Wireshark-dev: Re: [Wireshark-dev] Query on Field Registration

From: "Kumar, Hemant" <kumarh@xxxxxxxxxxxx>
Date: Thu, 3 Jul 2008 14:43:32 -0700
Hello

Thanks!!
Yes I completely agree with you but tcp.flags.syn appears because we have already registered a field with the name tcp.flags.syn.

What I want to know is whether such a tree-like structure, which appears in the details pane, is possible in the Filter Expression dialog box.
And I don't want to register fields like tcp.flags.syn, but rather register them individually, i.e. register flags separately, syn separately, and let Wireshark make the filter expression depending upon the selection in the Filter Expression dialog box.

I guess this has not been implemented for Filter Expression Box, but still I wanted to know if it is possible to work around.

Thanks
Hemant


-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Abhik Sarkar
Sent: Thursday, July 03, 2008 1:36 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Query on Field Registration

Isn't _something_ like what you want already present? I agree it is
not _exactly_ the same, but it is very similar. Taking your example of
the TCP protocol:
- Select any frame.
- In the Packet Details pane
 - click + to expand the TCP protocol
 - click + to expand the Flags.
- Select a flag of your choice (e.g. SYN)
- Right-click and choose "Prepare a filter > Selected", and
"tcp.flags.syn == X" appears in the display filter field!

Regards,
Abhik.

On Thu, Jul 3, 2008 at 11:09 PM, Kumar, Hemant <kumarh@xxxxxxxxxxxx> wrote:
> So that if user wants to select fetch all the messages having subfield == X
>
> He should go in the expression window and not put Protocol.Field.subfield ==
> X, but rather just go on hitting on the + buttons and the subtree should
> appear below it and he can set the parameter for that field and the
> wireshark will automatically form the expression based on the user selection
> of trees and subtrees so basically I don't want to put
>
>
>
> Protocol.Field.subfield beforehand in the expression window but rather just
> firstly just Protocol will appear then on hitting + for protocol, Field will
> appear and then on hitting + for Field subfield should appear and then user
> can set subfield == x and in the expression bar, automatically wireshark
> will put the expression Protocol.Field.subfield.
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-dev