Thanks for both of your ideas. What bothers me with Michaels'idea is
that I wonder how many wireshark users know of or use "contains" and
"matches" compared to eq or == keywords. From that point of view,
Jeff's idea looks as a good idea.
On Thu, Oct 27, 2011 at 3:34 PM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:
>
> Teto wrote:
>>
>> Hi,
>>
>> Just had a question about what's the best practice. I have a packet
>> with a field contianing several keywords. I intend to split those
>> keywords so that one can filter display based upon a keyword.
>> My problem is am compelled to display each keyword separately (one
>> itemp per kewyord and group them in a subtree) or could I display all
>> of them in one item in the main tree (my preference) and then create
>> several hidden fields (one per keyword). I wonder if that last
>
> Why not combine the two? Put one item (or maybe even just a text entry--from proto_tree_add_text()) with all the keywords (possibly added with proto_tree_append_text()) and then create a subtree below that with each keyword individually?
>
> This is how we get, for example, nice summary lines for the TCP protocol (including port numbers, etc.) while keeping the port numbers themselves as separate filterable items in the TCP subtree.
