
Ethereal-dev: RE: [Ethereal-dev] RFC: Possible change in FT_BYTES dfilter syntax

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Biot Olivier <Olivier.Biot@xxxxxxxxxxx>
Date: Thu, 10 Jul 2003 10:36:27 +0200
> From: Guy Harris
> 
> On Wednesday, July 9, 2003, at 9:58 PM, Gilbert Ramirez wrote:
> 
[...]

> A scheme wherein the scanner did as little work as possible, and the
> interpretation of tokens was done by, for example, code associated with
> a given FT_ type, might be more easily extensible.

But then you lose the flexibility of doing e.g., byte pattern searches in a
FT_STRING.

> > I'd like to get a feel for how badly this change would affect people.
> > If breaking this would cause too much hardship, I won't do it. I can work
> > around the 3 syntaxes for byte strings. I'm contemplating this change
> > because it makes it easier and cleaner to implement a "contains" test.
> > I.e., I have the following dfilter syntax working:
> >
> > http contains "jpg"
> > frame contains 00:07
> >
> > The "contains" test works on protocols, strings, and byte-strings (and
> > derivatives).
> 
> So that sounds like a case where 0.7 would have to be a byte string.

Why not use implicit typing of a search pattern if possible, and require
explicit typing otherwise? Something enclosed with <"> or <'> means string
lookup, require byte patterns also to start with a colon, etc?
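
An added sketch of the implicit-typing rule proposed above, not part of the original message and not Ethereal's code: quoted operands are strings, colon-led hex octets are byte patterns, and anything else is rejected as needing explicit typing. The exact byte-pattern grammar, the function names and the sample data are assumptions.

```python
import re


class AmbiguousOperand(ValueError):
    """A bare token that could be a string, a number or a byte pattern."""


# Assumed grammar for a byte pattern: a leading colon, then two-digit hex
# octets separated by colons, e.g. ":00:07".
BYTE_PATTERN = re.compile(r":[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*\Z")


def classify_operand(token):
    """Return (kind, needle_bytes) for the right-hand side of 'contains'."""
    # Rule 1: something enclosed in " or ' is a string lookup.
    if len(token) >= 2 and token[0] in "\"'" and token[-1] == token[0]:
        return "string", token[1:-1].encode("latin-1")
    # Rule 2: a byte pattern must start with a colon.
    if BYTE_PATTERN.match(token):
        return "bytes", bytes.fromhex(token[1:].replace(":", ""))
    # Rule 3: no implicit type can be derived, so refuse to guess.
    raise AmbiguousOperand(f"operand {token!r} needs explicit typing")


def contains(field_value, token):
    """Search the raw bytes of a field, whatever its FT_ type is."""
    _kind, needle = classify_operand(token)
    return needle in field_value


# Constructed sample data: an HTTP request line followed by two raw octets.
SAMPLE_FRAME = b"GET /logo.jpg HTTP/1.1\r\n" + b"\x00\x07"

if __name__ == "__main__":
    for tok in ['"jpg"', ":00:07", ":6a:70:67", "00:07", "0.7"]:
        try:
            kind, _ = classify_operand(tok)
            print(tok, kind, contains(SAMPLE_FRAME, tok))
        except AmbiguousOperand as exc:
            print(tok, "rejected:", exc)
```

Because the search runs on raw bytes after the operand is typed, a byte pattern such as `:6a:70:67` still matches inside string data, while the bare forms `00:07` and `0.7` are rejected instead of being guessed at.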