Ethereal-dev: Re: [Ethereal-dev] RFC: ability to show protocol field errors

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 20 Sep 2003 02:15:38 -0700

On Sat, Sep 20, 2003 at 11:04:49AM +0200, Matthijs Melchior wrote:
> Yes, I have been experimenting with an enum added to field_info and
> using that to set the background color of protocol tree item.

What are the values of the enum?

I.e., it presumably means you can tag fields as more than just errors;
what other tags can be applied?  (Or is it an enum with two values now -
"OK" and "Error" - and the possibility of adding more values?)

> This color
> is also applied to all enclosing pdu's in order to notice the presence
> of a property without having to expand all sublevels.

By "enclosing PDUs" do you mean the protocol layers above the one that
got the error?  Or did you mean "enclosing protocol tree items"?

> This enum is to be set based on the outcome of the packet selection
> expression and your proposal would be implemented using the following:
> "tcp.checksum_bad == 1 || frame".

Why "|| frame"?  That's true of every packet, so that expression always
evaluates to "true", right?

Olivier suggested a Boolean for a field that's independent of its value,
so that you could have, for example, a bogus packet type value, or an
incorrect length field, or... marked as an error; an incorrect checksum
would also be so marked.

If we did that, we should probably have a display-filter expression that
evaluates to "true" if a packet contains a field marked as "bad"; with
that, the protocol tree item colorization filter expression could be
just "error" (or something such as that).  That'd also let you filter
for bad packets, and find bad packets with "Find Frame".
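
A sketch of the mechanism discussed in this message, added here as an illustration; it is not code from the message or from Ethereal. It assumes a two-value per-field tag set independently of the field's value, takes the "enclosing protocol tree items" reading of the colorization, and derives a packet-level "error" predicate from the same walk. All type and function names are hypothetical, and the sample tree is constructed.

```c
#include <stdio.h>

/* Hypothetical per-field tag; not Ethereal's actual field_info layout. */
enum field_status { FIELD_OK = 0, FIELD_ERROR = 1 };

struct tree_item {
    const char *abbrev;             /* filter name, e.g. "tcp.checksum" */
    enum field_status status;       /* set by the dissector, independent of value */
    int subtree_has_error;          /* computed: this item or a descendant is bad */
    struct tree_item *first_child;
    struct tree_item *next_sibling;
};

/* Post-order walk: flag every enclosing item whose subtree holds a bad field,
 * so the GUI can color collapsed parents. Returns nonzero if anything is bad. */
int propagate_errors(struct tree_item *item)
{
    int bad = (item->status == FIELD_ERROR);
    for (struct tree_item *c = item->first_child; c != NULL; c = c->next_sibling)
        bad |= propagate_errors(c); /* no short-circuit: every sibling is visited */
    item->subtree_has_error = bad;
    return bad;
}

/* Packet-level predicate a bare "error" filter expression could evaluate. */
int packet_has_error(struct tree_item *root) { return propagate_errors(root); }

/* Constructed sample: frame > { ip, tcp > { tcp.port, tcp.checksum } }. */
static struct tree_item sample[5];

struct tree_item *build_sample(int checksum_bad)
{
    static const char *names[5] = { "frame", "ip", "tcp", "tcp.port", "tcp.checksum" };
    for (int i = 0; i < 5; i++)
        sample[i] = (struct tree_item){ names[i], FIELD_OK, 0, NULL, NULL };
    sample[0].first_child = &sample[1];   /* frame -> ip */
    sample[1].next_sibling = &sample[2];  /* ip and tcp are siblings */
    sample[2].first_child = &sample[3];   /* tcp -> tcp.port */
    sample[3].next_sibling = &sample[4];  /* tcp.port and tcp.checksum are siblings */
    if (checksum_bad)
        sample[4].status = FIELD_ERROR;   /* dissector tags the bad checksum */
    return sample;
}

int main(void)
{
    printf("error filter matches: %d\n", packet_has_error(build_sample(1)));
    return 0;
}
```

Only the items on the path from the bad field to the root are flagged; the sibling `ip` item stays unmarked, which is what lets a collapsed tree point at the faulty layer.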