Wireshark · Ethereal-dev: RE: [Ethereal-dev] Would it be possible to allow filter expressio ns like:

Ethereal-dev: RE: [Ethereal-dev] Would it be possible to allow filter expressio ns like:

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Biot Olivier <Olivier.Biot@xxxxxxxxxxx>

Date: Mon, 8 Mar 2004 09:37:33 +0100

|From: Richard Sharpe
|
|Hi,
|
|It would seem that there is utility in allowing expressions like:
|
|   ip.len > (ip.hdr_len + tcp.hdr_len)
|
|Now, I know that the way to express what I want is tcp.len > 0, but I 
|think there will be times when someone wants to specify a filter 
|expression that uses the sum of other fields ...

The only problem I see is that a given field can occur more than once in a
packet. Consider IP over IP as a scenario. How would your expression
evaluate in this case?

That's also the reason I'd like to have the possibility to store the
"protocol tree" for each packet in the packet_info structure, so we could
"stick" protocol fields for a given expression to a given position in the
stack.

Solving the latter issue requires Ethereal to be able of distinguishing the
case of "protocol X running on top of protocol X" from the case of
"encapsulated protocol X PDUs", which is not available today. Example: X11
traffic often consists of a concatenation of X11 operations conveyed within
one TCP segment.

Regards,

Olivier

Prev by Date: RE: [Ethereal-dev] Patch to make ethereal-0.10.2 work on Cygwin w ith packet capture
Next by Date: Re: [Ethereal-dev] Patch to make ethereal-0.10.2 work on Cygwin w ith packet capture
Previous by thread: Re: [Ethereal-dev] I just want to know whether there has beenanyattempt to developed a web based version of ethereal.
Next by thread: [Ethereal-dev] tethereal segfaults when using ring buffer
Index(es):
- Date
- Thread