
Ethereal-dev: Re: [Ethereal-dev] Display filter working

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gilbert Ramirez <gram@xxxxxxxxxxxxxxx>
Date: Wed, 10 Mar 2004 19:28:28 -0000
On Wed, 2004-03-10 at 11:37, Soft Boy wrote:
> Hi All,
>  
> I have a requirement to filter packets stored in plain buffers. What I need is a good filter syntax and its parser (which ethereal display filters have) and a way to match filters to packets stored in byte stream array.
>  

The display filter mechanism is tied very closely to ethereal's model of
a *dissected* packet, where fields and their values are laid out in the
tree structure. Imagine the protocol tree in the middle pane of the
ethereal GUI... that's the structure that the display filter mechanism
works on.

For a buffer of bytes, tcpdump filters (a.k.a, libpcap filters, a.k.a,
ethereal capture filters) are the way to go. You'd want to link to the
pcap library, possibly modified, to use those.


> Can I use ethereal display filters directly to do this using any command apart from the GUI ? OR if this is not possible.. Can I use any of the display filter APIs in ethereal code and write my own main function to remove capture filter capability and other unnecessary stuff OR Can I extract the display filter parsing and matching code with little efforts and write my own application ??
>  
> Is the display filtering done using BPF program like pcap_compile prepares for capture filters ?? OR does it have any other mechanism to do this ?? Where can I find more information about it ? Is there any thread/document which describes this mechanism ?? 
>  
>

There's a very very brief overview of the major parts of the display
filter mechanism in docs/README.developer, section 5.0. But it doesn't
go into much detail.

--gilbert