Ethereal-dev: Re: [Ethereal-dev] Display filter working

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Guy Harris" <gharris@xxxxxxxxx>
Date: Wed, 10 Mar 2004 11:35:00 -0800 (PST)
Gilbert Ramirez said:
> On Wed, 2004-03-10 at 11:37, Soft Boy wrote:
>> Hi All,
>>
>> I have a requirement to filter packets stored in plain buffers. What I
>> need is a good filter syntax and its parser (which ethereal display
>> filters have) and a way to match filters to packets stored in byte
>> stream array.
>>
>
> The display filter mechanism is tied very closely to ethereal's model of
> a *dissected* packet, where fields and their values are laid out in the
> tree structure. Imagine the protocol tree in the middle pane of the
> ethereal GUI... that's the structure that the display filter mechanism
> works on.

I.e., in order to use Ethereal display filters, he'd need to have a very
large fraction of Ethereal's code, including dissectors for the protocols
whose fields he'll be using in the display filter, and the support code
for dissectors, as well as the display filter code itself.

>> Can I use ethereal display filters directly to do this using any
>> command apart from the GUI ?

Tethereal could do that on a capture file - but not on raw packet data in
buffers; the packet data would have to be converted into a capture file.

>> OR if this is not possible.. Can I use
>> any of the display filter APIs in ethereal code and write my own main
>> function to remove capture filter capability and other unnecessary
>> stuff OR Can I extract the display filter parsing and matching code
>> with little efforts and write my own application ??

Those could probably be, in theory, done, but it'd probably take more than
"a little effort".

>> Is the display filtering done using BPF program like pcap_compile
>> prepares for capture filters ??

No.

>> OR does it have any other mechanism to do this ??

Yes.
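The practical route Guy describes above (get the raw buffers into a capture file, then let Tethereal apply the display filter on read) needs a writer for the classic libpcap file format. The following is an added example, not code from this thread or from the Ethereal/Wireshark project: it packs packet buffers into a pcap byte stream (24-byte global header plus a 16-byte record header per packet), parses such a stream back, and constructs a small Ethernet/IPv4/UDP frame purely as sample input. The link type, snaplen and timestamps are assumptions made for the example.

```python
"""Turn plain packet buffers into a classic libpcap capture file.

Once the buffers are in a .pcap file, a dissecting tool can apply a display
filter on read, e.g.  tethereal -r sample.pcap -R "udp.port == 53"
(modern tshark:  tshark -r sample.pcap -Y "udp.port == 53").
"""
import struct

LINKTYPE_ETHERNET = 1          # DLT for the constructed frames below (assumption)
PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution magic, written native (little) endian


def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """24-byte file header: magic, version 2.4, thiszone, sigfigs, snaplen, network."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(packet, ts_sec=0, ts_usec=0):
    """16-byte record header (ts_sec, ts_usec, incl_len, orig_len) followed by the bytes."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(packet), len(packet)) + packet


def build_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Serialize a list of packet buffers into one pcap byte stream (in memory)."""
    out = bytearray(pcap_global_header(linktype))
    for i, pkt in enumerate(packets):
        out += pcap_record(pkt, ts_sec=i)      # synthetic 1-second spacing (assumption)
    return bytes(out)


def write_pcap(path, packets, linktype=LINKTYPE_ETHERNET):
    """Write the packets to a file; returns the number of records written."""
    with open(path, "wb") as f:
        f.write(build_pcap(packets, linktype))
    return len(packets)


def parse_pcap(data):
    """Parse a classic pcap byte stream back into a list of packet buffers.

    Handles both byte orders by inspecting the magic, and rejects truncated records.
    """
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (unknown magic)")
    packets, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet data")
        packets.append(data[off:off + incl_len])
        off += incl_len
    return packets


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over the IPv4 header (even length)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame used only as sample input (hypothetical addresses)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload   # UDP checksum 0 = omitted
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]    # fill header checksum
    return eth + ip + udp


if __name__ == "__main__":
    frames = [build_udp_frame("10.0.0.1", "10.0.0.2", 12345, 53, b"\x00" * 12),
              build_udp_frame("10.0.0.2", "10.0.0.1", 53, 12345, b"\x00" * 16)]
    print("wrote", write_pcap("sample.pcap", frames), "records to sample.pcap")
```

The only thing Tethereal needs from the file is a link type it can dissect from; the timestamps and snaplen are cosmetic for filtering purposes. Note that the display filter itself still runs inside the dissecting tool, as the thread explains, so this step converts the data but does not replace the dissectors.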