Ethereal-dev: Re: [Ethereal-dev] dfilter-modifications and inclusion of lib_ethereal.so

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Håvard H Garnes <hhg@xxxxxxxxxx>
Date: Mon, 18 Jul 2005 11:00:49 +0200
Mon, 18.07.2005 at 00:59 -0700, Guy Harris wrote:
> Håvard H Garnes wrote:
> > Hello. As part of mapi-development (mapi.uninett.no) I have made this
> > patch to ethereals dfilter to extract information from packets. 
> > 
> > Ths patch also includes lib_ethereal, which was developed as part of the
> > scampi-project (ist-scampi.org) to link an ethereal-library into mapi
> > for packet and protocol analysis.
> 
> So what's the difference between libethereal, a library that's already 
> built as part of Ethereal (although note that we do *NOT* yet guarantee 
> that its API will not change in incompatible ways!) and lib_ethereal?

Unknown. I did not write lib_ethereal. The original patch was written
for ethereal 0.9.16 - perhaps there was no libethereal at the time. I
don't know. I only adapted the original lib_ethereal-patch.

> 
> > The new filter-addition is the keyword "return 'field'" which returns
> > the field-value in place of a gboolean from dfvm_apply.
> 
> Do you have an example of how that would be used?

This could be used to do, for example,

return http.request.host
or
return mime_multipart.type
or
return ip.len

or almost any header or protocol information ethereal can handle.
Exactly what information is most relevant to extract I don't know, but I
would guess that things like ip.len and other numbers are the most
interesting fields to extract for analysis.

> "grammar.c" is generated from "grammar.lemon", so it's sufficient to 
> supply a patch for "grammar.lemon".

Oops. I really knew that. I must have missed it when I cleaned the patch
up.

Håvard
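The thread above describes a "return 'field'" addition to the display-filter engine that hands back a field's value instead of the usual boolean verdict. The block below is an added illustration of that idea and is not the patch, lib_ethereal, or any Ethereal/Wireshark code: it dissects a constructed Ethernet/IPv4/TCP frame into a small name-to-value map (field names such as ip.len and tcp.dstport mirror Ethereal's naming but are assumptions of this example) and evaluates either a comparison expression, which yields True/False, or a "return <field>" expression, which yields the value. Fields the dissector did not see (here, http.request.host) come back as None rather than raising, which is the edge case a consumer of such an API must handle.

```python
# Added example, not part of the original thread or of Ethereal: a tiny
# field-extraction engine in the spirit of the proposed "return 'field'"
# dfilter keyword. Field names, the dissector and the sample frame below
# are all constructed for this illustration.
import operator
import struct

# Constructed sample frame: Ethernet II + IPv4 + TCP SYN, no payload.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455"              # dst MAC
    "66778899aabb"              # src MAC
    "0800"                      # EtherType: IPv4
    "4500002800010000"          # IPv4: ver/ihl, tos, total len=40, id=1, frag
    "4006"                      # ttl=64, proto=6 (TCP)
    "0000"                      # header checksum (not verified here)
    "c0a80001"                  # src 192.168.0.1
    "c0a80002"                  # dst 192.168.0.2
    "c35000500000000100000000"  # TCP: sport=50000, dport=80, seq=1, ack=0
    "5002ffff00000000"          # TCP: data offset=5, flags=SYN, win=65535
)

_OPS = {
    "==": operator.eq, "!=": operator.ne,
    ">": operator.gt, "<": operator.lt,
    ">=": operator.ge, "<=": operator.le,
}


def dissect(frame: bytes) -> dict:
    """Return a {field_name: value} map for the protocols this toy understands.

    Bounds are checked at every layer so a truncated frame yields fewer
    fields instead of an exception.
    """
    fields = {}
    if len(frame) < 14:
        return fields
    eth_type = struct.unpack("!H", frame[12:14])[0]
    fields["eth.type"] = eth_type
    if eth_type != 0x0800 or len(frame) < 34:
        return fields
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    fields["ip.len"] = struct.unpack("!H", ip[2:4])[0]
    fields["ip.ttl"] = ip[8]
    fields["ip.proto"] = ip[9]
    fields["ip.src"] = ".".join(str(b) for b in ip[12:16])
    fields["ip.dst"] = ".".join(str(b) for b in ip[16:20])
    if fields["ip.proto"] == 6 and len(ip) >= ihl + 20:
        tcp = ip[ihl:]
        fields["tcp.srcport"], fields["tcp.dstport"] = struct.unpack("!HH", tcp[:4])
        fields["tcp.flags"] = tcp[13]
    return fields


def apply_filter(expr: str, frame: bytes):
    """Evaluate a dfilter-like expression against one frame.

    "return <field>"      -> the field's value, or None if absent
    "<field>"             -> True if the field/protocol is present
    "<field> <op> <lit>"  -> boolean comparison (False if field absent)
    """
    fields = dissect(frame)
    tokens = expr.split()
    if len(tokens) == 2 and tokens[0] == "return":
        return fields.get(tokens[1])
    if len(tokens) == 1:
        name = tokens[0]
        return any(k == name or k.startswith(name + ".") for k in fields)
    if len(tokens) == 3 and tokens[1] in _OPS:
        name, op, literal = tokens
        if name not in fields:
            return False
        value = fields[name]
        rhs = int(literal, 0) if isinstance(value, int) else literal
        return _OPS[op](value, rhs)
    raise ValueError(f"unsupported expression: {expr!r}")


if __name__ == "__main__":
    for e in ("ip.len == 40", "return ip.len", "return tcp.dstport",
              "return http.request.host", "tcp"):
        print(f"{e:28} -> {apply_filter(e, SAMPLE_FRAME)!r}")
```

The point of the split return type is the one raised in the thread: a caller of dfvm_apply that expects a gboolean must know whether it issued a "return" expression, because it may now receive an integer, a string, or None.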