Wireshark · Ethereal-dev: Re: [Ethereal-dev] dfilter-modifications and inclusion of lib_ethereal.so

[Guy Harris <gharris@xxxxxxxxx>]

Håvard H Garnes wrote:
> man, 18,.07.2005 kl. 00.59 -0700, skrev Guy Harris:
>
> > So what's the difference between libethereal, a library that's already 
> > built as part of Ethereal (although note that we do *NOT* yet guarantee 
> > that its API will not change in incompatible ways!) and lib_ethereal?
>
> Unknown. I did not worite lib_ethereal. the original patch was written
> for ethereal 0.9.16 - perhaps there was no libethereal at the time.

There wasn't.

You might want to see whether linking with libethereal in an unmodified 
Ethereal 0.10.11 works.

> > > The new filter-addition is the keyword "return 'field'" which returns
> > > the field-value in place of a gboolean from dfvm_apply.
> >
> > Do you have an example of how that would be used?
>
> this could be used to do for example
>
> return http.request.host
> or
> return mime_mulitpart.type
> or
> return ip.len
>
> or almost any header or prootocol-information ethereal can handle.

So would that be used as part of a display filter, or would that be the 
entire filter expression?

I.e., is this just a way to request the value of (the first instance of) 
a particular field in a packet?  If so, there might now be APIs to 
extract that, which applications that would use that keword would use.