Wireshark-dev: [Wireshark-dev] Should I create virtual fields for use in display filters
From: "Hal Lander" <[email protected]>
Date: Sun, 26 Nov 2006 08:47:59 -0900
I would like to give users of my dissector a quick and easy way to find any packets that have been sent which are not of the expected size. To me, as a newbie, the obvious way to do this would be to allow them to filter packets based on expected and actual packet sizes.
To do that I think I need fields for the "actual" and "expected" packet 
size.
The packets in my protocol do not contain a field for the "expected" size, 
though it can be deduced from the message type.
The "actual" size could be obtained from tvb_length(tvb).

Should I create fields for the "actual" and "expected" sizes even though these fields don't actually exist in the data?
If I do what should I get Wireshark to highlight e.g. for the "expected" 
size should Wireshark highlight the data in the header showing the message 
type?
Is there a more correct/better way of achieving what I want. for example is 
there already some way to filter on "actual" packet size without the need 
for me to create a field.
Regards
Hal

_________________________________________________________________
View Athlete’s Collections with Live Search http://sportmaps.live.com/index.html?source=hmemailtaglinenov06&FORM=MGAC01