Wireshark · Wireshark-dev: Re: [Wireshark-dev] Should I create virtual fields for use in display filters

[Jeff Morriss <jeff.morriss@xxxxxxxxxxx>]

Guy Harris wrote:
> Hal Lander wrote:
> > I would like to give users of my dissector a quick and easy way to find 
> > any packets that have been sent which are not of the expected size. To 
> > me, as a newbie, the obvious way to do this would be to allow them to 
> > filter packets based on expected and actual packet sizes.

[...]

> > Is there a more correct/better way of achieving what I want. for example 
> > is there already some way to filter on "actual" packet size without the 
> > need for me to create a field.
>
> There's no way to filter on the actual size of a packet at an arbitrary 
> protocol layer.
>
> However:
>
> 	if the packet is too short, and the dissector is dissecting all the 
> fields of a packet, it will probably get an error when it tries to fetch 
> a field that would be past the end of the packet, and the packet will be 
> flagged as "malformed", so you can use the filter "malformed";
>
> 	if a packet is too long, your dissector could define a field for extra 
> data at the end of the packet, and dissect the extra data at the end of 
> the packet as with that field, and you could filter for that field.

If your dissector can know the actual size (as pointed out by Guy) and 
it also knows (based on the message type) the expected size, you could 
also add a boolean to the tree (using PROTO_ITEM_SET_GENERATED(), of 
course) whose value is (actual_size == expected_size).  Then users could 
filter based on "yourproto.size_mismatch == TRUE".