Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] New feature: custom columns

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 09 Apr 2008 12:22:44 -0700
Maynard, Chris wrote:

One more thing, after alphabetizing the column choices in the last
patch I submitted, it seems to me that there are quite a few
redundancies. For example:

1) Hardware src addr <=> Hw src addr (resolved)
2) Hardware dest addr <=> Hw dest addr (resolved)
3) Source port <=> Src port (resolved)
4) Destination port <=> Dest port (resolved)

They're not *supposed* to be the same; "Hardware src addr" is supposed to show the resolved address if MAC-layer address resolution is enabled and the unresolved address if it's not enabled. "Enabled" and "disabled" here mean enabled or disabled by the preferences file, the "-n" or "-N" flags, or the "Name resolution" item in the View menu.

If that doesn't work, that's a bug.

5) Source address <=> Src addr (resolved) <=> Network src addr <=> Net src addr (resolved)
6) Destination address <=> Dest addr (resolved) <=> Network dest addr <=> Net dest addr (resolved)
7) Src addr (unresolved) <=> Net src addr (unresolved)
8) Dest addr (unresolved) <=> Net dest addr (unresolved)

"Source address" and "destination address" fields should show the network address if the packet *has* a network address and the MAC address if the packet doesn't have a network address.

If that doesn't work, that's a bug. (It works in at least one capture I have; ARP packets show the MAC source and destination address, and DHCP and OSPF packets show the IPv4 source and destination addresses.

The "XXX (resolved)" versus "XXX" issues are as above.