Wireshark-dev: Re: [Wireshark-dev] Filtering

From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Date: Tue, 31 Mar 2009 15:32:20 -0400
As far as I know, anything added via proto_tree_add_text() is non-filterable.
Below from doc/README.developer:

proto_tree_add_text()
---------------------
proto_tree_add_text() is used to add a label to the GUI tree.  It will
contain no value, so it is not searchable in the display filter process.
This function was needed in the transition from the old-style proto_tree
to this new-style proto_tree so that Wireshark would still decode all
protocols w/o being able to filter on all protocols and fields.
Otherwise we would have had to cripple Wireshark's functionality while we
converted all the old-style proto_tree calls to the new-style proto_tree
calls.  In other words, you should not use this in new code unless you've got
a specific reason (see below).

This can also be used for items with subtrees, which may not have values
themselves - the items in the subtree are the ones with values.

For a subtree, the label on the subtree might reflect some of the items
in the subtree.  This means the label can't be set until at least some
of the items in the subtree have been dissected.  To do this, use
'proto_item_set_text()' or 'proto_item_append_text()':

- Chris

> -----Original Message-----
> From: gogrady@xxxxxxxxx [mailto:gogrady@xxxxxxxxx]
> Sent: Tuesday, March 31, 2009 2:56 PM
> To: Developer support list for Wireshark
> Cc: Maynard, Chris
> Subject: Re: [Wireshark-dev] Filtering
> 
> Hello,
> 
> Sorry to bother again, but I did have another question. If I use
> proto_tree_add_text( ); for all my other branches, but still want to be
> able to filter them, is there a way I can make a variable like
> hf_icom_message, and set it to a value in dissect_icom() to be able to
> filter it? For example, make:
> 
> { &hf_icom_message,
> 	{"Message", "icom.message",
> 	FT_UINT16, BASE_DEC,
> 	NULL, 0x0,
> 	NULL, HFILL }
> }
> 
> and have somewhere hf_icom_message = 6; in dissect_icom()
> 
> and not use it for outputting anything, but just so I would be able to
> filter in Wireshark with something like icom.message==6?
> 
> Thanks,
> 
> Greg
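
An added example (not from the thread or the Wireshark sources) of a filterable but hidden field, written with Wireshark's Lua dissector API rather than the C API discussed above: the field is registered once, and the per-packet value is supplied when the item is added to the tree, which is what makes `icom.message == 6` usable as a display filter. The two-byte message layout, the UDP port and the protocol description are assumptions.

```lua
-- Added example: layout, port and descriptions below are assumptions,
-- not taken from the thread.
local icom = Proto("icom", "ICOM (example)")

-- Registered field. This plays the role of the hf_icom_message entry in
-- the C hf_register_info array: it defines the filter name and type.
-- It is a handle, not a variable that holds the packet's value.
local f_message = ProtoField.uint16("icom.message", "Message", base.DEC)
icom.fields = { f_message }

local ASSUMED_UDP_PORT = 50000  -- placeholder port for the example

function icom.dissector(tvb, pinfo, tree)
    -- Too short to hold the assumed 16-bit message number: not ours.
    if tvb:len() < 2 then return 0 end

    pinfo.cols.protocol = "ICOM"
    local subtree = tree:add(icom, tvb())

    -- Assumed layout: big-endian 16-bit message number in bytes 0..1.
    local msg = tvb(0, 2):uint()

    -- Text-only label: visible in the tree, but it carries no field, so
    -- no display filter can match it (same limitation as
    -- proto_tree_add_text() in the C API).
    subtree:add(tvb(0, 2), "Message number (label only): " .. msg)

    -- Filterable item: the value is passed here, per packet. Hiding it
    -- keeps it out of the tree while "icom.message == 6" still matches.
    local item = subtree:add(f_message, tvb(0, 2), msg)
    item:set_hidden()

    -- The subtree label can only be completed after its items are
    -- dissected, as the README excerpt notes for proto_item_append_text().
    subtree:append_text(", Message " .. msg)

    return tvb:len()
end

DissectorTable.get("udp.port"):add(ASSUMED_UDP_PORT, icom)
```

In a C dissector the same step is a call such as `proto_tree_add_uint()` with the registered `hf_` handle and the value, in place of the `proto_tree_add_text()` call.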