Wireshark-dev: Re: [Wireshark-dev] How do display filters work internally?
From: "Maynard, Chris" <[email protected]>
Date: Mon, 23 Jan 2012 12:14:11 -0500
> -----Original Message-----
> From: [email protected] [mailto:wireshark-dev-
> [email protected]] On Behalf Of Joerg Mayer
> Sent: Thursday, January 19, 2012 5:41 PM
> To: [email protected]
> Subject: [Wireshark-dev] How do display filters work internally?
> 
> Hello List,
> 
> I fail to understand how display filters work internally. I'm still
> trying to get my generic ip.addr filter working, but I seem to lack
> some understanding on how display filters work.
> 
> It looks like putting an "alien" protocol filter into the hf array will
> work, as ip.version inside packet-ipv6.c shows: The field is shown and
> filterable.
> Putting the ip.addr field vom packet-ip.c into all uses of ipv4
> addresses (everything of type FT_IPv4) will show it, but it won't be
> filterable (neither existence nor value).
> 
> Can someone please fill in some info how display filtering works?
> 
> Thanks
>    Joerg
> --

I think the problem is that TRY_TO_FAKE_THIS_ITEM() has a return path such that the count for hf_ip_addr doesn't get incremented as it should.

Attached is a patch that works for proto_tree_add_ipv4().  I made no attempt to "prettify" the patch; it's just a quick hack to get it to work, so cleanup is needed and proto_tree_add_item() still needs attention, as does proto_tree_add_ipv4_format_value() and proto_tree_add_ipv4_format().  I did test this with an "ip.addr" filter and it matched IP addresses in the IP protocol, but also with some bootp traffic.

- Chris

-- 

Attachment: ip.addr.proto-v4.patch
Description: ip.addr.proto-v4.patch

CONFIDENTIALITY NOTICE: The information contained in this email message is intended only for use of the intended recipient. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately delete it from your system and notify the sender by replying to this email.  Thank you.