Wireshark · Wireshark-dev: [Wireshark-dev] Setup the filter as string instead of frame[start offset:length]

[Pascal Quantin <pascal.quantin@xxxxxxxxx>]

Le jeudi 9 août 2012, Kumar, Chandan (Chandan) a écrit :

 

My request as follows:

Could you, please help me to make change in Wireshark so that I would be able to select IE by means of filter like others element?

 

I want to make IE’s as a filterable field instead of displaying frame [start offset: length]

 

Did some change for this into epan/proto.c file in Wireshark – 1.6.2

Line number---->6934

 

ptr += g_snprintf(ptr, (gulong) (buf_len-(ptr-*filter)), "frame[%d:%d] == ", finfo->start, length);   

 

this line I have change like

ptr += g_snprintf(ptr, (gulong) (buf_len-(ptr-*filter)),"%s == ", finfo->rep->representation);

 

I am able to see the strings which want to make filterable using (Apply as filter ---> Selected) but some wrong message windows came & stop the parsing for new filter.

Attaching two snap shot 1^st with the Wireshark filter & 2^nd what I have implemented.

Hi Chandan,

As indicated by Gilbert your screeshots were not forwarded to the list.

Given the line number you modified, it looks like the field you want to filter is defined as FT_NONE. Hacking in proto.c is probably not what you want to do and instead you should change the protocol dissector code so as to use a more friendly filter format.

If you can share with us more information on the protocol used and field you want to filter, we might be able to help you.

Regards,

Pascal.