Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Setup the filter as string instead of frame[start offset:len

From: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Date: Fri, 10 Aug 2012 09:53:15 +0200
Le 10 août 2012 à 08:20, "Kumar, Chandan (Chandan)" <chandan.kumar@xxxxxxxxxxxxxxxxxx> a écrit :

Could you, please help me to make change in Wireshark so that I would be able to select IE by means of filter like others element?
 
I want to make IE’s as a filterable field instead of displaying frame [start offset: length]
 
I Did some change for this into epan/proto.c file in Wireshark – 1.6.2
Line number---->6934
 
ptr += g_snprintf(ptr, (gulong) (buf_len-(ptr-*filter)), "frame[%d:%d] == ", finfo->start, length);   
 
this line I have change like
ptr += g_snprintf(ptr, (gulong) (buf_len-(ptr-*filter)),"%s == ", finfo->rep->representation);
 
I am able to see the strings which want to make filterable using (Apply as filter ---> Selected) but some wrong message windows came & stop the parsing for new filter.
 
What I have to do to display correctly.

Please have a look at the answer I sent yesterday:

"Hi Chandan,
As indicated by Gilbert your screeshots were not forwarded to the list.
Given the line number you modified, it looks like the field you want to filter is defined as FT_NONE. Hacking in proto.c is probably not what you want to do and instead you should change the protocol dissector code so as to use a more friendly filter format.
If you can share with us more information on the protocol used and field you want to filter, we might be able to help you."

As indicated in README.developer file:
"FT_NONE: no field type. Used for fields that aren't given a value, and that can only be tested for presence or absence; a field that represents a data structure, with a subtree below it containing fields for the members of the structure, or that represents an array with a subtree below it containing fields for the members of the array, might be an FT_NONE field."

So if I understood your request correctly you should probably change the dissector code to define the field to something other than FT_NONE.
What field are you trying to filter?

Regards,
Pascal.