
Wireshark-dev: Re: [Wireshark-dev] Remove duplication for resolved addresses

From: João Valverde <joao.valverde@xxxxxxxxxxxxxxxxxx>
Date: Fri, 11 Sep 2015 16:12:08 +0100


On 09/11/2015 04:01 PM, João Valverde wrote:


On 09/10/2015 10:13 PM, João Valverde wrote:


On 09/10/2015 09:51 PM, João Valverde wrote:


On 09/10/2015 09:05 PM, Pascal Quantin wrote:
Hi,

2015-09-10 13:50 GMT+02:00 João Valverde <joao.valverde@xxxxxxxxxxxxxxxxxx>:

    Hi list,

    I proposed a change[1] to remove the duplication for resolved
    addresses (not necessarily using that code) in the UI:

       Src: 192.0.2.1, Dst: 192.0.2.2

    Instead of:

       Src: 192.0.2.1 (192.0.2.1), Dst: 192.0.2.2 (192.0.2.2)

    This change (rightfully) raised concerns that it would break
    backward compatibility for scripts parsing this output. Any thoughts
    on this?

    Just thinking out loud but maybe 2.0 would be a good opportunity to
    change this (if indeed it is an improvement)?

    If I understand the issue correctly I personally don't think this
    should be a stable interface anyway but of course I'm willing to be
    corrected on that.

    Next step after this would be doing the same for port resolution...

    Regards,

    João V.

    [1] https://code.wireshark.org/review/#/c/10203/


Just a random thought (as I'm far from being a script expert). In case
only one of the 2 IP addresses is resolved, would it be harder to parse?
   Src: 192.0.2.1, Dst: localhost (127.0.0.1)
The "advantage" of current code (whether it is relevant or not is an
exercise left to the reader) is that you will always find the IP address
(or port number) within parentheses, whatever your preference
configuration. On the other side, it is not really pretty to the eye.

Good point. I would take that format, no problem, but it might be worth
having an exception in that case (would need to investigate the code
feasibility).

I personally don't use address resolution (which is not relevant at all
to the argument).

What I think is relevant is that for long, randomish IPv6 addresses it
really starts to get cumbersome for humans to parse. And takes a lot of
screen real-estate.

Having said that there may be other factors I'm missing, I don't use any
automated output parsing either.

Reflecting on what you said makes me think that a much better way to
implement this than my proposal would be to remove the duplicate
addresses if the preference/settings for address resolution is disabled
(for the GUI at least).

So if I implement this using the GUI preference for name resolution
where does that leave tshark? Unchanged?

Thanks.

Better question, is the API for the GUI preferences the same as for tshark's -N flag? (Guessing not...).



Regards,

JV


Cheers,
Pascal.


___________________________________________________________________________



Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev

mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
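
As an added example (not part of the thread and not Wireshark code): a Python parser for the script side of this discussion that accepts the current duplicated format, the proposed de-duplicated one, and the mixed case raised above, and always returns the numeric address. The function names and the assumption that a line carries `Src:`/`Dst:` fields exactly as quoted in the thread are assumptions of this example.

```python
import ipaddress
import re

# One endpoint: "Src: addr" or "Src: name (addr)"; same for Dst.
_ENDPOINT = re.compile(r"(Src|Dst):\s*([^,()\s]+)(?:\s*\(([^()\s]+)\))?")

# Constructed sample lines, taken from the formats quoted in the thread.
SAMPLES = [
    "Src: 192.0.2.1 (192.0.2.1), Dst: 192.0.2.2 (192.0.2.2)",  # current
    "Src: 192.0.2.1, Dst: 192.0.2.2",                          # proposed
    "Src: 192.0.2.1, Dst: localhost (127.0.0.1)",              # mixed
]


def _as_ip(token):
    """Return an ipaddress object, or None if token is not an IP literal."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def parse_endpoints(summary):
    """Map 'Src'/'Dst' to (name, address); name is None when unresolved."""
    result = {}
    for label, first, paren in _ENDPOINT.findall(summary):
        if paren:
            addr = _as_ip(paren)
            if addr is None:
                raise ValueError(f"{label}: {paren!r} is not an IP address")
            # Current format repeats the address where a name would go.
            name = None if _as_ip(first) == addr else first
        else:
            addr = _as_ip(first)
            if addr is None:
                # A bare name with no numeric address is rejected, not guessed.
                raise ValueError(f"{label}: no numeric address in {first!r}")
            name = None
        result[label] = (name, str(addr))
    if set(result) != {"Src", "Dst"}:
        raise ValueError(f"expected Src and Dst in {summary!r}")
    return result


if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_endpoints(line))
```
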
