Wireshark-dev: Re: [Wireshark-dev] Highlight fields
From: Jeff Morriss <[email protected]>
Date: Tue, 23 Feb 2016 15:11:06 -0500
Hmm, this might be easier than described below.  It turns out there's already some similar functionality when doing a "Find packet" when searching for a string or hex value.  See:

https://code.wireshark.org/review/#/c/14086/

as well as the bug that links to and the original change that added the functionality in the Gtk interface.

(A first--and useful--step would be to highlight the tree item when searching with a display filter.  Or maybe that's the whole solution?)

On Fri, Feb 12, 2016 at 10:34 AM, Jeff Morriss <[email protected]> wrote:
I think you can discover this via hfinfo->ref_type .

On Fri, Feb 12, 2016 at 9:25 AM, Juan Jose Martin Carrascosa <[email protected]> wrote:
That idea sounds awesome and enough for me.

Can you tell me how to detect if a proto_item is passing a filter?

Thanks,
Juanjo

On Fri, Feb 12, 2016 at 3:22 PM, Jeff Morriss <[email protected]> wrote:
I'm not sure this would require changes to the dissectors.

I would /think/ that this could be done similar to how the Expert Info system highlights the (tree) path down to the item to which the expert info is attached.  That is, it could be done in the proto_tree_add*() calls by, for example:
  1. Checking if the field being added was part of the display filter
  2. If so then highlighting the path back to the root of the tree (like the expert info calls do)

I don't know, however, how you could visually distinguish expert info's from the "here is(are) your field(s)" highlights.

On Wed, Feb 10, 2016 at 7:48 AM, Juan Jose Martin Carrascosa <[email protected]> wrote:
Do you know which would be the approach? I am willing to implement it. Any idea is very much appreciated!

Thanks,
Juanjo

On Wed, Feb 10, 2016 at 1:45 PM, Roland Knall <[email protected]> wrote:
Hi

No, currently there is no direct way to do this. And any new way would require a change to the dissectors handling the messages

regards

On Wed, Feb 10, 2016 at 11:44 AM, Juan Jose Martin Carrascosa <[email protected]> wrote:
Hi all,

Let's say I have several submessages in a packet (RTPS). When I filter, one of them matches so the whole RTPS (UDP datagram) matches and thus, it is shown in the display. However, if the amount of submessages is large (200?), it is quite tedious to find the matching submessage.

Is there any way in Wireshark (GUI or changing source code) to solve my issue? Highlighting the field that makes something match a filter or something like that.

Thanks!
Juanjo Martin