Wireshark-dev: Re: [Wireshark-dev] How is the protocol display filter name determined?

From: Michael Lum <michael.lum@xxxxxxxxxxxxxxxxx>
Date: Thu, 24 Mar 2016 19:45:37 -0700
Thank you very much Michael.
 
That was exactly the issue.


From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Michael Mann
Sent: March-24-16 5:09 PM
To: wireshark-dev@xxxxxxxxxxxxx
Subject: Re: [Wireshark-dev] How is the protocol display filter name determined?

The protocol display filter works like all filters: it has to be used in a proto_tree_add_xxx call to be used as a filter. What you may be confused by is that the protocol identifier (proto_fapi) can also be passed like an hf_ field is.
 
Typically the first proto_tree_add_item call in a dissector is for the protocol. For example:
 
    ti = proto_tree_add_item(tree, proto_fapi, tvb, 0, -1, ENC_NA); /* protocol item: this is what the "fapi" filter matches */
    subtree = proto_item_add_subtree(ti, ett_fapi);
 
with all other tree items called using subtree.  This is why it appears any packet involving the protocol works with the protocol filter.
 
 
 
-----Original Message-----
From: Michael Lum <michael.lum@xxxxxxxxxxxxxxxxx>
To: wireshark-dev <wireshark-dev@xxxxxxxxxxxxx>
Sent: Thu, Mar 24, 2016 6:27 pm
Subject: [Wireshark-dev] How is the protocol display filter name determined?

Hi,
 
I have a custom plugin building with the Wireshark 2.0.2 source on Windows 7, using cmake.
 
For the most part the plugin works correctly.
 
Display filters on particular items appear to work.
 
However, when I try to use just the protocol name to filter I don't get any packets.
But if I clear the display filter the packets are there.
 
The protocol is called FAPI.
 
This is used to register the protocol.
 
    proto_fapi = proto_register_protocol("FAPI", "FAPI", "fapi");
 
The packets come on a particular UDP port.
 
If I start a capture I can see the packets and the PROTOCOL column says FAPI.
 
When I enter "fapi" in the display filter field and hit apply everything disappears.
 
A display filter like this:
 
fapi.FAPI_subFrameIndication_st.sf
 
works correctly.
 
Any ideas on where I should look?
I've tried rebuilding everything from scratch but end up with the same results.
 
Thank you
 
 
From "About":
===================================================================================
Version 2.0.2-StarSolutions (SVN Rev Unknown from unknown)
 
Copyright 1998-2016 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 
Compiled (64-bit) with GTK+ 2.24.23, with Cairo 1.12.16, with Pango 1.36.8, with
WinPcap (4_1_3), with libz 1.2.8, with GLib 2.42.0, with SMI 0.4.8, with c-ares
1.9.1, with Lua 5.2, with GnuTLS 3.2.15, with Gcrypt 1.6.2, with MIT Kerberos,
with GeoIP, with PortAudio V19-devel (built Mar 24 2016), with AirPcap.
 
Running on 64-bit Windows 7 Service Pack 1, build 7601, with locale
English_Canada.1252, with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980),
based on libpcap version 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.2.15,
with Gcrypt 1.6.2, with AirPcap 4.1.0 build 1622.
Intel(R) Core(TM) i7-5500U CPU @ 2.40GHz (with SSE4.2), with 7926MB of physical
memory.
 
Built using Microsoft Visual C++ 12.0 build 31101
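The pattern Michael Mann describes, as an added Lua dissector example (this is not the C plugin from the thread; Lua 5.2 is present in the build listed above). The field names other than the protocol, the UDP port, and the wrong/right helper split are assumptions made for the illustration:

```lua
-- Added example: a minimal Lua dissector for a hypothetical "FAPI" protocol
-- (assumed layout, not the plugin from the thread). It shows why the bare
-- protocol filter "fapi" only matches when the protocol item itself is
-- placed in the tree, while filters on "fapi.*" fields work either way.

-- Lua equivalent of proto_register_protocol("FAPI", "FAPI", "fapi")
local fapi_proto = Proto("fapi", "FAPI")

-- Field names are assumed; the thread only shows fapi.FAPI_subFrameIndication_st.sf
local f_msg_type = ProtoField.uint8("fapi.msg_type", "Message Type", base.DEC)
local f_sf       = ProtoField.uint16("fapi.sf", "Subframe", base.DEC)
fapi_proto.fields = { f_msg_type, f_sf }

-- Wrong pattern (the symptom from the thread): fields are added straight
-- under the parent tree. Filters on "fapi.sf" match, but the bare filter
-- "fapi" matches nothing, because no tree item carries the protocol's own id.
local function dissect_wrong(tvb, pinfo, tree)
  tree:add(f_msg_type, tvb(0, 1))
  tree:add(f_sf, tvb(1, 2))
end

-- Correct pattern: the first item added is the protocol itself, covering the
-- whole buffer, and every other item hangs off that subtree.
local function dissect_right(tvb, pinfo, tree)
  local ti = tree:add(fapi_proto, tvb())   -- this item is what "fapi" matches
  ti:add(f_msg_type, tvb(0, 1))
  ti:add(f_sf, tvb(1, 2))
end

function fapi_proto.dissector(tvb, pinfo, tree)
  if tvb:len() < 3 then return 0 end    -- too short to be one of our messages
  pinfo.cols.protocol = "FAPI"          -- PROTOCOL column, as in the report
  dissect_right(tvb, pinfo, tree)       -- swap for dissect_wrong to reproduce the bug
  return tvb:len()
end

-- The UDP port is assumed; the thread does not give it.
DissectorTable.get("udp.port"):add(9999, fapi_proto)
```

Load the script with -X lua_script:fapi.lua, apply the filter "fapi", and then switch the call to dissect_wrong and reapply it to see the packets vanish the way the original report describes.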