Wireshark-dev: [Wireshark-dev] How to allow string matching on a decoded string field ?

From: Fulko Hew <fulko.hew@xxxxxxxxx>
Date: Tue, 15 Dec 2020 19:35:02 -0500

I have a protocol that has an encrypted string as one of its fields.
A Lua-based dissector (for example) shows this using the following
code snippet:

xx_proto.fields.msg = ProtoField.string("xx.msg", "Msg", base.ASCII)

local decoded = decrypt(buf, start)
subtree:add(xx_proto.fields.msg, buf(start, len), decoded:raw())

The decoder converts the encrypted data into ASCII.

I'd love to be able to search on the decrypted contents using a display filter,
but I presume it searches buf(start, len) rather than the decrypted data/value
that's placed into the tree.

Can it be done?
What would I need to do?

TIA
Fulko