Wireshark-users: Re: [Wireshark-users] Betr: custom columns?

From: "Marlon Duksa" <mduksa@xxxxxxxxx>
Date: Tue, 12 Aug 2008 14:37:06 -0700
Luis - how would this work in this packet:

No.     Time        Source                Destination           mpls1
  15256 30.489742   11.0.0.4              5.5.5.5               800012

Frame 15256 (120 bytes on wire, 120 bytes captured)
Ethernet II, Src: TimetraN_0d:45:6c (00:03:fa:0d:45:6c), Dst: LinksysG_80:7e:ba (00:04:5a:80:7e:ba)
Internet Protocol, Src: 100.100.100.100 (100.100.100.100), Dst: 7.7.7.7 (7.7.7.7)
Generic Routing Encapsulation (MPLS label switched packet)
MultiProtocol Label Switching Header, Label: 2051, Exp: 0, S: 1, TTL: 255
Ethernet II, Src: JuniperN_9b:85:fe (00:12:1e:9b:85:fe), Dst: JuniperN_9b:89:f9 (00:12:1e:9b:89:f9)
MultiProtocol Label Switching Header, Label: 800012, Exp: 0, S: 1, TTL: 255
Ethernet II, Src: Xerox_00:00:03 (00:00:07:00:00:03), Dst: Xerox_00:00:03 (00:00:03:00:00:03)
Internet Protocol, Src: 11.0.0.4 (11.0.0.4), Dst: 5.5.5.5 (5.5.5.5)
Data (26 bytes)


Let's say I want custom columns for the three fields in red.
Thanks,
kris


On Tue, Aug 12, 2008 at 2:14 PM, Luis EG Ontanon <luis@xxxxxxxxxxx> wrote:
I've been thinking for a long time about implementing the "/" (over) operator:

"y/x" meaning "y when preceded by x in the frame".

E.G:

Take a frame made of ETH|IP|UDP|TunProt|IP|ICMP|UDP

"ip/tunprot" would read "ip over tunprot" and would be equivalent to
"ip" if only the last ip header was there so that "ip.src/tunprot"
would be just that one "ip.src" not any of those in the tree.

"udp.port/icmp" (or "udp.port/tunprot") is that of the udp header
after icmp (and tunprot), not the one before.

"udp.port/ip" would be redundant (i.e. as it works now).


Any comments?


On Tue, Aug 12, 2008 at 8:34 PM, Marlon Duksa <mduksa@xxxxxxxxx> wrote:
> ok Thanks.
> Just a suggestion if the development community reads this at all.
> It would be very useful (at least to me), to have this functionality in the
> form of the filter where you can specify the instance as well:
>
> For example:
> header.field.inst   or
> eth.src.x - where 'x' would be the instance number of the ethernet header in
> the frame.
> Thanks again.
> Marlon
>
> On Tue, Aug 12, 2008 at 11:04 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>>
>> On Aug 12, 2008, at 9:46 AM, Marlon Duksa wrote:
>>
>> > Hi Joan - this is good and it solves my problem partially. It looks
>> > like that if I do it this way, and if I have repeating headers in my
>> > frames, that the filter will always pick up the last one (the
>> > deepest header in the frame). Do you know if I can specify which
>> > header I want to filter on?
>>
>> No, you can't, unfortunately.
>> _______________________________________________
>> Wireshark-users mailing list
>> Wireshark-users@xxxxxxxxxxxxx
>> https://wireshark.org/mailman/listinfo/wireshark-users
>
>



--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
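
The two selection ideas raised in this thread ("y/x" and a per-field instance number), modelled over the layer order of frame 15256 as printed above. This is an added illustration, not Wireshark code and not written by any poster; the function names `occurrences`, `over` and `instance` are hypothetical, and the field names `eth.src`, `ip.src` and `mpls.label` are assumed for the values shown in the dissection.

```python
# Model of the proposals in this thread; neither syntax is stated to exist in
# Wireshark. Layers are listed in dissection order, outermost first, with
# values copied from the frame 15256 printout in the message.
FRAME_15256 = [
    ("eth",  {"eth.src": "00:03:fa:0d:45:6c"}),
    ("ip",   {"ip.src": "100.100.100.100"}),
    ("gre",  {}),
    ("mpls", {"mpls.label": 2051}),
    ("eth",  {"eth.src": "00:12:1e:9b:85:fe"}),
    ("mpls", {"mpls.label": 800012}),
    ("eth",  {"eth.src": "00:00:07:00:00:03"}),
    ("ip",   {"ip.src": "11.0.0.4"}),
    ("data", {}),
]


def occurrences(frame, field):
    """Every (layer index, value) pair for `field`, outermost first."""
    return [(i, f[field]) for i, (_, f) in enumerate(frame) if field in f]


def over(frame, expr):
    """Proposed "y/x": values of field y that are preceded by protocol x."""
    field, sep, proto = expr.partition("/")
    if not sep or not field or not proto:
        raise ValueError("expected 'field/protocol', got %r" % expr)
    # Any y after the first x layer is "preceded by x in the frame".
    first_x = next((i for i, (p, _) in enumerate(frame) if p == proto), None)
    if first_x is None:
        return []  # x never appears, so nothing can follow it
    return [v for i, v in occurrences(frame, field) if i > first_x]


def instance(frame, field, n):
    """Proposed "field.n": the n-th occurrence (1-based), or None."""
    values = [v for _, v in occurrences(frame, field)]
    return values[n - 1] if 1 <= n <= len(values) else None


if __name__ == "__main__":
    for expr in ("mpls.label/mpls", "mpls.label/eth", "ip.src/gre"):
        print(expr, "->", over(FRAME_15256, expr))
    print("eth.src.2 ->", instance(FRAME_15256, "eth.src", 2))
```

Note that "mpls.label/eth" still returns both labels, because the outer Ethernet header precedes both MPLS headers; only the instance number singles out one of three `eth.src` values.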