[pcap-ng-format] Request: IDB:if_filter: add support for the "Wireshark Display Filter"
Jasper Bongertz
jasper.bongertz at flane.de
Fri Jun 29 09:22:59 PDT 2012
Hello Jose,

thanks for your suggestion.

> Summary:
> Register a new filter type for the Wireshark's Display filter [1].
>
> More info:
> This would allow to store the display filter in contexts where
> they are used as (offline) capture filters.
> The content of the display filter would be a string (similar
> to the libpcap filter contents).

I get the idea, but I'm not sure that the IDB is a good place to keep
the filter setting. The IDB is used to store details about the capture
interface, and in my opinion a display filter has no relation to an
interface. Especially if you have multiple interfaces in a trace and
you read it with a display filter working as a "read filter" it would
apply to all interfaces I think.

Maybe a filter like this could be stored in a more global part of the
file structure, but I'm not sure the SHB is a good place either. It
could be stored as a comment though.

Cheers,
Jasper
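
The placement question discussed above, as an added example that is not part of the original message or of any pcapng tool: it builds a little-endian section with the filter string either repeated in every IDB as an `if_filter` option or stored once as an SHB comment, then parses both back. The block and option codes are taken from the pcapng specification; the filter-type octet `DFILTER_TYPE` and the helper names are hypothetical.

```python
import struct

# Block and option codes from the pcapng specification (not quoted in the thread).
SHB, IDB = 0x0A0D0D0A, 0x00000001
OPT_END, OPT_COMMENT, IF_FILTER = 0, 1, 11
DFILTER_TYPE = 0xFF  # hypothetical filter-type octet; no such code is registered

def option(code, value):
    # 16-bit code, 16-bit unpadded length, value padded to a 32-bit boundary
    return struct.pack("<HH", code, len(value)) + value + b"\x00" * (-len(value) % 4)

def block(btype, fixed, opts=b""):
    body = fixed + (opts + option(OPT_END, b"") if opts else b"")
    total = 12 + len(body)  # type + length + body + trailing length
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def shb(comment=None):
    fixed = struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)  # magic, v1.0, length unknown
    return block(SHB, fixed, option(OPT_COMMENT, comment.encode()) if comment else b"")

def idb(filt=None):
    fixed = struct.pack("<HHI", 1, 0, 0)  # LINKTYPE_ETHERNET, reserved, no snaplen limit
    value = bytes([DFILTER_TYPE]) + filt.encode() if filt else b""
    return block(IDB, fixed, option(IF_FILTER, value) if filt else b"")

def parse(data):
    """Return [(block_type, {option_code: value})]; little-endian SHB/IDB only."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 12:
            raise ValueError("truncated block header")
        btype, total = struct.unpack_from("<II", data, pos)
        fixed = {SHB: 16, IDB: 8}.get(btype)
        if fixed is None or total < 12 + fixed or total % 4 or pos + total > len(data):
            raise ValueError("unsupported or malformed block")
        p, end, opts = pos + 8 + fixed, pos + total - 4, {}
        while p + 4 <= end:
            code, length = struct.unpack_from("<HH", data, p)
            if code == OPT_END:
                break
            if p + 4 + length > end:
                raise ValueError("option overruns block")
            opts[code] = data[p + 4:p + 4 + length]
            p += 4 + length + (-length % 4)
        out.append((btype, opts))
        pos += total
    return out

def per_interface(filt, n):   # the proposal: filter repeated in each IDB
    return shb() + b"".join(idb(filt) for _ in range(n))

def section_wide(filt, n):    # the reply's alternative: one SHB comment
    return shb(filt) + b"".join(idb() for _ in range(n))
```

With two interfaces, `per_interface` carries the same filter string twice and nothing stops the copies from diverging, while `section_wide` carries it once but only as free text that a reader has to recognise as a filter.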