[pcap-ng-format] Request: IDB:if_filter: add support for the "Wireshark Display Filter"
Jose Pedro Oliveira
jpo at di.uminho.pt
Fri Jun 29 11:06:14 PDT 2012
On 2012-06-29 17:22, Jasper Bongertz wrote:
> Hello Jose,
>
> thanks for your suggestion.
>
>> Summary:
>> Register a new filter type for the Wireshark's Display filter [1].
>
>> More info:
>> This would allow storing the display filter in contexts where
>> it is used as an (offline) capture filter.
>
>> The content of the display filter would be a string (similar
>> to the libpcap filter contents).
>
> I get the idea, but I'm not sure that the IDB is a good place to keep
> the filter setting. The IDB is used to store details about the capture
> interface, and in my opinion a display filter has no relation to an
> interface. Especially if you have multiple interfaces in a trace and
> you read it with a display filter working as a "read filter" it would
> apply to all interfaces I think.
I believe you are right: the display filter will be matched against all
packets contained in the section independently of their interface.
> Maybe a filter like this could be stored in a more global part of the
> file structure, but I'm not sure the SHB is a good place either. It
> could be stored as a comment though.
I also believe the SHB wouldn't be a good place to store it.
A couple of months ago there was a suggestion about keeping the history
of the applied filters in a special grow-only block. This would be
perfect to keep a record of all operations done since the live capture
(possible record: date + tool_cmdline + capture_filter(s)/display_filter
applied):
Example:
dumpcap ... -f <capture filter> -w first.pcapng
tshark ... -R <display filter> -r first.pcapng -w second.pcapng
tshark ... -R <display filter2> -r second.pcapng -w third.pcapng
...
Note: The creation/update of ISB blocks also needs to be better
specified.
jpo
--
José Pedro Oliveira
* mailto:jpo at di.uminho.pt *
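The thread turns on where a filter belongs in the pcapng block layout: the existing if_filter option (option code 11) lives inside each Interface Description Block, and its first octet is a code for the kind of filter that follows. The script below is an added example, not code from the pcap-ng-format list or from Wireshark: it writes a little-endian Section Header Block plus two IDBs carrying different if_filter values, then parses the file back and lists the filter per interface. Filter code 0 (libpcap filter string) follows the pcapng draft; filter code 2 for a Wireshark display filter is a hypothetical value chosen only to illustrate the request and is not registered anywhere. All sample data is constructed inline.

```python
import struct

# Block types and option codes from the pcapng draft (little-endian section assumed).
SHB_TYPE = 0x0A0D0D0A
IDB_TYPE = 0x00000001
BYTE_ORDER_MAGIC = 0x1A2B3C4D
OPT_ENDOFOPT = 0
OPT_IF_NAME = 2
OPT_IF_FILTER = 11

# First octet of the if_filter option data: 0 = libpcap filter string (per the draft).
FILTER_CODE_LIBPCAP = 0
# Hypothetical code for a Wireshark display filter (assumption for this example only,
# not a registered pcapng value).
FILTER_CODE_DISPLAY_HYPOTHETICAL = 2


def _pad4(data):
    """Options and block bodies are padded to a 32-bit boundary."""
    return data + b"\x00" * (-len(data) % 4)


def encode_option(code, value):
    return struct.pack("<HH", code, len(value)) + _pad4(value)


def encode_options(opts):
    if not opts:
        return b""
    body = b"".join(encode_option(c, v) for c, v in opts)
    return body + struct.pack("<HH", OPT_ENDOFOPT, 0)


def _block(block_type, body):
    # Block Total Length appears both after the type and as the trailer.
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def shb():
    # Byte-Order Magic, major 1, minor 0, section length -1 (unspecified).
    return _block(SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))


def idb(linktype, snaplen, name, filter_code=None, filter_text=None):
    opts = [(OPT_IF_NAME, name.encode())]
    if filter_text is not None:
        opts.append((OPT_IF_FILTER, bytes([filter_code]) + filter_text.encode()))
    body = struct.pack("<HHI", linktype, 0, snaplen) + encode_options(opts)
    return _block(IDB_TYPE, body)


def parse_options(data):
    opts, off = [], 0
    while off + 4 <= len(data):
        code, length = struct.unpack_from("<HH", data, off)
        off += 4
        if code == OPT_ENDOFOPT:
            break
        if off + length > len(data):
            raise ValueError("option length runs past block body")
        opts.append((code, data[off:off + length]))
        off += length + (-length % 4)
    return opts


def iter_blocks(buf):
    """Yield (block_type, body) while checking both length fields agree."""
    off = 0
    while off + 12 <= len(buf):
        btype, total = struct.unpack_from("<II", buf, off)
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError("bad block length at offset %d" % off)
        (trailer,) = struct.unpack_from("<I", buf, off + total - 4)
        if trailer != total:
            raise ValueError("trailer length mismatch at offset %d" % off)
        yield btype, buf[off + 8:off + total - 4]
        off += total


def interface_filters(buf):
    """Return [(if_name, filter_code, filter_text)] for each IDB, in file order."""
    out = []
    for btype, body in iter_blocks(buf):
        if btype != IDB_TYPE:
            continue
        opts = parse_options(body[8:])  # skip LinkType, Reserved, SnapLen
        name = next((v.decode() for c, v in opts if c == OPT_IF_NAME), None)
        flt = next((v for c, v in opts if c == OPT_IF_FILTER), None)
        out.append((name, flt[0], flt[1:].decode()) if flt else (name, None, None))
    return out


def build_sample():
    # Constructed sample: one section, two interfaces, each with its own if_filter.
    return (shb()
            + idb(1, 65535, "eth0", FILTER_CODE_LIBPCAP, "tcp port 23")
            + idb(1, 65535, "eth1", FILTER_CODE_DISPLAY_HYPOTHETICAL, "http.request"))


if __name__ == "__main__":
    for name, code, text in interface_filters(build_sample()):
        print(name, code, text)
```

Because every if_filter is bound to one IDB, a file with several interfaces carries one filter per interface, which is the mismatch Jasper raises: a display filter applied as a read filter selects packets from the whole section regardless of interface, so storing it per IDB would duplicate it and misstate its scope.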