Re: How does wireshark filter packets

[Guy Harris <guy () alum mit edu>]

On Jan 29, 2013, at 2:10 PM, Guy Harris <guy () alum mit edu> wrote:

> On Jan 29, 2013, at 1:39 PM, Wenfei Wu <wenfeiwu () cs wisc edu> wrote:
>
> >  I want to know how wireshark use the filter expression to filter packets. Does it parse the packet first, and then 
> > use the filter expression to check? If so, is there some intermediate data structure to store the filter expression? 
> > What is the algorithm?
> >  Is there some materials about this?
>
> See my reply on the tcpdump-workers mailing list.

Although that applies only to Wireshark *capture* filters.

For *display* filters, yes, Wireshark and TShark parse the packet first, turning it into a tree of named fields and 
unnamed "text" items.

The filter expression is compiled into a pseudo-machine code.  It is *not* the same as the BPF pseudo-machine code; 
it's much higher-level, in that it knows about named packet fields, not just the raw array of packet bytes that the BPF 
pseudo-machine uses.

See the code in the epan/dfilter directory - in particular, see dfvm.h and dfvm.c for the core of the pseudo-machine 
interpreter.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe