Wireshark mailing list archives

Re: Regarding display filter - how to redesign code to incorporate expressions other than protocols?


From: Ateeth Kumar Thirukkovulur <athirukkovulur () uh edu>
Date: Sun, 20 Apr 2014 19:40:41 -0500

Yes, that's what I was looking for. Thank you.

Well, I am interested in using newly created expressions to filter packets
that are related. Indirectly, what I want is end-to-end host filtering (not
based on protocols).

Also, for example:

Suppose there is an ARP reply from a given host address. I also want
Wireshark to display the ARP request of that host only. So what I am
saying is that Wireshark should display only the ARP reply and the ARP request
of the particular host. It shouldn't display the previous ARP packets from
that host. Maybe just the last 2 packets, the ARP reply and ARP request, so
that those 2 packets can be monitored in detail.




Ateeth Kumar Thirukkovulur
Research Assistant
College of Technology
UH ID:1267190




On Sat, Apr 19, 2014 at 2:12 PM, Guy Harris <guy () alum mit edu> wrote:


On Apr 19, 2014, at 11:58 AM, Ateeth Kumar Thirukkovulur <athirukkovulur () uh edu> wrote:

Not exactly.

Suppose I want to include a NOT operator in the display filter. Say "!
tcp". Which code must I change? I know it already exists. Where do I
include the symbols and expressions for newly added terms?

Do you get what I am saying?

No, not really.

If you mean "how do I support new operators in packet-matching
expressions", you'd:

        change epan/dfilter/scanner.l to add the new operator as a
lexical-analyzer token;

        change epan/dfilter/grammar.lemon to handle that token as part of
the grammar, translating it into new "instructions" in the "display
filter virtual machine";

        change epan/dfilter/dfvm.c to support those new "instructions".

If you mean "how do I support some particular *type* of new operators",
you'd need to tell us what those new operators are and what semantics they
have, so we can indicate what *particular* changes would be needed to those
files.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

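The request/reply selection asked for above, as an added example that is not code from this thread or from Wireshark: a display filter tests each packet on its own, so pairing an ARP reply with the request it answers needs state kept across packets. The script below keeps that state over constructed sample records laid out like `tshark -T fields` output (fields frame.number, arp.opcode, arp.src.proto_ipv4, arp.dst.proto_ipv4, all of which are real Wireshark field names; the packet data itself is made up) and hands the two chosen frame numbers back as an ordinary display filter.

```python
"""Select the latest ARP request/reply pair for one host.

A display filter matches each packet on its own; pairing a reply with the
request it answers needs state kept across packets. This keeps that state,
then hands the two frame numbers back to Wireshark as a plain display filter.
"""

# Constructed sample, laid out like `tshark -T fields` output with the fields
# frame.number, arp.opcode, arp.src.proto_ipv4, arp.dst.proto_ipv4
# (tab-separated). ARP opcode 1 is a request, 2 is a reply.
SAMPLE = """\
1\t1\t10.0.0.1\t10.0.0.5
2\t2\t10.0.0.5\t10.0.0.1
3\t1\t10.0.0.2\t10.0.0.9
4\t1\t10.0.0.1\t10.0.0.5
5\t1\t10.0.0.7\t10.0.0.5
6\t2\t10.0.0.5\t10.0.0.1
7\t2\t10.0.0.5\t10.0.0.7
"""


def parse_arp(text):
    """Parse tab-separated lines into (frame, opcode, src_ip, dst_ip) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            frame, opcode, src, dst = line.split("\t")
            records.append((int(frame), int(opcode), src, dst))
    return records


def last_arp_exchange(records, host):
    """Return (request_frame, reply_frame) for the most recent reply sent by
    `host`, paired with the newest unanswered request the same requester sent
    to `host`. Returns None when no complete pair exists."""
    pending = {}  # requester IP -> frame number of its latest open request
    best = None
    for frame, opcode, src, dst in records:
        if opcode == 1 and dst == host:
            pending[src] = frame  # a newer request supersedes an older one
        elif opcode == 2 and src == host and dst in pending:
            best = (pending.pop(dst), frame)
    return best


def to_display_filter(pair):
    """Express the selected frame pair as a display filter Wireshark accepts."""
    return " || ".join("frame.number == %d" % n for n in pair)
```

For host 10.0.0.5 the sample yields frames 5 and 7, i.e. the filter `frame.number == 5 || frame.number == 7`; a host that never replied (10.0.0.9 in the sample) yields no pair.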
