Wireshark mailing list archives

Display Filters


From: David Morsberger <dave () morsberger com>
Date: Sun, 10 Jan 2016 21:01:09 -0500

I need some help and advice on display filters because I’m new to the codebase. I’m trying to add the capability where
a ‘http contains blah’ filter searches uncompressed HTTP content. I’m adding it because we use ‘frame contains’ and ‘http
contains’ in our workflow to find items of interest in the traffic. There are items in the compressed data that we
would like to find using the contains operator.

I see how the ‘http contains’ filter works and how HTTP decompression works; however, I cannot figure out how to add the
decompressed data to the linked list used for display filtering.

I believe it will work if the decompressed buffer is added to the list_a linked list in dfvm.c. The list_a linked list
only has the raw HTTP packet data, and the next pointer is NULL when the protocol ID is http. It would seem to work if the
uncompressed data pointer were added to the end of the list_a linked list in the read_tree method.

Thoughts/guidance?

/* dfvm.c: a comparison succeeds if ANY value in register reg1 matches
 * ANY value in register reg2 (a field can occur several times in a frame). */
static gboolean
any_test(dfilter_t *df, FvalueCmpFunc cmp, int reg1, int reg2)
{
        GList   *list_a, *list_b;

        list_a = df->registers[reg1];   /* left-hand field values, e.g. http */

        while (list_a) {
                list_b = df->registers[reg2];   /* right-hand values, e.g. the literal "blah" */
                while (list_b) {
                        if (cmp((fvalue_t *)list_a->data, (fvalue_t *)list_b->data)) {
                                return TRUE;    /* first match wins */
                        }
                        list_b = g_list_next(list_b);
                }
                list_a = g_list_next(list_a);
        }
        return FALSE;   /* no pairing matched */
}
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
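The following is an added example, not code from the original message or from Wireshark itself. It re-creates the shape of the any_test() loop above with a plain C linked list and a byte-string "contains" comparison, so you can see why appending a second buffer to the left-hand register list is enough for ‘http contains blah’ to match: the search only has to succeed for any one value in that list. The fvalue_t and list types, the fvalue_contains() function and the sample buffers are all constructed stand-ins for this example (the 8 "compressed" bytes are made up, not real gzip output).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Wireshark's fvalue_t: a byte string with an explicit length,
 * so bodies containing NUL bytes are compared correctly. */
typedef struct {
    const unsigned char *data;
    size_t len;
} fvalue_t;

/* Stand-in for GList: a singly-linked list of fvalue_t pointers. */
typedef struct vlist {
    fvalue_t *data;
    struct vlist *next;
} vlist;

typedef bool (*FvalueCmpFunc)(const fvalue_t *a, const fvalue_t *b);

/* "contains" comparison: true when needle b occurs anywhere inside haystack a.
 * Uses memcmp in a loop rather than the non-portable memmem() extension. */
static bool fvalue_contains(const fvalue_t *a, const fvalue_t *b)
{
    if (b->len == 0)
        return true;
    if (b->len > a->len)
        return false;
    for (size_t i = 0; i + b->len <= a->len; i++) {
        if (memcmp(a->data + i, b->data, b->len) == 0)
            return true;
    }
    return false;
}

/* Same control flow as dfvm.c's any_test(): succeed if ANY value in the
 * left-hand list matches ANY value in the right-hand list. */
static bool any_test(vlist *list_a, vlist *list_b_head, FvalueCmpFunc cmp)
{
    while (list_a) {
        vlist *list_b = list_b_head;
        while (list_b) {
            if (cmp(list_a->data, list_b->data))
                return true;
            list_b = list_b->next;
        }
        list_a = list_a->next;
    }
    return false;
}

/* Constructed sample data (not taken from a real capture). */
static const unsigned char RAW_BODY[]    = { 0x1f, 0x8b, 0x08, 0x00, 0x11, 0x22, 0x33, 0x44 };
static const unsigned char DECOMP_BODY[] = "<html>interesting blah token</html>";
static const unsigned char NEEDLE[]      = "blah";

static fvalue_t raw_fv    = { RAW_BODY,    sizeof RAW_BODY };
static fvalue_t decomp_fv = { DECOMP_BODY, sizeof DECOMP_BODY - 1 };
static fvalue_t needle_fv = { NEEDLE,      sizeof NEEDLE - 1 };

/* Left-hand register holding only the raw (still compressed) bytes, as the
 * poster observes today: the literal cannot be found. */
static bool filter_matches_raw_only(void)
{
    vlist a = { &raw_fv, NULL };
    vlist b = { &needle_fv, NULL };
    return any_test(&a, &b, fvalue_contains);
}

/* Left-hand register with the decompressed buffer appended after the raw
 * bytes: the second iteration of the outer loop finds the literal. */
static bool filter_matches_with_decompressed(void)
{
    vlist a2 = { &decomp_fv, NULL };
    vlist a1 = { &raw_fv, &a2 };
    vlist b  = { &needle_fv, NULL };
    return any_test(&a1, &b, fvalue_contains);
}

int main(void)
{
    printf("raw only:          %s\n", filter_matches_raw_only() ? "match" : "no match");
    printf("with decompressed: %s\n", filter_matches_with_decompressed() ? "match" : "no match");
    return 0;
}
```

The order of the two buffers in the left-hand list does not matter for correctness, only for how soon the loop exits; what matters is that the decompressed bytes are present as their own fvalue so the existing comparison function sees them without any change to the ‘contains’ operator itself.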