[pcap-ng-format] Request: IDB:if_filter: add support for the "Wireshark Display Filter"

Richard Sharpe realrichardsharpe at gmail.com
Fri Jun 29 09:17:07 PDT 2012


On Fri, Jun 29, 2012 at 6:07 AM, Jose Pedro Oliveira <jpo at di.uminho.pt> wrote:
> Hi,
>
> This is a request for adding a new filter type - "Wireshark Display
> Filter" [1] - to the IDB:if_filter option.
>
> ----------
>
> Block:
> IDB
>
> Option:
> if_filter (option 11)
>
> Summary:
> Register a new filter type for Wireshark's Display Filter [1].
>
> More info:
> This would allow display filters to be stored in contexts where
> they are used as (offline) capture filters.
>
> The content of the display filter would be a string (similar
> to the libpcap filter contents).
>
> Example:
>
>  * tshark offline filtering operation using the Wiretap API:
>
>    tshark -R <display filter>  -r in.pcapng  -w out.pcapng
>

Hi Jose,

Thank you for your suggestion.

What are the advantages of this? Surely the filter can be stored as a
comment in the pcap-ng section header? (That is not to say that the
idea is not worth considering, just that it might need a good
justification.)

In addition, moving forward, I don't think we are going to accept
requests for new fields, blocks, options, etc., unless they are
accompanied by patches to the reference implementation.

If you feel seriously enough about a change, then you should be
prepared to provide code to deal with that change.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)

