[pcap-ng-format] Request: IDB:if_filter: add support for the "Wireshark Display Filter"

Jose Pedro Oliveira jpo at di.uminho.pt
Fri Jun 29 11:05:10 PDT 2012

On 2012-06-29 17:17, Richard Sharpe wrote:
> On Fri, Jun 29, 2012 at 6:07 AM, Jose Pedro Oliveira <jpo at di.uminho.pt> wrote:
>> Hi,
>> This is a request for adding a new filter type - "Wireshark Display
>> Filter" [1] - to the IDB:if_filter option.
>> ----------
>> Block:
>> IDB
>> Option:
>> if_filter (option 11)
>> Summary:
>> Register a new filter type for Wireshark's display filter [1].
>> More info:
>> This would allow storing the display filter in contexts where
>> it is used as an (offline) capture filter.
>> The content of the display filter would be a string (similar
>> to the libpcap filter contents).
>> Example:
>>  * tshark offline filtering operation using the Wiretap API:
>>    tshark -R <display filter>  -r in.pcapng  -w out.pcapng
> Hi Jose,
> Thank you for your suggestion.
> What are the advantages of this?

Using Wireshark display filters you will be able to exploit all
dissectors available in Wireshark.  At the moment Wireshark 1.8 supports
more than 1300 protocols representing more than 110
thousand searchable fields:

   $ tshark -v
   TShark 1.8.0 (SVN Rev Unknown from unknown)

   $ tshark -G protocols | wc -l

   $ tshark -G fields | grep ^F | wc -l

> ... Surely the filter can be stored as a
> comment in the pcap-ng section header? (That is not to say that the
> idea is not worth considering, just that it might need a good
> justification.)

More considerations in the next mail.

> In addition, moving forward, I don't think we are going to accept
> requests for new fields, blocks, options, etc, unless they are
> accompanied by patches to the reference implementation.

Are we talking about the ntar library?  Is there any public project
repository? Last December I exchanged a couple of messages with Gianluca
Varenni and he told me he was considering creating a SVN repository for
it (but at least until February he hadn't done so).

José Pedro Oliveira
* mailto:jpo at di.uminho.pt *
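
An added example, not part of the original message and not code from any reference implementation: a bounds-checked encoder and reader for the `if_filter` option (option 11) in an IDB options area, showing how a filter-type octet followed by a filter string would be carried. It assumes a little-endian section, assumes type octet 0 denotes a libpcap filter string, and uses `HYPOTHETICAL_DISPLAY` (0xF0) as a made-up, unassigned type code for a display filter.

```python
import struct

IF_FILTER = 11               # IDB option code named in the request
OPT_ENDOFOPT = 0             # terminates an options list
FILTER_LIBPCAP = 0           # assumption: type octet for a libpcap filter string
HYPOTHETICAL_DISPLAY = 0xF0  # made-up value for this example, not an assigned code

def encode_option(code, value):
    """Encode one option: code, length, then value padded to 32 bits."""
    pad = (-len(value)) % 4
    return struct.pack("<HH", code, len(value)) + value + b"\x00" * pad

def encode_if_filter(filter_type, text):
    """if_filter value = one filter-type octet followed by the filter string."""
    return encode_option(IF_FILTER, bytes([filter_type]) + text.encode("utf-8"))

def parse_options(buf):
    """Yield (code, value) pairs; reject truncated or overlong options."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("<HH", buf, off)
        off += 4
        if code == OPT_ENDOFOPT:
            return
        if length > len(buf) - off:
            raise ValueError("option length exceeds options area")
        yield code, buf[off:off + length]
        off += length + (-length) % 4   # skip value and its padding

def read_if_filter(buf):
    """Return (filter_type, filter_string), or None if no if_filter is present."""
    for code, value in parse_options(buf):
        if code == IF_FILTER:
            if not value:
                raise ValueError("if_filter without a type octet")
            return value[0], value[1:].decode("utf-8", errors="replace")
    return None

# Constructed sample: the options area of an IDB carrying a display filter.
SAMPLE = (
    encode_if_filter(HYPOTHETICAL_DISPLAY, "http.request")
    + encode_option(OPT_ENDOFOPT, b"")
)
```

A reader that does not recognise the type octet should keep the string opaque instead of handing it to a filter compiler.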