First let me state that the fact that ethereal could colorize packets was
highly praised at DefCon 2000.
> Jeff Foster wrote:
> >
> > I understand that the color filters in general need to have the UI
> > improved.
>
> I wrote them and I agree wholeheartedly. The UI was just an easy way to
> get things started.
>
> > But I think that popping the standard color dialog in the
> > packet list right click 'Colorize Display' option is wrong. I expect
> > a simpler dialog that will colorize the top level protocol for that
> > packet. For example if the packet selected is SMB, the filter dialog
>
> I disagree here, though. You may want to colorize top level protocols,
> but for me that is fairly uncommon: I want to colorize layer 3/4 stuff
> when I'm teaching (green arp, red tcp, blue udp, etc) or specific
> traffic (orange DNS responses from 10.4.0.2) when I'm debugging.
>
> > would already have a filter name, for example the top protocol name,
> > the filter text would be set to the top level protocol, and the user
> > would just enter the foreground and background color information.
> I like the idea and it would be simple to use, but I don't think "top
> level protocol" is necessarily the right thing to put in there as the
> filter or name. I thought of making a name out of the protocols, but
> when I entered complex filters, generating the names was difficult.
Not to pick nits, but in my mind arp is a top level protocol. I don't
mean the top of the protocol stack when I say 'top level protocol', I'm
referring to the highest protocol on the stack that ethereal decoded for
the packet. This short cut is just a quick and dirty "I want to
highlight protocol - XXX".
> Maybe we need some way to select the important features of a packet.
> One option might be to use a method similar to Match Selected, but
> allowing selection of multiple fields (or can we do that and I just
> can't figure out how?). That puts a filter in the display filter dialog
> which could instead be put into the colorization filter dialog with
> either a bogus name or no name. If no field is selected (as is the case
> now), no filter would be entered in colorize's filter dialog and the
> user could supply one. This would allow both the current behavior and
> your desired behavior.
> I'm just back from out of the country so I don't have time to make the
> change now, but it could be made in two phases:
>
> 1) put the current selected packet field (if any) into the colorize
> dialog for the filter
I like this idea.
> 2) (if necessary) extend the field selection to multiple fields
Sounds hard. Something that extends beyond just colorize packets to
complex filtering of packets based upon multiple fields and multi-selects
in GTK.
My main point is that if I really want a complex filter go to the Edit->
Filters menu to do it. The right click short cut is a short cut to a
simpler filter that doesn't require the user to understand the details
of writing a filter. Please no flames about (L)users.
Jeff Foster
jfoste@xxxxxxxxxxxx