Karl Freter wrote:
>
> I think I'm close here. My original request was to highlight an entire
> line. [Highlighting an individual item within a protocol tree is an
> excellent idea, albeit one I can wait for.] Ideally :-), I would be
> able to signal a common error flag or call a common routine if ANY field
> in any of the protocol stacks had an error. Then I would see that line
> backlit and I could open each protocol layer to see what was in error.

I guess I thought 'line' meant "line in the packet list". If it does
then what you say below seems to be what I suggested and will
"undoubtedly" work.

>
> It sounds like this may or may not be doable (I haven't yet read the
> links that Guy identified). A potential compromise might be something
> like what's done for ICMP bad checksums. There is a hidden, filterable,
> boolean item called "hf_icmp_checksum" that gets set (via a call to
> proto_tree_add_item_hidden()) when a bad checksum is encountered. I

I am not sure if one can filter on a hidden item. I don't have any
broken ICMP implementations around here :-) to test that one with. Also
my box running packet building software has been overwritten with w2k
for the time being so I cannot test it by faking packets either. If you
can filter on that field, though, you can use it in a colorization field
as they use the same filtering scheme as display filters.

> believe that a filter rule can then be added to identify records that
> have this field set. I could add one of these for each item I wanted to
> include in the error list. This means my filter line may have several
> items (ip checksum, tcp checksum, ICMP checksum, etc.) but it will
> identify all the records that have the errors I'm looking for.

I believe that is correct, if the filters can see hidden items (which I
think they can).

--john
--
John McDermott, Writer and Consultant
J-K International, Ltd.
V +1 505/377-6293 F +1 505/377-6313
jjm@xxxxxxxxxx