An option to allow a user to specify that a column with a given title be
displayed with a given field value, so that if one wasn't specified (and
no filtering or coloring was done) no protocol tree would be constructed,
would work (there's already a mechanism, in the code to construct the
protocol tree, to handle specially fields marked as "interesting", so
there should be no extra cost to constructing the protocol tree if no
field was being displayed).
With a mechanism to allow specification of the columns in the Tethereal
command line, that might be an alternative to -zproto,colinfo as well.
Frequently-specified values should probably be given their own column
type, so that you don't have to pay the penalty of constructing a protocol
tree to display the field in question.
I don't quite understand what you're describing there.. could you
describe how this would look/feel if implemented?
At the moment, the column code already has to look at the protocol ID to
determine what (if any) layer 3 addresses the packet contains, so to
test for and display any present vlan ID would seem to be much the same
logic that is already there to test for layer 3 addresses.
I agree though that if I was after something much further into the
packet, a protocol tree would need to be constructed.
Perhaps this could be solved by bypassing the protocol tree build
entirely, and defining a column as the result of a filter condition,
size, offset, and bitwise mask... perhaps even a list of supported
output formats (integer, longint, short, stringz, unixtime, etc etc)
could be added.
For example.. the dot1q tag would be
Condition (Filter): frame[12:2] == 81:00
Size: 16 (unnecessary, since this is also indicated by the length of the
mask below, but makes it possible to default the mask to the correct
length for the user)
Offset: 14
Mask: 0000111111111111
You wouldn't need to build a protocol tree at all if the filter is
restricted to using frame[] only... it could be written so that if the
user enters "eth.type == 0x8100", it would be interpreted once, and
converted to frame[12:2] == 81:00
In effect, this creates a programmable column.
It would break down if you were limited to a single condition, and you
wanted to display say IMAP commands.. because that would be conditional
on the packet containing the right values in several places.. and you
can't necessarily always convert a symbol to an exact offset can you..
because of things just like this - the dot1q tag shifting things along.
I'm rambling now... I'll go away and think about this some more.
Thanks for your thoughts.
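
The programmable column described in the message above (condition, size, offset, mask), sketched in C as an added example; it is not part of the original message and not Ethereal code. The names `raw_column`, `raw_column_eval` and `vlan_of` are hypothetical, and the sample frames are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical "programmable column": all names here are illustrative. */
struct raw_column {
    size_t cond_off, cond_len;  /* condition: frame[cond_off:cond_len] == cond_val */
    const uint8_t *cond_val;
    size_t offset;              /* byte offset of the field in the frame */
    unsigned size_bits;         /* field width: 8, 16, 24 or 32 bits */
    uint32_t mask;              /* applied after a big-endian read */
};

/* Returns 1 and stores the masked value if the column applies, else 0. */
int raw_column_eval(const struct raw_column *c, const uint8_t *frame,
                    size_t len, uint32_t *out)
{
    size_t nbytes = c->size_bits / 8, i;
    uint32_t v = 0;
    if (c->size_bits % 8 != 0 || nbytes == 0 || nbytes > 4)
        return 0;
    /* Reject truncated captures before reading any byte of the frame. */
    if (c->cond_off > len || c->cond_len > len - c->cond_off ||
        c->offset > len || nbytes > len - c->offset)
        return 0;
    if (memcmp(frame + c->cond_off, c->cond_val, c->cond_len) != 0)
        return 0;
    for (i = 0; i < nbytes; i++)
        v = (v << 8) | frame[c->offset + i];
    *out = v & c->mask;
    return 1;
}

/* The dot1q column: frame[12:2] == 81:00, size 16, offset 14, mask 0x0FFF. */
static const uint8_t DOT1Q_TPID[2] = { 0x81, 0x00 };
static const struct raw_column VLAN_COL = { 12, 2, DOT1Q_TPID, 14, 16, 0x0FFF };

/* Constructed sample headers: one tagged (TCI 0xA064), one untagged. */
static const uint8_t TAGGED[18] = { 1,2,3,4,5,6, 7,8,9,10,11,12,
                                    0x81,0x00, 0xA0,0x64, 0x08,0x00 };
static const uint8_t UNTAGGED[14] = { 1,2,3,4,5,6, 7,8,9,10,11,12, 0x08,0x00 };

/* VLAN ID for the column, or -1 when the column is empty for this frame. */
int vlan_of(const uint8_t *frame, size_t len)
{
    uint32_t v = 0;
    return raw_column_eval(&VLAN_COL, frame, len, &v) ? (int)v : -1;
}

int main(void) { return vlan_of(TAGGED, sizeof TAGGED) == 100 ? 0 : 1; }
```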