FYC
I added macros to the display filter engine.
At startup the df_macros in either userdir or (if not found) datadir
will be loaded (if there is one).
The GUI dialog is just a dummy that allows you to see.
The format of the file is as follows; I believe they are self explanatory:
-- example df_macros file
Macro_N4me: ip.addr == 1.2.3.4
tcp_ses: ((ip.addr == $1 && ip.addr == $2) && (tcp.port == $3 && tcp.port == $4))
server: 10.0.0.3
net10: 10.0.0.0/8
quoted: "$1"
quoted_in_quotes: "\\"$1\\""
nested: (${Macro_N4me} && ($1))
broken1: ${complete:second;
broken2: ;last}
complete: first;$1 $2 $3
--
the results are like these:
filter_str: ${tcp_ses:${server\};${net10\};80;12345}
resolved: ((ip.addr == 10.0.0.3 && ip.addr == 10.0.0.0/8) && (tcp.port == 80 && tcp.port == 12345))
filter_str: text contains ${quoted:# #}
resolved: text contains "# #"
filter_str: ${nested:udp.port==161}
resolved: (ip.addr == 1.2.3.4 && (udp.port==161))
filter_str: ${broken1};third${broken2}
not too resolved: ${complete:second;third;last}
--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
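As an added example (not code from the post or from Wireshark's own dfilter engine), here is a small Python expander that reads the df_macros format listed above and resolves the same filter strings to the results shown. The resolution order it assumes (arguments expanded first, `$N` substituted, the substituted body expanded once, the output never rescanned), the `\}`/`\;` escape handling and the recursion guard are my reading of the examples, not the real implementation.

```python
import re
# Constructed df_macros content, copied from the macro lines in the post.
DF_MACROS = """\
Macro_N4me: ip.addr == 1.2.3.4
tcp_ses: ((ip.addr == $1 && ip.addr == $2) && (tcp.port == $3 && tcp.port == $4))
server: 10.0.0.3
net10: 10.0.0.0/8
quoted: "$1"
nested: (${Macro_N4me} && ($1))
broken1: ${complete:second;
broken2: ;last}
complete: first;$1 $2 $3
"""
def load_macros(text):
    """One 'name: body' definition per line; the first ':' separates them."""
    return {n.strip(): b.strip() for n, _, b in
            (l.partition(":") for l in text.splitlines() if l.strip())}
def _scan(text, start):
    """Parse ${name[:a1;a2;...]} at start; '\\' escapes the next char ('\\}', '\\;'); None if unclosed."""
    parts, cur, i = [], "", start + 2
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):      # escaped char is literal, never a delimiter
            cur, i = cur + text[i + 1], i + 2
            continue
        if c in ";}":
            parts, cur = parts + [cur], ""
            if c == "}":                           # name is everything before the first ':'
                name, colon, first = parts[0].partition(":")
                return i, name, [first] + parts[1:] if colon else []
        else:
            cur += c
        i += 1
    return None
def expand(text, macros, depth=0):
    """One pass, no rescan of the output: args expanded, $N substituted, body expanded."""
    if depth > 32: return text                   # assumed guard for self-referencing macros
    out, i = "", 0
    while (j := text.find("${", i)) != -1 and (ref := _scan(text, j)):
        k, name, args = ref
        out += text[i:j]
        if name in macros:
            args = [expand(a, macros, depth + 1) for a in args]
            body = re.sub(r"\$(\d+)", lambda m: args[int(m.group(1)) - 1]
                          if 0 < int(m.group(1)) <= len(args) else m.group(0), macros[name])
            out += expand(body, macros, depth + 1)
        else:                                    # unknown macro: leave the reference as written
            out += text[j:k + 1]
        i = k + 1
    return out + text[i:]                        # an unclosed '${' is copied through verbatim
```

Because the output is never rescanned, `${broken1};third${broken2}` comes out as a `${complete:...}` reference rather than as the body of `complete`, matching the "not too resolved" case in the post.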