Committed revision 21746.
>Is there a way to filter on a computed value without adding a field for the
>computed value? This isn't something I've ever needed to do with Wireshark
>before.
To be able to use the "normal" filters it needs to be added with proto..()
It does not have to be visible in the tree, though; it can be added with
proto_..hidden(), but this use is discouraged as no one will find the filter
:)
You can also mark an item as generated by using PROTO_ITEM_SET_GENERATED()
>Are there any dissectors that allow a list of ports to be specified in the
>prefs. that I could use as a model for the netflow prefs.?
See packet-tcap.c for the range field.
Regards
Anders
-----Original message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On behalf of Andrew Feren
Sent: 10 May 2007 23:53
To: wireshark-dev@xxxxxxxxxxxxx
Subject: [Wireshark-dev] netflow patch and questions
This patch collapses start and end time for each flow to a single duration
item. The duration item can, of course, be expanded to display the start
and end time.
This started because I needed to write a filter like the following:
(cflow.timeend - cflow.timestart) > 1800
Is there a way to filter on a computed value without adding a field for the
computed value? This isn't something I've ever needed to do with Wireshark
before.
While I was creating this patch I thought of something else I'd like to fix.
It would be nice if the netflow dissector could be configured to dissect
packets sent on a list of ports. Currently the cflow (aka netflow) prefs.
allow one port # to be changed. The netflow dissector also defines an IPFIX
port that can't be changed from prefs.
Are there any dissectors that allow a list of ports to be specified in the
prefs. that I could use as a model for the netflow prefs.?
I poked around a little, but didn't see anything obvious.
-Andrew
-Andrew Feren
acferen@xxxxxxxxx