Wireshark-dev: Re: [Wireshark-dev] colorizing sFlow

From: Andrew Feren <acferen@xxxxxxxxx>
Date: Wed, 17 Oct 2007 09:40:29 -0700 (PDT)

--- "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx> wrote:

> If you just want to clean up the colorization, why can't you simply add a
> new coloring rule for sFlow above any of the others?  The first filter that
> matches is the coloring rule that is applied.

This would clean up the colorization.  In fact this was essentially what I
proposed initially.  However, after reading responses on this list I realized
that a short-circuit colorization rule only masks the issue.  It also reduces
(eliminates) the usefulness of colorization relative to sFlow since any
details (which could have been colorized) will also be masked by the
short-circuit rule.

> And to avoid a display filter match of "ip.src == 10.1.1.1" when sFlow
> traffic is present, can't you just use this filter instead, "!sFlow &&
> ip.src == 10.1.1.1", wouldn't it?

This is really just a variation of the above.  Instead of just adding one
short-circuit rule you could add "!sFlow && " to the front of all the color
rules.

So this also works, except that...
a) I'm lazy and don't want to remember to add "!sflow" to *every* filter 
   I write.  ;-)
b) If my filter could apply to sFlow and non-sFlow packets this will mask
   the match just as with colorization.

> These suggestions won't help your other issues, but they should solve your
> coloring and display filter problems, shouldn't they?

Yes, with the above caveats.

Thanks,
-Andrew

-Andrew Feren
 acferen@xxxxxxxxx