Hi,
When your dissector sees packet A for the first time it should create a
conversation with private data carrying req_tunnel_id, req_idx and later add the
reply_tunnel_id when dissecting packet B.
That would allow you to add a req_id to all related packets, offering a field to
filter on.
For conversations see doc/README.developer in the source tree.
Thanks,
Jaap
On 06/05/2010 06:55 PM, Rohit Mediratta wrote:
The relation between packets is as follows.
1. Packet A is a request to setup a session. This packet has a unique
"request tunnel Identifier" and a "requestIndex".
2. Packet B is a reply, this packet is tunneled with the "request tunnel
Identifier" and contains a "reply tunnel Identifier"
3. Packet C is subsequent request packet which is tunneled with "reply
tunnel Identifier"
4. Packet D is a subsequent reply packet which is tunneled with "request
tunnel Identifier".
NOTE: "tunnel Identifier" are unique in a single direction only, so
there is no algorithmic correlation between the "request tunnel
Identifier" and "reply tunnel Identifier".
I am looking to generate a view for all packets which are related to the
"requestIndex".
I am open to the idea of editing the dissectors to achieve this.
Any ideas/pointers would be very useful.
thanks,
Rohit
> Date: Sat, 5 Jun 2010 12:25:55 +0200
> From: jaap.keuter@xxxxxxxxx
> To: wireshark-dev@xxxxxxxxxxxxx
> Subject: Re: [Wireshark-dev] Generation of display filter based on a
field in the pcap
>
> On 06/05/2010 11:37 AM, Rohit Mediratta wrote:
> > Hi,
> > I am trying to generate a display filter which is based on the the
value
> > of a TLV within the pcap.
> > Let me provide an example of a display filter I am trying to
generate in
> > the pcap that I have.
> >
> > 1. Packet A has a TLV with value1 and another TLV with value2.
> > 2. Packet B has a TLV with value2 and a TLV with value3.
> > 3. Packet C has a TLV with value3.
> > 4. Packet D has a TLV with value2.
> >
> > I'd like my display filter to be
> > "special_display_filter == value1"
> > When I apply this filter, I'd like all 4 packets to be displayed.
> >
> > This is, ofcourse, my view of how I can achieve this. If there is
> > another methodology to achieve my aim of displaying all packets related
> > to Packet A, then please enlighten me.
> >
> >
> > My final goal is to update the flow_graph to view all 4 packets, when I
> > select "packet flow for any packets related to Packet A". If
someone can
> > provide any pointers/hints that would be useful.
> >
> > thanks in advance,
> > Rohit
> >
>
> Hi,
>
> What's the relation between packet A, B, C and D? How do you identify
this
> relation from the packets? Your display filter now will only match
packet A.
>
> Thanks,
> Jaap
>