Wireshark-dev: Re: [Wireshark-dev] How does wireshark filter packets

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 29 Jan 2013 15:35:45 -0800
On Jan 29, 2013, at 2:10 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

> On Jan 29, 2013, at 1:39 PM, Wenfei Wu <wenfeiwu@xxxxxxxxxxx> wrote:
> 
>> I want to know how Wireshark uses the filter expression to filter packets. Does it parse the packet first, and then use the filter expression to check? If so, is there some intermediate data structure to store the filter expression? What is the algorithm?
>> Are there some materials about this?
> 
> See my reply on the tcpdump-workers mailing list.

Although that applies only to Wireshark *capture* filters.

For *display* filters, yes, Wireshark and TShark parse the packet first, turning it into a tree of named fields and unnamed "text" items.

The filter expression is compiled into a pseudo-machine code.  It is *not* the same as the BPF pseudo-machine code; it's much higher-level, in that it knows about named packet fields, not just the raw array of packet bytes that the BPF pseudo-machine uses.

See the code in the epan/dfilter directory - in particular, see dfvm.h and dfvm.c for the core of the pseudo-machine interpreter.
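The two-phase design described above (dissect the packet into named fields first, then compile the filter into a small instruction list that an interpreter runs over those fields) is easy to see in miniature. The following is an added example written for this archive page; it is a toy, not Wireshark's `epan/dfilter` code, and its field names, packet contents, instruction names and grammar (`==`, `!=`, field existence, `and`/`or`/`not`, parentheses) are all constructed for illustration.

```python
"""Toy two-phase display filter: a dissected packet is a table of named
fields, the filter text is compiled to a short instruction list, and a
tiny interpreter runs that list against the field table.  Constructed
example; it is not Wireshark's dfilter implementation."""
import re

# Constructed dissection output: field name -> every value seen in the packet.
# A field may occur more than once (tcp.port covers both ports here).
SAMPLE_PACKET = {
    "frame.len": [74],
    "eth.type": [0x0800],
    "ip.src": ["192.0.2.10"],
    "ip.dst": ["198.51.100.7"],
    "ip.proto": [6],
    "tcp.srcport": [52000],
    "tcp.dstport": [443],
    "tcp.port": [52000, 443],
    "tcp.flags.syn": [1],
}

# operators | dotted field names | literals (numbers, dotted numerics, quoted)
TOKEN_RE = re.compile(
    r'\s*(?:(\(|\)|==|!=|&&|\|\||!)|([A-Za-z_][\w.]*)|(\d[\w.:]*|"[^"]*"))')
KEYWORDS = {"and": "&&", "or": "||", "not": "!"}

def tokenize(expr):
    """Turn filter text into (kind, value) tokens; raises SyntaxError on junk."""
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise SyntaxError(f"bad token at {expr[pos:]!r}")
        op, word, lit = m.groups()
        if op:
            tokens.append(("op", op))
        elif word in KEYWORDS:
            tokens.append(("op", KEYWORDS[word]))
        elif word:
            tokens.append(("field", word))
        else:
            tokens.append(("lit", int(lit) if lit.isdigit() else lit.strip('"')))
        pos = m.end()
    return tokens

class Parser:
    """Recursive-descent parser that emits postfix instructions for the VM."""
    def __init__(self, tokens):
        self.toks, self.i, self.code = tokens, 0, []
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None, val=None):
        tok = self.peek()
        if (kind and tok[0] != kind) or (val and tok[1] != val):
            raise SyntaxError(f"expected {val or kind}, got {tok}")
        self.i += 1
        return tok
    def parse(self):
        self.expr_or()
        if self.peek()[0] is not None:
            raise SyntaxError(f"trailing tokens: {self.toks[self.i:]}")
        return self.code
    def expr_or(self):                      # or-expr := and-expr ('||' and-expr)*
        self.expr_and()
        while self.peek() == ("op", "||"):
            self.take(); self.expr_and(); self.code.append(("OR",))
    def expr_and(self):                     # and-expr := not-expr ('&&' not-expr)*
        self.expr_not()
        while self.peek() == ("op", "&&"):
            self.take(); self.expr_not(); self.code.append(("AND",))
    def expr_not(self):                     # not-expr := '!' not-expr | primary
        if self.peek() == ("op", "!"):
            self.take(); self.expr_not(); self.code.append(("NOT",))
        else:
            self.primary()
    def primary(self):                      # '(' or-expr ')' | field [('=='|'!=') lit]
        kind, val = self.peek()
        if (kind, val) == ("op", "("):
            self.take(); self.expr_or(); self.take("op", ")")
        elif kind == "field":
            self.take()
            nk, nv = self.peek()
            if nk == "op" and nv in ("==", "!="):
                self.take()
                lit = self.take("lit")[1]
                # '==' is true if ANY occurrence of the field matches;
                # this toy compiles '!=' as NOT(ANY_EQ), i.e. no occurrence matches.
                self.code.append(("ANY_EQ", val, lit))
                if nv == "!=":
                    self.code.append(("NOT",))
            else:
                self.code.append(("EXISTS", val))   # bare field name: presence test
        else:
            raise SyntaxError(f"unexpected token {kind} {val!r}")

def compile_filter(expr):
    return Parser(tokenize(expr)).parse()

def run(code, packet):
    """Stack interpreter for the compiled filter; works on field names, never raw bytes."""
    stack = []
    for ins in code:
        op = ins[0]
        if op == "EXISTS":
            stack.append(ins[1] in packet)
        elif op == "ANY_EQ":
            stack.append(any(v == ins[2] for v in packet.get(ins[1], [])))
        elif op == "NOT":
            stack.append(not stack.pop())
        else:                                # AND / OR
            b, a = stack.pop(), stack.pop()
            stack.append((a and b) if op == "AND" else (a or b))
    (result,) = stack                        # a well-formed program leaves exactly one value
    return result

def matches(expr, packet=SAMPLE_PACKET):
    return run(compile_filter(expr), packet)

if __name__ == "__main__":
    for f in ["tcp.port == 443", "tcp.port != 443", "udp or (tcp.flags.syn and ip.proto == 6)"]:
        print(f"{f!r:50} -> {compile_filter(f)} -> {matches(f)}")
```

The point to notice is that the compiled program never touches packet bytes: every instruction refers to a named field produced by dissection, which is why it is a higher-level machine than BPF. The `ANY_EQ` instruction also makes visible the multi-valued-field behaviour that trips people up: because `tcp.port` carries both ports, `tcp.port != 443` here is compiled as "no occurrence equals 443" and is therefore false for this packet.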