Wireshark · Wireshark-dev: Re: [Wireshark-dev] [Wireshark-commits] rev 51742: /trunk/epan/dissectors/ /trunk/epan/dissectors/:

Wireshark-dev: Re: [Wireshark-dev] [Wireshark-commits] rev 51742: /trunk/epan/dissectors/ /trun

Date: Wed, 4 Sep 2013 06:54:42 -0400

On 2013-09-04, at 2:01 AM, Joerg Mayer <jmayer@xxxxxxxxx> wrote:

> On Tue, Sep 03, 2013 at 03:30:44PM -0700, Guy Harris wrote:
>> 
>> On Sep 3, 2013, at 2:20 PM, cmaynard@xxxxxxxxxxxxx wrote:
>> 
>>> http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=rev&revision=51742
>>> 
>>> User: cmaynard
>>> Date: 2013/09/03 02:20 PM
>>> 
>>> Log:
>>> Similar to the IPv4 dissector's hf_ip_dst_host, hf_ip_src_host and hf_ip_host fields, add to the Ethernet dissector:
>>> 
>>> hf_eth_dst_resolved
>>> hf_eth_src_resolved
>>> hf_eth_addr_resolved
>> 
>> Would it make sense to allow address types (FT_IPv4, FT_IPv6, FT_ETHER, etc.) to be treated either as strings representing the host name *or* as IP/MAC/etc. addresses, with the context indicating which is used?
> 
> This sounds right - it would remove the generated/hidden fields and a separate
> filter name to remember.
> 
>> E.g.
>> 
>>    ip.src == 127.0.0.1
>> 
>> would test the "IP address" version of the value, whereas
>> 
>>    ip.src contains "local"
>> 
>> would test the "host name" version of the value?
>> 
>>    ip.src == localhost
>> 
>> is perhaps ambiguous (depending on whether you consider localhost a string or not), but I'd handle that one as an address comparison.
>> 
>>    ip.src contains 7f:00
>> 
>> would probably test the "IP address" version (byte string vs. character string).
> 
> To make this unambigous, how about doing namecomparison first if the value is
> in '"', while doing nameresolution first if without '"'?

If I recall correctly the dfilter syntax already supports function notation. How about just adding a resolve(field) function that produces the name for comparison, otherwise it uses the address?

> ciao
>      Jörg
> 
> -- 
> Joerg Mayer                                           <jmayer@xxxxxxxxx>
> We are stuck with technology when what we really want is just stuff that
> works. Some say that should read Microsoft instead of technology.
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

Follow-Ups:
- Re: [Wireshark-dev] [Wireshark-commits] rev 51742: /trunk/epan/dissectors/ /trunk/epan/dissectors/: packet-eth.c packet-ieee80211.c
  - From: Maynard, Chris

References:
- Re: [Wireshark-dev] [Wireshark-commits] rev 51742: /trunk/epan/dissectors/ /trunk/epan/dissectors/: packet-eth.c packet-ieee80211.c
  - From: Guy Harris
- Re: [Wireshark-dev] [Wireshark-commits] rev 51742: /trunk/epan/dissectors/ /trunk/epan/dissectors/: packet-eth.c packet-ieee80211.c
  - From: Joerg Mayer

Prev by Date: Re: [Wireshark-dev] [Wireshark-commits] rev 51742: /trunk/epan/dissectors/ /trunk/epan/dissectors/: packet-eth.c packet-ieee80211.c
Next by Date: Re: [Wireshark-dev] [Wireshark-commits] rev 51742: /trunk/epan/dissectors/ /trunk/epan/dissectors/: packet-eth.c packet-ieee80211.c
Previous by thread: Re: [Wireshark-dev] [Wireshark-commits] rev 51742: /trunk/epan/dissectors/ /trunk/epan/dissectors/: packet-eth.c packet-ieee80211.c
Next by thread: Re: [Wireshark-dev] [Wireshark-commits] rev 51742: /trunk/epan/dissectors/ /trunk/epan/dissectors/: packet-eth.c packet-ieee80211.c
Index(es):
- Date
- Thread