Wireshark-dev: Re: [Wireshark-dev] Regarding display filter- how to redesign code to incorporat

From: Ateeth Kumar Thirukkovulur <athirukkovulur@xxxxxx>
Date: Sun, 20 Apr 2014 19:40:41 -0500
Yes, that's what I was looking for. Thank you.

Well, I am interested in using newly created expressions to filter packets that are related. Indirectly, what I want is end-to-end host filtering (not based on protocols).

Also, for example:
Suppose there is an ARP reply from a given host address. I also want Wireshark to display the ARP request of that host only. So what I am saying is that Wireshark should display only the ARP reply and the ARP request of the particular host. It shouldn't display the previous ARP packets from that host. Maybe like the last 2 packets - ARP reply and ARP request, so that those 2 packets can be monitored in detail.

Ateeth Kumar Thirukkovulur
Research Assistant
College of Technology
UH ID:1267190
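What is being asked for above needs state kept across packets (the reply has to be matched with the request it answers), which is a different job from evaluating a filter expression against a single packet. The following is an added example written for this page, not code from the thread or from Wireshark: it walks a constructed list of ARP records and selects, for one host, the most recent reply sent by that host together with the request it answers. The arp_pkt fields are hypothetical stand-ins for the corresponding Wireshark fields (arp.opcode, arp.src.proto_ipv4, arp.dst.proto_ipv4).

```c
/* Hypothetical stand-alone example (not Wireshark code): pick out, for one
 * host, only its most recent ARP reply and the ARP request that it answers.
 * The pairing needs state across packets, so it is computed over the whole
 * capture rather than from the fields of a single packet. */
#include <stdio.h>
#include <string.h>

struct arp_pkt {
    unsigned frame;        /* frame number in the capture */
    int opcode;            /* 1 = request, 2 = reply (cf. arp.opcode) */
    const char *sender_ip; /* cf. arp.src.proto_ipv4 */
    const char *target_ip; /* cf. arp.dst.proto_ipv4 */
};

/* Constructed sample capture: two answered exchanges with 10.0.0.2, one
 * unrelated request and one request to 10.0.0.2 that was never answered. */
static const struct arp_pkt sample[] = {
    {1, 1, "10.0.0.1", "10.0.0.2"},
    {2, 2, "10.0.0.2", "10.0.0.1"},
    {3, 1, "10.0.0.3", "10.0.0.2"},
    {4, 1, "10.0.0.1", "10.0.0.5"},
    {5, 2, "10.0.0.2", "10.0.0.3"},
    {6, 1, "10.0.0.1", "10.0.0.2"},
};
#define SAMPLE_N (sizeof sample / sizeof sample[0])

/* Returns 1 and fills out[0] (request frame) and out[1] (reply frame) when
 * host has sent a reply that answers an earlier request; otherwise 0. */
int last_arp_exchange(const struct arp_pkt *pkts, size_t n, const char *host, unsigned out[2]) {
    size_t i = n;
    /* walk backwards: find the most recent reply sent by host ... */
    while (i-- > 0) {
        if (pkts[i].opcode != 2 || strcmp(pkts[i].sender_ip, host) != 0) continue;
        const char *asker = pkts[i].target_ip;
        size_t j = i;
        /* ... then the latest request for host from the same asker before it */
        while (j-- > 0) {
            if (pkts[j].opcode == 1 && strcmp(pkts[j].target_ip, host) == 0 &&
                strcmp(pkts[j].sender_ip, asker) == 0) {
                out[0] = pkts[j].frame;
                out[1] = pkts[i].frame;
                return 1;
            }
        }
        return 0; /* a reply with no matching request in the capture */
    }
    return 0;
}

/* Convenience wrappers over the constructed capture; 0 means no exchange found. */
unsigned sample_request_frame(const char *host) {
    unsigned out[2];
    return last_arp_exchange(sample, SAMPLE_N, host, out) ? out[0] : 0;
}
unsigned sample_reply_frame(const char *host) {
    unsigned out[2];
    return last_arp_exchange(sample, SAMPLE_N, host, out) ? out[1] : 0;
}

int main(void) {
    const char *host = "10.0.0.2";
    if (sample_request_frame(host))
        printf("display frames %u (request) and %u (reply) for %s\n",
               sample_request_frame(host), sample_reply_frame(host), host);
    else
        printf("no completed ARP exchange for %s\n", host);
    return 0;
}
```

Run on the constructed capture, the selection for 10.0.0.2 is frames 3 and 5: frame 6 is a later request but has no reply, and frames 1 and 2 are the earlier exchange that is deliberately left out.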

On Sat, Apr 19, 2014 at 2:12 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

On Apr 19, 2014, at 11:58 AM, Ateeth Kumar Thirukkovulur <athirukkovulur@xxxxxx> wrote:

> Not exactly.
>
> Suppose I want to include a NOT operator in the display filter. Say "! tcp". Which code must I change? I know it already exists. Where do I include the symbols and expressions for newly added terms?
>
> Do you get what I am saying?

No, not really.

If you mean "how do I support new operators in packet-matching expressions", you'd:

        change epan/dfilter/scanner.l to add the new operator as a lexical-analyzer token;

        change epan/dfilter/grammar.lemon to handle that token as part of the grammar, translating it into new "instructions" in the "display filter virtual machine";

        change epan/dfilter/dfvm.c to support those new "instructions".

If you mean "how do I support some particular *type* of new operators", you'd need to tell us what those new operators are and what semantics they have, so we can indicate what *particular* changes would be needed to those files.
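The three-layer change described above (a token in scanner.l, a grammar rule in grammar.lemon, an instruction in dfvm.c) is easier to picture with a toy version of the same pipeline. The following is an added example written for this page, not Wireshark's code: its lexer, parser and stack VM are hypothetical stand-ins for the real files, a packet is modelled as the list of protocol names found in it, and only the boolean operators (!, &&, || and their keyword spellings) are implemented.

```c
/* Hypothetical stand-alone toy (not Wireshark code) with the three layers named
 * above: a lexer (the role of scanner.l), a parser emitting VM "instructions"
 * (grammar.lemon) and a stack machine running them per packet (dfvm.c).
 * Only !/not, &&/and, ||/or, parentheses and bare protocol names are handled. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum tok { T_END, T_NOT, T_AND, T_OR, T_LPAREN, T_RPAREN, T_PROTO, T_ERR };
struct lexer { const char *p; enum tok cur; char name[32]; };

/* lexer: advance to the next token of the filter text */
static void lex_next(struct lexer *lx) {
    static const char *sym[] = { "!", "(", ")", "&&", "||", "not", "and", "or" };
    static const enum tok symtok[] = { T_NOT, T_LPAREN, T_RPAREN, T_AND, T_OR, T_NOT, T_AND, T_OR };
    size_t n = 0;
    while (isspace((unsigned char)*lx->p)) lx->p++;
    if (*lx->p == '\0') { lx->cur = T_END; return; }
    while (n < sizeof lx->name - 1 && (isalnum((unsigned char)lx->p[n]) || lx->p[n] == '.'))
        lx->name[n] = lx->p[n], n++;
    lx->name[n] = '\0';
    for (size_t i = 0; i < sizeof sym / sizeof sym[0]; i++) {
        size_t len = strlen(sym[i]);
        /* punctuation matches as a prefix; keyword operators must be a whole word */
        int hit = isalpha((unsigned char)sym[i][0]) ? strcmp(lx->name, sym[i]) == 0
                                                    : strncmp(lx->p, sym[i], len) == 0;
        if (hit) { lx->p += len; lx->cur = symtok[i]; return; }
    }
    if (n > 0) { lx->p += n; lx->cur = T_PROTO; return; }
    lx->cur = T_ERR; /* anything else is a lexical error */
}

enum op { OP_PROTO, OP_NOT, OP_AND, OP_OR }; /* toy VM instruction set */
struct insn { enum op op; char proto[32]; };
struct program { struct insn code[64]; int n; };

static int emit(struct program *pg, enum op op, const char *proto) {
    if (pg->n >= 64) return 0;
    pg->code[pg->n].op = op;
    snprintf(pg->code[pg->n++].proto, sizeof pg->code[0].proto, "%s", proto);
    return 1;
}

/* parser: recursive descent, precedence not > and > or, emitting postfix code */
static int parse_or(struct lexer *lx, struct program *pg);
static int parse_primary(struct lexer *lx, struct program *pg) {
    int ok;
    switch (lx->cur) {
    case T_NOT:    lex_next(lx); return parse_primary(lx, pg) && emit(pg, OP_NOT, "");
    case T_LPAREN: lex_next(lx); ok = parse_or(lx, pg) && lx->cur == T_RPAREN;
                   if (ok) lex_next(lx);
                   return ok;
    case T_PROTO:  ok = emit(pg, OP_PROTO, lx->name); lex_next(lx); return ok;
    default:       return 0; /* syntax error */
    }
}
static int parse_binary(struct lexer *lx, struct program *pg, enum tok t, enum op o,
                        int (*sub)(struct lexer *, struct program *)) {
    if (!sub(lx, pg)) return 0;
    while (lx->cur == t) { lex_next(lx); if (!sub(lx, pg) || !emit(pg, o, "")) return 0; }
    return 1;
}
static int parse_and(struct lexer *lx, struct program *pg) { return parse_binary(lx, pg, T_AND, OP_AND, parse_primary); }
static int parse_or(struct lexer *lx, struct program *pg) { return parse_binary(lx, pg, T_OR, OP_OR, parse_and); }

/* compile filter text into pg; returns 0 on a lexical or syntax error */
int compile_filter(const char *text, struct program *pg) {
    struct lexer lx = { text, T_END, "" };
    pg->n = 0;
    lex_next(&lx);
    return parse_or(&lx, pg) && lx.cur == T_END;
}

/* VM: a packet is modelled as the space-separated list of protocols dissected in it */
static int has_proto(const char *layers, const char *proto) {
    size_t len = strlen(proto);
    for (const char *s = layers; (s = strstr(s, proto)) != NULL; s += len)
        if ((s == layers || s[-1] == ' ') && (s[len] == '\0' || s[len] == ' ')) return 1;
    return 0;
}
int run_filter(const struct program *pg, const char *layers) {
    int stack[64], sp = 0;
    for (int i = 0; i < pg->n; i++) {
        const struct insn *in = &pg->code[i];
        switch (in->op) {
        case OP_PROTO: stack[sp++] = has_proto(layers, in->proto); break;
        case OP_NOT:   stack[sp - 1] = !stack[sp - 1]; break;
        case OP_AND:   sp--; stack[sp - 1] = stack[sp - 1] && stack[sp]; break;
        case OP_OR:    sp--; stack[sp - 1] = stack[sp - 1] || stack[sp]; break;
        }
    }
    return sp == 1 ? stack[0] : 0;
}
/* 1 if the packet matches, 0 if not, -1 if the filter does not compile */
int match_filter(const char *text, const char *layers) {
    struct program pg;
    return compile_filter(text, &pg) ? run_filter(&pg, layers) : -1;
}
```

Adding an operator to the toy takes the same three edits listed above: a new entry in the lexer's token table, a parser rule that emits a new op, and a case for that op in run_filter. The compiled program for "arp || (ip && not udp)" is PROTO arp, PROTO ip, PROTO udp, NOT, AND, OR, which is what the stack machine then evaluates for each packet.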