Wireshark-users: Re: [Wireshark-users] Betr: custom columns?

From: "Luis EG Ontanon" <luis@xxxxxxxxxxx>
Date: Tue, 12 Aug 2008 23:14:42 +0200
I have been thinking for a long time about implementing the "/" (over) operator:

"y/x" meaning "y when preceded by x in the frame".

E.g.:

Take a frame made of ETH|IP|UDP|TunProt|IP|ICMP|UDP

"ip/tunprot" would read "ip over tunprot" and would be equivalent to
"ip" if only the last ip header was there so that "ip.src/tunprot"
would be just that one "ip.src" not any of those in the tree.

"udp.port/icmp" (or "udp.port/tunprot") is that of the udp header
after icmp (and tunprot), not the one before.

"udp.port/ip" would be redundant (i.e. as it works now).


Any comments?


On Tue, Aug 12, 2008 at 8:34 PM, Marlon Duksa <mduksa@xxxxxxxxx> wrote:
> ok Thanks.
> Just a suggestion if the development community reads this at all.
> It would be very useful (at least to me), to have this functionality in the
> form of the filter where you can specify the instance as well:
>
> For example:
> header.field.inst   or
> eth.src.x - where 'x' would be the instance number of the ethernet header in
> the frame.
> Thanks again.
> Marlon
>
> On Tue, Aug 12, 2008 at 11:04 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>>
>> On Aug 12, 2008, at 9:46 AM, Marlon Duksa wrote:
>>
>> > Hi Joan - this is good and it solves my problem partially. It looks
>> > like that if I do it this way, and if I have repeating headers in my
>> > frames, that the filter will always pick up the last one (the
>> > deepest header in the frame). Do you know if I can specify which
>> > header I want to filter on?
>>
>> No, you can't, unfortunately.
>> _______________________________________________
>> Wireshark-users mailing list
>> Wireshark-users@xxxxxxxxxxxxx
>> https://wireshark.org/mailman/listinfo/wireshark-users



-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
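
The "/" (over) semantics proposed in the message above, modelled in Python as an added example: this is not Wireshark code, and the operator exists only as a proposal in this thread. The frame model, the `select` function and all field values are constructed for illustration; layer names follow the example frame in the message.

```python
# Toy model of the proposed "y/x" (over) operator. Not Wireshark code.
# Constructed frame: ETH|IP|UDP|TunProt|IP|ICMP|UDP, outermost layer first.
# Field values are constructed; each layer carries one sample field at most.
FRAME = [
    ("eth", {"eth.src": "00:00:5e:00:53:01"}),
    ("ip", {"ip.src": "192.0.2.1"}),
    ("udp", {"udp.port": 4000}),
    ("tunprot", {}),
    ("ip", {"ip.src": "198.51.100.7"}),
    ("icmp", {"icmp.type": 3}),
    ("udp", {"udp.port": 53}),
]


def select(expr, frame):
    """Evaluate "y" or "y/x" against an ordered list of (protocol, fields).

    "y/x" keeps only the instances of y that come after the first x in the
    frame ("y when preceded by x"). Plain "y" returns every instance.
    A field name yields its values; a bare protocol name (e.g. "ip")
    yields the layer index of each matching header.
    """
    target, _, over = expr.partition("/")
    if "/" in over:
        raise ValueError("only a single '/' is modelled here")
    start = 0
    if over:
        positions = [i for i, (proto, _) in enumerate(frame) if proto == over]
        if not positions:
            return []  # x is absent, so nothing is "over" it
        start = positions[0] + 1
    hits = []
    for i in range(start, len(frame)):
        proto, fields = frame[i]
        if target == proto:
            hits.append(i)
        elif target in fields:
            hits.append(fields[target])
    return hits


if __name__ == "__main__":
    for e in ("ip.src", "ip.src/tunprot", "udp.port/icmp", "udp.port/ip"):
        print(e, "->", select(e, FRAME))
```
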