On Sat, May 29, 1999 at 09:52:56PM -0500, Guy Harris wrote:
>
> One possibility might be the Network Monitor-ish scheme I've mentioned,
> where *all* the decoding is done, purely sequentially, when the capture
> is read in, with a list of "property instances" being attached to the
> frame for all of the fields in the frame, and with the detailed display
> being constructed from the list of "property instances" for a frame when
> the frame is clicked on.
I am currently working on an initial implementation of this. For now,
I'm only decoding the frame into a list of properties when the user
clicks on the frame. However, it could be modified to decode all packets
sequentially.
>
> 2) the ability to have a display filter that can select "all NFS
> requests with a file handle of XXX" or "all SMB OPEN requests
> with a pathname of YYY" (although that could also be done by
> having the dissection code capable of being asked to check,
> for fields it decodes, for specific values, and have "search
> for a packet that matches this filter" or "show me only packets
> that match this filter" operations run sequentially through
> the file dissecting each frame with the "check for a match"
> option).
This is why I'm doing the implementation. I figured it would be much
easier to write powerful display filters in ethereal, since all the
decoding logic is there, instead of using BPF filters in wiretap.
--gilbert
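
The scheme discussed in this thread, as an added example that is not part of the original message and not Ethereal's code: a frame is decoded once into a list of property instances, and a display-filter test of the form "field == value" is then answered from that list alone. The field names, struct layout, function names and sample frame are assumptions made for this sketch; only Ethernet II and fixed IPv4 header fields are decoded.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_PROPS 8

/* One decoded field ("property instance"): name, location in the frame, value. */
struct prop { const char *name; size_t off, len; uint32_t value; };
struct prop_list { struct prop p[MAX_PROPS]; size_t n; };

/* Constructed sample: Ethernet II + IPv4 header, UDP, 192.0.2.1 -> 192.0.2.2. */
static const uint8_t sample_frame[34] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00,
    0x45,0x00,0x00,0x14, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    192,0,2,1, 192,0,2,2 };

/* Append a big-endian field, refusing anything outside the captured bytes. */
static int add(struct prop_list *pl, const char *name,
               const uint8_t *f, size_t flen, size_t off, size_t len) {
    uint32_t v = 0;
    if (pl->n == MAX_PROPS || len > 4 || off > flen || len > flen - off) return 0;
    for (size_t i = 0; i < len; i++) v = (v << 8) | f[off + i];
    pl->p[pl->n++] = (struct prop){ name, off, len, v };
    return 1;
}

/* Decode once, sequentially; returns the number of properties recorded. */
size_t dissect(const uint8_t *f, size_t flen, struct prop_list *pl) {
    pl->n = 0;
    if (!add(pl, "eth.type", f, flen, 12, 2) || pl->p[0].value != 0x0800)
        return pl->n;                       /* truncated, or not IPv4 */
    if (add(pl, "ip.proto", f, flen, 23, 1) && add(pl, "ip.src", f, flen, 26, 4))
        add(pl, "ip.dst", f, flen, 30, 4);
    return pl->n;
}

/* Display-filter test "name == value", answered from the list alone. */
int match(const struct prop_list *pl, const char *name, uint32_t value) {
    for (size_t i = 0; i < pl->n; i++)
        if (strcmp(pl->p[i].name, name) == 0 && pl->p[i].value == value)
            return 1;
    return 0;
}

int main(void) {
    struct prop_list pl;
    dissect(sample_frame, sizeof sample_frame, &pl);
    return match(&pl, "ip.src", 0xC0000201u) ? 0 : 1;
}
```

Because each property keeps its offset and length, the same list could also drive the detailed display for a selected frame; a truncated capture simply yields a shorter list instead of an out-of-bounds read.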