Wireshark · Ethereal-dev: Re: [ethereal-dev] DIsplay of flags in packet pane

Ethereal-dev: Re: [ethereal-dev] DIsplay of flags in packet pane

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gilbert Ramirez <gram@xxxxxxxxxx>

Date: Tue, 11 Apr 2000 17:29:49 -0500

On Tue, Apr 11, 2000 at 04:52:57PM -0500, Ben Fowler wrote:
> 
> 
> I have followed the discussion about a possible bug/feature in
> the display in ethereal 0.8.6/0.8.7 with considerable interest,
> but I still feel that there is a case for looking at how flags are
> displayed in greater depth.
> 
> At present, it seems that ethereal regards each and every flag
> as a single stand alone boolean which is on or off (having appropriate
> labels in a TRUE/FALSE structure) and displayed left justified.

Correct. This was to make it easy to filter on an individual flag
value. For example, "tcp.flags.ack" or "tcp.flags.urg"
 
> This is despite the fact that throughout the code we have comments
> in the form 'FLAGS field' recognising that flags come in bunches,
> and programmers are quite used to hardware concepts such as a
> FLAGS Word, Half-Word or Byte.
> 
> For my part, I would like flags to be displayed concisely in their
> location within a flags field, videlicet:
> 
>        Header Flags
>        c... .GTr
>        .000 1... = PDU Type: Invoke
>        .... .11. = Trailer flags: Packet re-assembly not supported
> 
> in which
>        bit 0 is a flag C = Continuation present, c = continuation absent
>        bits 1-4 are a bit field holding the type of the packet
>        bit 5 is the Group Trailer [G/g] flag
>        bit 6 is the Transmission Trailer [T/t] flag
>        bit 7 is the Re-transmission indicator [R/r]
> 
> Note that bits 5 and 6 have a special meaning when both are set, that
> the implementation does not support packet fragmentation/re-assembly
> at all, and these bits are available for interpretation as bit field.
> 
> If I were to submit a patch implementing a type FT_FLAGS_BYTE, would
> this be accepted. It would be in competition with the existing FT_BOOLEAN
> type but would not supplant it.

(if it works and is useful, sure!)

How would one filter on an individual flag within an FT_FLAGS_BYTE value?
Would the display filter rely on the bit operations that will be available
in a future display filter syntax? Like:

	tcp.flags & 0x08 == 1

instead of:

	tcp.flags.push

Or would the adding an FT_FLAGS_BYTE value also automatically add all
the children FT_BOOLEAN or FT_UINT* values as well?

--gilbert

Follow-Ups:
- Re: [ethereal-dev] DIsplay of flags in packet pane
  - From: Ben Fowler

Prev by Date: Re: [ethereal-dev] DIsplay of flags in packet pane
Next by Date: [ethereal-dev] Targets dependent on proto.h
Previous by thread: Re: [ethereal-dev] DIsplay of flags in packet pane
Next by thread: Re: [ethereal-dev] DIsplay of flags in packet pane
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$