John McDermott wrote:
|Given a value V, i want to filter out all messages where the
|parameter A == V.
|That is quite easy.
|
|But I also want to filter out all messages where the parameter
|B is equal
|to any of the B-parameters found in the messages filtered out
|by the filter A == x.
So you want to do:
1. set_1 = { all packets for which A == V )
2. set_2 = { all distinct B values from set_1 }
|Is it possible to adapt the ethereal code to implement such a
|filtering mechanism?
Mmh... I see one possibility, which implies a considerable rewrite of the
display filter language, or the addition of a new filter/expression
language
that does not necessarily yield matching packets. Maybe we can provide a
SQLish language for this purpose? Additionally, we'll need an output
"console" as the result will not necessarily be a packet list.
It seems to me that the issue is "state". I do not know of any ethereal
filters that can be based on the values of previous packets, per se. In
fact, I think the filtering is totally stateless.
You can make it stateful by making a dissector or a tap saving the
necessary information e.g. in a permanent available memory chunk. You
can then later use the information.
There are some dissectors providing a service response time for specific
protocols. This is done statefully. You can even set a display filter
for a service response time.
Regards,
Lars
