Wireshark-bugs: [Wireshark-bugs] [Bug 6718] Wiretap API needs to handle pcap-NG ISB blocks
Date: Mon, 5 Mar 2012 11:56:52 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6718

--- Comment #9 from Anders Broman <anders.broman@xxxxxxxxxxxx> 2012-03-05 11:56:52 PST ---
(In reply to comment #8)
> (In reply to comment #7)
> > (In reply to comment #6)
> > > (In reply to comment #5)
> > > > Status update as of rev41328:
> > > > 
> > > > Steps:
> > > >  1) cd ~/sandbox/wireshark-1.7.1-SVN-41328
> > > >  2) ./dumpcap -i p132p1 -f tcp -i lo -i p3p1 -f udp -c 1 -w rev41328.pcapng
> > > >  3) ./tshark -r rev41328.pcapng -w n.pcapng
> > > >     or
> > > >     ./editcap -T ether rev41328.pcapng n.pcapng
> > > > 
> > > > Result (n.pcapng)
> ...
> > > >  * the IDB if_filter option is being dropped
> ...
> > if_filter should survive reading and writing by dumpcap/wireshark as of 41352
> > note that if_filter is not a string "..The first byte of the Option Data keeps
> > a code of the filter used..." dumpcap/wireshark treated it as a string the ntar
> > library might as well...
> 
> Anders,
> 
> Thanks for the update. 
> 
> Still regarding the if_filter option: should we allow this option to be
> repeated?  I'm asking this because I think it should be a good idea to also
> store the wireshark's display filters.
> 
>   tshark -R "<display filter here>" -r in.pcapng -w out.pcapng
> 
> Would it make sense to allow n display filters (keep the ones in the source
> file and add the new one to the output file) ?
> 
>   tshark -R "<second display filter here>" -r out.pcapng -w out2.pcapng
> 
> Note: The display filter needs to be registered ( 0 = libpcap filter string, 1
> = libpcap byte code, 2 = wireshark display filter string ? )
> 
> /jpo

There is a thread just started on this subject on the developers mailing list.
I would propose a new option "shb_ws_display_filter" Wireshark display filter
string. Can occur multiple times.

One could then build a GUI item with a list of the filters, which can be
selected and applied. Possibly there should also be
"shb_ws_display_filter_comment" coupled to the display filter where one could
describe the filter.

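An added example, not part of the original thread or of Wireshark's code: a small parser for a pcap-NG options area that decodes if_filter with its leading filter-type byte, next to the naive "treat it as a string" reading discussed above. The option code 11 for if_filter and the TLV layout with 32-bit padding follow the pcap-NG draft; the helper names and the sample bytes are constructed for illustration, and the type codes are the ones listed in the quoted comment.

```python
import struct

OPT_ENDOFOPT = 0
IF_NAME = 2
IF_FILTER = 11  # if_filter option code in an Interface Description Block

# Filter-type codes as listed in the quoted comment; code 2 is only proposed there.
FILTER_KINDS = {0: "libpcap filter string", 1: "libpcap byte code"}


def build_option(code, value, endian="<"):
    """Encode one option: code, length, value, zero padding to 32 bits."""
    pad = (-len(value)) % 4
    return struct.pack(endian + "HH", code, len(value)) + value + b"\x00" * pad


def parse_options(buf, endian="<"):
    """Return [(code, value)] from an options area, stopping at opt_endofopt."""
    out, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from(endian + "HH", buf, off)
        off += 4
        if code == OPT_ENDOFOPT:
            break
        if off + length > len(buf):
            raise ValueError("option length runs past end of block")
        out.append((code, buf[off:off + length]))
        off += length + (-length) % 4  # skip value plus padding
    return out


def decode_if_filter(value):
    """Split if_filter into (filter kind, payload); byte 0 is the type code."""
    if not value:
        raise ValueError("empty if_filter option")
    kind = FILTER_KINDS.get(value[0], "unknown (%d)" % value[0])
    if value[0] == 0:
        return kind, value[1:].decode("utf-8", errors="replace")
    return kind, value[1:]  # byte code and unknown kinds stay raw bytes


def naive_if_filter(value):
    """The string-only reading: the type byte leaks into the filter text."""
    return value.decode("utf-8", errors="replace")


# Constructed sample: if_name "lo", if_filter type 0 with "tcp", end of options.
SAMPLE = (build_option(IF_NAME, b"lo")
          + build_option(IF_FILTER, b"\x00tcp")
          + build_option(OPT_ENDOFOPT, b""))
```

On the sample, the naive reading yields a filter string that starts with a NUL byte, which is the kind of mismatch that makes an option appear dropped or corrupted after a read/write round trip.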