Wireshark-bugs: [Wireshark-bugs] [Bug 7728] Apply as Filter on ieee 802.11 packets gets the filt
Date: Tue, 23 Oct 2012 18:52:36 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7728

--- Comment #14 from Evan Huus <eapache@xxxxxxxxx> 2012-10-23 18:52:35 PDT ---
(In reply to comment #10)
> But! I pointed out some places where ->subtype is not used, and I still want
> some confirmation; it can also be like:
>   "Yes it should be, but I haven't got time to check all use of CMP_ADDRESS/...
> and I didn't want to break things"

Ya, there are a lot of different places that will need to be fixed; I just
don't want to do it until we settle on a solution.

(In reply to comment #12)
> As for AT_ETHER_xxx as types:
> 
> AT_ETHER is actually the wrong name - the right name would be AT_MAC48 (or
> AT_MAC_48, along with AT_EUI_64, as both "MAC-48" and "EUI-64" have hyphens in
> the IEEE pages I've seen, but I digress...).
> 
> I.e., AT_ETHER doesn't mean "this is an Ethernet address", it means "this is a
> MAC-48 address", so I don't see Ethernet, Token Ring, FDDI, 802.11, etc.
> needing separate AT_ values.

Interesting, I was going to ask about that.

(In reply to comment #13)
> ...then again, maybe there should be a way of saying "show me all packets
> {from,to} MAC-48 address XX:XX:XX:XX:XX:XX, *regardless* of whether they're
> Ethernet or Token Ring or FDDI or 802.1 or... packets".

I agree. Perhaps this should be done as the ability to filter on type, i.e. "show
me all packets that have a field of FT_ETHER with the following value"? You
wouldn't get the ability to filter on to/from, but I think it would be a lot
less intrusive to implement.

> If, for example, you could say "link host XX:XX:XX:XX:XX:XX" in a display
> filter, and have it match all packets where the dl_src or dl_dst at any level
> matches that value, and have "apply as filter" use that, that would also work
> (and let people used to libpcap filters use them...).
> 
> For network-layer addresses, that'd also let you do "host foo.example.com" and,
> if "foo.example.com" has both IPv4 and IPv6 addresses, have it match either
> one.

This would make it quite a bit more complicated, I think.
