Wireshark-dev: [Wireshark-dev] Should I create virtual fields for use in display filters
I would like to give users of my dissector a quick and easy way to find any
packets that have been sent which are not of the expected size. To me, as a
newbie, the obvious way to do this would be to allow them to filter packets
based on expected and actual packet sizes.
To do that I think I need fields for the "actual" and "expected" packet
size.
The packets in my protocol do not contain a field for the "expected" size,
though it can be deduced from the message type.
The "actual" size could be obtained from tvb_length(tvb).
Should I create fields for the "actual" and "expected" sizes even though
these fields don't actually exist in the data?
If I do, what should I get Wireshark to highlight? E.g. for the "expected"
size, should Wireshark highlight the data in the header showing the message
type?
Is there a more correct/better way of achieving what I want? For example, is
there already some way to filter on "actual" packet size without the need
for me to create a field?
Regards
Hal