Hello,
I've created a small patch that will allow ip.addr to match on arp
requests/replies as well as the previous stuff. It comes quite handy
but as this kind of thing is a bit unusual I thought I'd ask first.
There is precedence for matching on another dissector's fields with
ipv6 matching on ipv4's version field.
Ciao
Jörg
--
Joerg Mayer <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
Index: packet-arp.c
===================================================================
--- packet-arp.c (revision 35964)
+++ packet-arp.c (working copy)
@@ -68,6 +68,7 @@
static int hf_arp_duplicate_ip_address = -1;
static int hf_arp_duplicate_ip_address_earlier_frame = -1;
static int hf_arp_duplicate_ip_address_seconds_since_earlier_frame = -1;
+static int hf_ip_addr = -1;
static int hf_atmarp_src_atm_num_e164 = -1;
static int hf_atmarp_src_atm_num_nsap = -1;
@@ -1086,6 +1087,8 @@
hf_arp_src_proto_ipv4 :
hf_arp_src_proto,
tvb, spa_offset, ar_pln, FALSE);
+ item = proto_tree_add_item(arp_tree, hf_ip_addr, tvb, spa_offset, 4, FALSE);
+ PROTO_ITEM_SET_HIDDEN(item);
}
if (ar_hln != 0) {
proto_tree_add_item(arp_tree,
@@ -1100,6 +1103,8 @@
hf_arp_dst_proto_ipv4 :
hf_arp_dst_proto,
tvb, tpa_offset, ar_pln, FALSE);
+ item = proto_tree_add_item(arp_tree, hf_ip_addr, tvb, tpa_offset, 4, FALSE);
+ PROTO_ITEM_SET_HIDDEN(item);
}
}
@@ -1295,6 +1300,12 @@
FT_UINT32, BASE_DEC, NULL, 0x0,
NULL, HFILL }},
+ { &hf_ip_addr,
+ { "Resolving or resolved Address", "ip.addr",
+ FT_IPv4, BASE_NONE, NULL, 0x0,
+ NULL, HFILL }},
+
+
};
static gint *ett[] = {
