Wireshark-dev: Re: [Wireshark-dev] can't filter field in wireshark
From: Graham Bloice <graham.bloice@xxxxxxxxxxxxx>
Date: Thu, 18 Aug 2011 16:08:22 +0100
On 18/08/2011 15:26, Moussa.Alawieh@xxxxxxxxxxxxxxxxxxx wrote:
> Can someone help me ????????????
>
>
>
> De :        Moussa Alawieh/LES ULIS/ZDF/BTECH/ZODIAC
>
> ------------------------------------------------------------------------------
>
>
> thanks for your response....
>
> However, what you said is very importanty for me because I have put this
> function in many place of my code !!!!
>
> Is there any other function that can replace the "proto_tree_add_text()" ??
>
> and do you think that it exist a way to satisfy my question in the precedent
> mail ???
>
>
>
>
>
> De :        Chris Maynard <Chris.Maynard@xxxxxxxxx>
>
> ------------------------------------------------------------------------------
>
>
>
>  <Moussa.Alawieh@...> writes:
>
> > I put the result in Wireshark with the
> > "proto_tree_add_text"
> > function, but it's impossible
> > to filter this field because it's a text !!!!!
> > can someone help-me ???
> > regards
>
> Don't use proto_tree_add_text().  To quote doc/README.developer:
>
> proto_tree_add_text() is used to add a label to the GUI tree.  It will
> contain no value, so it is not searchable in the display filter process.
> This function was needed in the transition from the old-style proto_tree
> to this new-style proto_tree so that Wireshark would still decode all
> protocols w/o being able to filter on all protocols and fields.
> Otherwise we would have had to cripple Wireshark's functionality while we
> converted all the old-style proto_tree calls to the new-style proto_tree
> calls.  In other words, you should not use this in new code unless you've got
> a specific reason (see below).
You need to follow the advice from Chris.  If you want to filter on a field
don't use proto_tree_addtext(), use proto_tree_add_item() along with
corresponding hf_* field definitions.

-- 
Regards,

Graham Bloice