Wireshark-dev: Re: [Wireshark-dev] Defining global filters?
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Mon, 18 Aug 2014 14:52:35 -0400
On 08/18/14 09:46, Anders Broman wrote:
Hi,

How to define filters and display the data of fields that may occur in
multiple protocols? One example is IMSI (International Mobile
Subscriber Identity) that exists in multiple 3GPP and 3GPP2 protocols,
following a call flow through the system it could be interesting to
filter on IMSI across multiple protocols to build a filter covering all
messages in the call flow.

(I suppose I may sound rather repetitive at this point--sorry--but...) this is exactly what MATE's good at (and was created for).

For example, I still have a MATE configuration file loaded (though I haven't actually used it in months) which adds an "IMSI" filter to Diameter Answer messages because I needed to find an answer with IMSI=1234 and Result-Code=5678. It could easily be modified to also pick the IMSI out of other protocols (like GTPv2).

Suggestion:

Create global_filters.[ch] in epan/dissectors or
(packet-global_filters?) define functions to parse the data there and/or
export the hf Variable to be used in the protocol dissectors.

Initially that seems very wrong to me; "global" sounds too wide of a scope to me.

Why not put the IMSI dissector and filter in the E.212 dissector? The same could be applied to MSISDNs (E.164).

How many other identifiers are we talking about? Could they be lumped into existing "dissectors" like those two?