Wireshark-dev: Re: [Wireshark-dev] Using col_set_str(pinfo->cinfo, COL_PROTOCOL, "some_string")
From: Michael Mann <mmann78@xxxxxxxxxxxx>
Date: Sat, 1 Jul 2017 17:38:38 -0400
If your filter string is "smb2" or "dns", the reason the filter works is that there is a field added to the tree with that name (typically the proto_id). There is no "col.proto == smb2" filter. Many dissectors have the proto id as the first field in their tree and that allows the filterability.

-----Original Message-----
From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Sent: Sat, Jul 1, 2017 5:02 pm
Subject: Re: [Wireshark-dev] Using col_set_str(pinfo->cinfo, COL_PROTOCOL, "some_string") but cannot filter on some_string

On Sat, Jul 1, 2017 at 1:48 PM, Michael Mann via Wireshark-dev <wireshark-dev@xxxxxxxxxxxxx> wrote:
> I think you're running into this:
> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4684

What is strange is that it seems to work for some protocols. Ie, if I
search on smb2, dns, etc, it works.
I wonder what the difference is ...

> -----Original Message-----
> From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
> To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
> Sent: Sat, Jul 1, 2017 2:31 pm
> Subject: Re: [Wireshark-dev] Using col_set_str(pinfo->cinfo, COL_PROTOCOL, "some_string") but cannot filter on some_string
>
> On Sat, Jul 1, 2017 at 10:20 AM, Darien Spencer <cusneud@xxxxxxxx> wrote:
>> The protocol filter isn't based on the value in the protocol column.
>> Instead it's based on the value given to the protocol registration method
>> 'proto_register_protocol'
>> Look at the example here:
>> https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html
>> the filter will be 'foo' since the 3rd argument to this method is 'foo'.
>> Did you use 'some_string' there as well?
>
> Yeah, I just went back and made sure that the third argument was the same,
> including case, as what I used in col_set_str.
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)

--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
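
The distinction made at the top of this message, between setting the Protocol column and adding the protocol item to the tree, shown as an added example that is not part of the original thread. It uses Wireshark's Lua API rather than the C API discussed above; the protocol names `colonly` and `intree`, the field `intree.type` and the UDP ports are hypothetical.

```lua
-- Added illustration, not code from the thread. Protocol names, the field
-- name and the UDP ports are made up for the demonstration.
-- Load with: wireshark -X lua_script:filter_demo.lua

-- Case 1: only the Protocol column is set. Nothing is added to the tree,
-- so per the explanation above the display filter "colonly" has no field
-- to match on, even though the column shows "COLONLY".
local colonly = Proto("colonly", "Column-only demo")

function colonly.dissector(tvb, pinfo, tree)
    -- Lua counterpart of col_set_str(pinfo->cinfo, COL_PROTOCOL, ...)
    pinfo.cols.protocol = "COLONLY"
end

-- Case 2: the protocol item is the first thing added to the tree.
-- That item is what the display filter "intree" matches.
local intree = Proto("intree", "In-tree demo")
local f_type = ProtoField.uint8("intree.type", "Type", base.DEC)
intree.fields = { f_type }

function intree.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "INTREE"
    -- Protocol item covering the whole payload: makes "intree" filterable.
    local subtree = tree:add(intree, tvb())
    -- Guard against an empty payload before reading the first byte.
    if tvb:len() >= 1 then
        -- Registered field: makes "intree.type == N" filterable.
        subtree:add(f_type, tvb(0, 1))
    end
end

-- Bind each demo dissector to its own (hypothetical) UDP port.
local udp_port = DissectorTable.get("udp.port")
udp_port:add(40001, colonly)
udp_port:add(40002, intree)
```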