Guy Harris writes:
> > > - We need GUI extensions for filtering (this is not news to you, I'm
> > > sure).
> >
> > yes!
>
> The stuff you're doing should help that, in that, for example, a GUI
> could get a list of all the fields at which it can look, as well as at
> all the protocols it can select.
Yeah, but I'm leaning towards a per-protocol GUI filter. The reason is
that I don't feel that all possible useful filters can be expressed in
simple fields.
> > > - A useful filtering scheme would be to filter on all packets in which
> > > a particular set of bytes match a particular pattern. Even more useful
> > > would be if you could select these. For example, you click on a
> > > packet, expand it, click on a protocol, expand it, click on an object
> > > within that protocol and select it (so it gets highlighted in the hex
> > > dump). Now, you go to the menu and say "Find all packets in which
> > > the selected bytes have the same value". Voila, it finds all those
> > > packets. This is a really useful technique and folks in my group use it
> > > all the time in Netmon (though they have to do a little more work
> > > there to get this functionality). I'm halfway through writing it; but
> > > if somebody has an equivalent or better solution, I'm all ears.
> >
> > You mean using an offset from the beginning of a protocol layer?
> > Like,
> > tcp[5:3] = 01:02:03
> >
> > Or even with a field?
> >
> > tr.dst[0:3] = 00:00:f6 (madge token-ring cards!)
>
> For the display filter, the version of Netmon I have appears to require
> you to select a property (its equivalent of the field-based stuff you're
> doing for Ethereal display filters) in order to get at stuff at a given
> byte offset in the packet, so it's not clear whether it lets you say
> "are the N bytes at offset X equal to Y?").
Yeah, but our testers basically copy down the bytes in the particular
offset from the RSVP session property, and then filter by this. They have
to move the numbers by hand (a no-no).
> The capture filter lets you look at bytes starting at a given offset
> from either the start of the frame or from the start of the link-layer
> payload. (Unfortunately, that, address matches, and SAP/Ethernet type
> matches are *all* it lets you do; for example, it appears not to have
> any way, short of manually constructing it with the "bytes starting at a
> given offset" stuff, to do a capture filter based on TCP or UDP port
> numbers.)
And I feel this is not a bad thing. IMHO, capture filters should be
really simple and fast. Display filters are where all the smarts should
be.
> That mechanism is basically Netmon-inspired, so it should let people do
> the same sort of stuff in Ethereal display filters that Netmon lets you
> do in its display filters.
>
> Ashok, are you referring to *capture* filters, or *display* filters?
Display filters only.
-Ashok
--
--- Ashok Narayanan ----------------------------------------
IOS Network Protocols, Cisco Systems
250 Apollo Drive, Chelmsford, MA 01824
Ph: 978-244-8387
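The byte-slice display filter discussed above (`tcp[5:3] = 01:02:03`, with the offset counted from the start of a protocol layer) and the "find all packets in which the selected bytes have the same value" workflow, as an added illustration that is not Ethereal's code nor anything posted in this thread. It assumes constructed Ethernet/IPv4/TCP frames without options and recognises only the `frame`, `eth`, `ip` and `tcp` layers; a slice on a layer the frame does not carry simply fails to match.

```python
import re
from typing import Dict, List

# Constructed Ethernet/IPv4/TCP frame builder (hypothetical addresses, no options).
def build_frame(dst_mac: str, src_mac: str, sport: int, dport: int, seq: int,
                ethertype: bytes = b"\x08\x00") -> bytes:
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + ethertype
    ip = (bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6, 0, 0])   # IHL=5, protocol 6 = TCP
          + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))
    tcp = (sport.to_bytes(2, "big") + dport.to_bytes(2, "big") + seq.to_bytes(4, "big")
           + bytes(4) + bytes([0x50, 0x10]) + bytes(6))          # ack, data offset 5, ACK flag
    return eth + ip + tcp

def layer_offsets(frame: bytes) -> Dict[str, int]:
    """Byte offset at which each recognised layer starts; absent layers are omitted."""
    offs = {"frame": 0, "eth": 0}
    if len(frame) >= 34 and frame[12:14] == b"\x08\x00":   # EtherType IPv4
        offs["ip"] = 14
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] == 6:                             # IP protocol 6 = TCP
            offs["tcp"] = 14 + ihl
    return offs

# proto[offset:length] = aa:bb:cc  (offset is relative to the start of that layer)
FILTER_RE = re.compile(r"^(\w+)\[(\d+):(\d+)\]\s*=\s*([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*)$")

def matches(frame: bytes, expr: str) -> bool:
    m = FILTER_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    proto, off, length = m.group(1), int(m.group(2)), int(m.group(3))
    pattern = bytes.fromhex(m.group(4).replace(":", ""))
    if len(pattern) != length:
        raise ValueError("pattern length does not match slice length")
    offs = layer_offsets(frame)
    if proto not in offs:                    # layer not present in this frame: no match
        return False
    start = offs[proto] + off
    if start + length > len(frame):          # slice runs past the end of the frame
        return False
    return frame[start:start + length] == pattern

def filter_for_selection(frame: bytes, proto: str, off: int, length: int) -> str:
    """Turn bytes selected in one packet into the filter that finds equal bytes elsewhere."""
    start = layer_offsets(frame)[proto] + off
    value = frame[start:start + length]
    return f"{proto}[{off}:{length}] = " + ":".join(f"{b:02x}" for b in value)

def find_matching(frames: List[bytes], expr: str) -> List[int]:
    """Indices of the frames a filter expression matches."""
    return [i for i, f in enumerate(frames) if matches(f, expr)]
```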