Ethereal-dev: Re: [ethereal-dev] New proto_tree patch

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Fri, 2 Jul 1999 22:24:45 -0700 (PDT)
> Yes, absolutely. Ethereal would benefit from different styles of UI for
> filters. I find the NAI's DOS-based Sniffer filter interface useful.
> While you can build complex expressions with it, it also has fields for
> simple filters: you select the source/dest addresses you want to see
> (dlc, ip, ipx), and which protocols. Very simple.
> 
> I once tried to use Sniffer Pro's filter GUI (on WinNT). The GUI was not
> simple; I could not at a glance figure out how to relate everything with
> their little tree of ANDs and ORs. Somehow a tree of logical expressions
> doesn't work in a GUI.

NetMon's GUI is based on a logical expression tree, but it starts out
with

	[AND]
	  |
	  +---Protocol == Any
	  |
	  +---ANY <-> ANY

If you double click on either of them, it pops up its filter-node
construction dialog box, which has three tabs:

	Address

	   lets you filter on source or destination addresses (you can
	   specify "Addr1 -> Addr2", meaning packets going from Addr1 to
	   Addr2, or "Addr1 <-> Addr2", meaning packets going between
	   Addr1 and Addr2; either one can be specified as "*ANY")

	Protocol

	   lets you filter on the highest-level protocol (i.e., the one
	   that shows up in the summary display) - it has a list of
	   "enabled" and "disabled" protocols, which starts out showing
	   all of them as enabled, and lets you enable all, disable all,
	   or move a selected protocol to the disabled or enabled list

	Property

	   lets you filter on a particular field - it has a list of
	   properties (scrolling list, initially showing just protocols,
	   with a "+" that can be clicked to open up a list of all
	   fields for that protocol), and, when you select a particular
	   field, it offers different relations (e.g., "==", "<>" a/k/a
	   "!=", ">", etc.) and lets you specify the value to be
	   compared with the field

If you click on "Protocol == Any", the active tab is the "Protocol" tab
(although you can change that); if you click on "ANY <-> ANY", the
active tab is the "Address" tab (again, you can change that).

Now, admittedly, I haven't often constructed a full-blown expression, so
maybe the only reason I've found it not too bad is that it's easy to
construct an expression that *just* filters on a protocol, or an
address, or one field.

To add an AND, OR, or NOT above a particular expression, you select the
tree element with the expression, and click on "AND", "OR", or "NOT" in
a list of "Add" buttons.  That gives you an AND or an OR with only one
operand; select the AND or OR, and click on "Expression" in the "Add"
button list, and it pops up the filter-node construction dialog box to
let you construct the other operand of the AND or OR.

There's an "Edit" button, which is either "Operator", if an AND, OR, or
NOT is selected (it cycles through AND and OR, and NOT if the operator
has only one operand), or "Expression", if an expression node is selected
(it pops up the filter-node construction dialog box).

There are also "Delete" buttons - "Line", which deletes the selected
expression node (or is grayed-out if the current node is an operator),
"Branch", which deletes the selected expression node if an expression
node is selected or deletes the operator *and* its children if an
operator is selected, and "All".

I've never used the Windows Sniffer GUI, so I don't know if this is
better or worse or just the same.  It may also not be immediately
obvious how to construct a general expression with ANDs, ORs, and NOTs.
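As an added illustration (not code from this thread, from NetMon or from Ethereal), here is a small Python model of the filter tree described in the message above: the three leaf kinds from the dialog's tabs, evaluation of a tree against a packet record, and the "Add AND/OR/NOT above the selected node" step that yields a one-operand operator. The packet record layout (src, dst, proto, fields) and the field names used are assumptions made for the example.

```python
# Added example, not NetMon's or Ethereal's code; packet dicts are constructed.
import operator
from dataclasses import dataclass, field

RELATIONS = {"==": operator.eq, "!=": operator.ne, "<>": operator.ne,
             ">": operator.gt, "<": operator.lt}

@dataclass
class Expr:
    kind: str                      # "address", "protocol" or "property"
    a: str = "*ANY"                # Address tab: Addr1 (or "*ANY")
    b: str = "*ANY"                # Address tab: Addr2 (or "*ANY")
    direction: str = "<->"         # "->" = a to b only, "<->" = either way
    disabled: set = field(default_factory=set)  # Protocol tab: disabled list
    prop: tuple = None             # Property tab: (field, relation, value)

@dataclass
class Op:
    op: str                        # "AND", "OR" or "NOT" (NOT: one operand)
    children: list = field(default_factory=list)

def default_tree():
    """The tree NetMon starts with: AND of 'Protocol == Any', 'ANY <-> ANY'."""
    return Op("AND", [Expr("protocol"), Expr("address")])

def matches(node, pkt):
    """Evaluate the tree against a packet dict with src, dst, proto, fields."""
    if isinstance(node, Op):
        res = [matches(c, pkt) for c in node.children]
        if node.op == "NOT":
            return not res[0]
        return all(res) if node.op == "AND" else any(res)
    if node.kind == "address":
        fwd = node.a in ("*ANY", pkt["src"]) and node.b in ("*ANY", pkt["dst"])
        rev = node.a in ("*ANY", pkt["dst"]) and node.b in ("*ANY", pkt["src"])
        return fwd if node.direction == "->" else (fwd or rev)
    if node.kind == "protocol":
        return pkt["proto"] not in node.disabled   # all enabled by default
    name, rel, value = node.prop
    actual = pkt["fields"].get(name)               # field absent: no match
    return actual is not None and RELATIONS[rel](actual, value)

def add_above(root, target, op):
    """Wrap the selected node in a one-operand AND/OR/NOT, as the 'Add' buttons do."""
    if root is target:
        return Op(op, [target])
    if isinstance(root, Op):
        root.children = [add_above(c, target, op) for c in root.children]
    return root
```

After add_above, the new operator has a single operand; adding the second operand corresponds to selecting it and pressing "Expression" in the "Add" list, i.e. appending another Expr to its children.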