Many thanks for helpful and speedy comments.
> At present, it seems that ethereal regards each and every flag
> as a single stand alone boolean which is on or off (having appropriate
> labels in a TRUE/FALSE structure) and displayed left justified.
Correct. This was to make it easy to filter on an individual flag
value. For example, "tcp.flags.ack" or "tcp.flags.urg"
I have not given this any consideration at all. I have been working
(as a first pass) on the basis that filtering would fall out of the cod
if it were implemented reasonably.
How would one filter on an individual flag within an FT_FLAGS_BYTE value?
Would the display filter rely on the bit operations that will be available
in a future display filter syntax? Like:
tcp.flags & 0x08 == 1
instead of:
tcp.flags.push
Or would the adding an FT_FLAGS_BYTE value also automatically add all
the children FT_BOOLEAN or FT_UINT* values as well?
I was thinking of the latter. Now that I have written some code it is becoming
apparent that this is a case of FT_FLAGS_* being a special case of FT_UINT*.
Could the constituent boolean and numeric fields be added as hidden
(assuming that
they are hidden & not displayed elsewhere)?
Ben.
--
Leedsnet - The information resource for Leeds and the West Riding
< URL:http://www.leedsnet.com/mobile/ >
