Wireshark-dev: Re: [Wireshark-dev] expert_add_info_format() usage with undecoded/unknown data
I have tried your patch (on wireshark 1.1.3).
Seems to work well.
Explanations for other people:
On each field where an expert info has been declared, a subtree Expert Info is added with:
- a field Severity with its value: Error, ...
- a field Group with its value: Checksum, Malformed, ...
Then you can filter using:
expert
expert.severity == "Error"
expert.severity >= "Warn"
expert.group == "Malformed"
...
Perhaps I also want a filter like this:
<my_proto>.expert...
But I think it is not evident that it is a good choice or easy to do, and it
could be replaced by:
<my_proto> && expert...
Seems very good to me.
When do you plan to deliver it?
Olivier
Jakub Zawadzki wrote:
Hi,
On Wed, Feb 18, 2009 at 07:55:02PM +0100, wsgd wrote:
The possibility to make a Display filter on 'expert data' seems very
good to me.
It could permit seeing all packets where there is an error (or ...).
Seems an important feature to me.
But, I think it does not exist.
I do some work on it, in attachment initial version :)
So, "gg.unknown" is the way to do it.
The same is done in packet-tcp.c: "hf_tcp_checksum_bad" ...
Note that you can filter using "gg.unknown" without any value (if you
add your "unknown" field only "when something unknown happens").
I didn't know about that, thanks!
--
Wireshark Generic Dissector http://wsgd.free.fr