Wireshark-dev: Re: [Wireshark-dev] File format and coloring rules.
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 30 Nov 2010 00:59:31 -0800
On Nov 30, 2010, at 12:43 AM, Agustin Figueredo Canosa wrote:

> I have a dissector for my protocol that works fine, but I have a few
> questions.
> 
> 1 - I have an external Sniffer (I haven't developed it) that uses a list
> from the component "TListView" of Borland Builder for saving capture
> files. The content of the files is transparent for the user; if you open this
> file with a text editor, the content is illegible. Is there any way to
> add this file format to wiretap?

If:

	1) that file format is documented somewhere, or can be reverse-engineered

and

	2) it has records for each packet that contain the raw data for the packet and, if it's available, a time stamp for the packet

it's probably possible - we'd have to see the documentation for the file format, or see some capture files in that format as well as information giving some or all of the contents of each packet and, if they're in the file, the time stamp for each packet (for reverse-engineering).

> 2 - I'd like to use different color rules depending on the host
> directions. How can I do that? Obviously, I don't know these directions
> until the frame arrives.

What if, for example, it's an Ethernet or Wi-Fi capture and there are more than two hosts?

For IP packets, if you know the IP addresses of two of the hosts, you could construct two color filter rules for traffic in each direction between those hosts, but that wouldn't handle traffic between one of those hosts and a third host, or traffic between two other hosts.  If it's on a network with multiple link-layer addresses, the same would apply to them.
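An added example, not code from this thread and not Wireshark's own wiretap or coloring code: it illustrates both answers above. For the file-format question, it assumes a hypothetical record layout (a little-endian 4-byte seconds field, 4-byte microseconds field, 2-byte length, then the raw Ethernet frame) standing in for whatever reverse-engineering of the TListView dump would actually reveal, and shows the practical fallback of converting such records into a classic libpcap file that Wireshark already reads, instead of writing a wiretap module. For the coloring question, it generates one `colorfilters`-style rule per ordered pair of known hosts and then counts how many frames no rule would color, which makes the point about a third host concrete. The sample dump, the host addresses and the record layout are all constructed for the demo.

```python
"""Convert a hypothetical binary capture dump to libpcap and build per-direction
coloring rules. Example code added to the thread; the record layout, sample
frames and host addresses are assumptions, not the real TListView format."""
import struct
import itertools
from typing import List, Optional, Tuple

# Assumed record layout (hypothetical stand-in for the undocumented dump):
# u32 seconds, u32 microseconds, u16 frame length, raw Ethernet frame; all little-endian.
REC_HDR = struct.Struct("<IIH")
PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1

def parse_records(blob: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk the assumed record format, rejecting truncated or malformed records."""
    records, off = [], 0
    while off < len(blob):
        if off + REC_HDR.size > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        sec, usec, length = REC_HDR.unpack_from(blob, off)
        off += REC_HDR.size
        if usec >= 1_000_000:
            raise ValueError(f"bad microsecond field {usec} before offset {off}")
        if off + length > len(blob):
            raise ValueError(f"record at offset {off} claims {length} bytes past EOF")
        records.append((sec, usec, blob[off:off + length]))
        off += length
    return records

def to_pcap(records, linktype: int = LINKTYPE_ETHERNET, snaplen: int = 65535) -> bytes:
    """Serialise records as a libpcap file: 24-byte global header
    (magic, 2.4, thiszone, sigfigs, snaplen, linktype) and a 16-byte header per packet."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for sec, usec, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def ipv4_endpoints(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (src, dst) dotted quads for an Ethernet II IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return src, dst

# Light background colours, 16-bit channels as Wireshark's colorfilters file uses them.
PALETTE = [(65535, 52428, 52428), (52428, 65535, 52428), (52428, 52428, 65535),
           (65535, 65535, 52428), (65535, 52428, 65535), (52428, 65535, 65535)]

def direction_rules(hosts: List[str]) -> List[str]:
    """One coloring rule per ordered pair of known hosts, in the
    @name@display filter@[bg r,g,b][fg r,g,b] line format of the colorfilters file.
    N known hosts give N*(N-1) rules; traffic involving any other host matches none."""
    rules = []
    for i, (src, dst) in enumerate(itertools.permutations(hosts, 2)):
        bg = ",".join(str(c) for c in PALETTE[i % len(PALETTE)])
        rules.append(f"@{src} -> {dst}@ip.src == {src} && ip.dst == {dst}@[{bg}][0,0,0]")
    return rules

def uncoloured(records, hosts: List[str]) -> int:
    """Count frames that no direction rule would colour: non-IPv4 frames and
    any frame where either endpoint is not one of the known hosts."""
    known = set(hosts)
    count = 0
    for _, _, frame in records:
        ends = ipv4_endpoints(frame)
        if ends is None or ends[0] == ends[1] or ends[0] not in known or ends[1] not in known:
            count += 1
    return count

def make_frame(src: str, dst: str) -> bytes:
    """Constructed minimal Ethernet II + IPv4 header (no payload) for the demo."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip

# Constructed sample dump: two hosts talking in both directions, then a third host.
SAMPLE_DUMP = b"".join(
    REC_HDR.pack(sec, usec, len(f)) + f
    for sec, usec, f in [
        (1291100000, 10, make_frame("10.0.0.1", "10.0.0.2")),
        (1291100000, 20, make_frame("10.0.0.2", "10.0.0.1")),
        (1291100001, 0, make_frame("10.0.0.1", "10.0.0.3")),
    ]
)

if __name__ == "__main__":
    recs = parse_records(SAMPLE_DUMP)
    with open("converted.pcap", "wb") as fh:
        fh.write(to_pcap(recs))
    print("\n".join(direction_rules(["10.0.0.1", "10.0.0.2"])))
    print("frames matched by no rule:", uncoloured(recs, ["10.0.0.1", "10.0.0.2"]))
```

Running the script writes `converted.pcap` (openable in Wireshark with the Ethernet dissector) and prints two rules for the 10.0.0.1/10.0.0.2 pair; the third frame, to 10.0.0.3, is reported as matched by no rule, which is exactly the gap described above. The parser refuses truncated or oversized records rather than silently emitting a short packet, since a converter that trusts length fields from an undocumented format is an easy way to produce a corrupt capture.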