Wireshark-dev: Re: [Wireshark-dev] can't filter field in wireshark
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Thu, 18 Aug 2011 23:05:20 +0200
On 18 aug. 2011, at 17:08, Graham Bloice <graham.bloice@xxxxxxxxxxxxx> wrote:

> On 18/08/2011 15:26, Moussa.Alawieh@xxxxxxxxxxxxxxxxxxx wrote:
>> Can someone help me ????????????
>> 
>> 
>> 
>> De :        Moussa Alawieh/LES ULIS/ZDF/BTECH/ZODIAC
>> 
>> ------------------------------------------------------------------------------
>> 
>> 
>> thanks for your response....
>> 
>> However, what you said is very importanty for me because I have put this
>> function in many place of my code !!!!
>> 
>> Is there any other function that can replace the "proto_tree_add_text()" ??
>> 
>> and do you think that it exist a way to satisfy my question in the precedent
>> mail ???
>> 
>> 
>> 
>> 
>> 
>> De :        Chris Maynard <Chris.Maynard@xxxxxxxxx>
>> 
>> ------------------------------------------------------------------------------
>> 
>> 
>> 
>> <Moussa.Alawieh@...> writes:
>> 
>>> I put the result in Wireshark with the
>>> "proto_tree_add_text"
>>> function, but it's impossible
>>> to filter this field because it's a text !!!!!
>>> can someone help-me ???
>>> regards
>> 
>> Don't use proto_tree_add_text().  To quote doc/README.developer:
>> 
>> proto_tree_add_text() is used to add a label to the GUI tree.  It will
>> contain no value, so it is not searchable in the display filter process.
>> This function was needed in the transition from the old-style proto_tree
>> to this new-style proto_tree so that Wireshark would still decode all
>> protocols w/o being able to filter on all protocols and fields.
>> Otherwise we would have had to cripple Wireshark's functionality while we
>> converted all the old-style proto_tree calls to the new-style proto_tree
>> calls.  In other words, you should not use this in new code unless you've got
>> a specific reason (see below).
> You need to follow the advice from Chris.  If you want to filter on a field
> don't use proto_tree_addtext(), use proto_tree_add_item() along with
> corresponding hf_* field definitions.
> 
> -- 
> Regards,
> 
> Graham 

... But he's trying to show a computed value, so he should follow the advice from Jeff. 

Thanks,
Jaap