Hello, I am trying to find where I can see the criteria for the display filters. I looked in the dfilters file but that only contains 17 entries. For example 'http.' as around 50 filter options, is there a file that defines the criteria that would match each option? I suppose this would be some offset and some hex value, is there a list of these values for each display filter. Thank you, GP CC asked 16 May '17, 07:07 GP CC |
2 Answers:
To be precise, the "file that defines the criteria that would match each [filter]" would be the dissector. That contains the code which creates the nodes in the protocol tree to which the display filter can be applied. There is (a lot of) logic involved in that, interpreting every octet and bit in the frame to find out where what field is. So there is no hard-and-fast rules saying 'at this offset that field can be found and a display filter applied'. (layers of) network protocols are just too complex for that. answered 16 May '17, 12:08 Jaap ♦ |
There is the on-line reference of all display filters, if that's what you're interested in? With the Gtk version of Wireshark, you can also find the available display filters by navigating through Internals -> Support Protocols (slow!) -> Display Filter Fields, and you can also use Probably the easiest way to find out the display filter name is by selecting the field of interest in the packet details pane and then reading the display filter associated with that field in the bottom status bar. answered 16 May '17, 11:28 cmaynard ♦♦ 1 Oh, and the Qt based interface has them at View | Internal | Supported Protocols. (16 May '17, 12:02) Jaap ♦ |
Thank you for the replies and assistance, I was thinking the dissector for each protocol would be a part or maybe all of the answer.
GP CC