Hi!
When display filtering, I'll often use data from the currently selected packet,
e.g. see all packets that also has the same Ethernet address pair as the
current packet.
That's why I've implemented the context menu "Conversation Filter" some time
ago.
However, my feeling about these filters is, that they are too inflexible for a
lot of cases. So I thought about a different approach, and after some time now
I've come to the conclusion that the most flexible and still understandable way
would be to use fields of the currently selected packet in the filter string.
One idea is to use something like:
eth.addr eq ${eth.dst} and eth.addr eq ${eth.src}
to get the same behaviour as the current "Conversation Filter/Ethernet" context
menu. In fact, this is what the context menu will do "hardcoded" - get some
data from the currently selected packet and build a new filter string out of
it. But we would gain a lot more flexibility in the users hand being able to
use such macros for the display filter in a generic way here!
Having this flexibility, we could even have user defined GUI elements to filter
stuff, e.g. add user definable toolbar buttons for user defined filters. So the
user can add a toolbar button to filter the stuff he want's.
Having this two (hopefully small) changes, we would gain a lot of comfort in
the everyday work IMO.
Unfortunately, I don't have deep knowledge of the display filter engine, so is
there any chance/interest that someone helps me with this approach? If the
display filter engine is capable of using such macros, I would happily add the
GUI stuff to bring this into life ...
Regards, ULFL
_____________________________________________________________________
Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen!
http://smartsurfer.web.de/?mc=100071&distributionid=000000000066
_______________________________________________
Wireshark-dev mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-dev
