On Jul 5, 2012, at 2:38 AM, Lloyd wrote:

> I am studying about packet filtering methods. Then I came across
> NetBee library (combination of NetPDL+NetPFL+NetVM), by the developer
> of Winpcap. I have not tried the library yet, but the authors claim
> that it is a very flexible, efficient and an extendable system (O.
> Morandi, F. Risso, M. Baldi, A. Baldini, “Enabling Flexible Packet
> Filtering Through Dynamic Code Generation”). I am interested in
> comparing Wireshark's display filter against the Netbee system for
> efficiency and extendability.
> 
> They have compared their system against BPF but not with wireshark's
> display filter.

Wireshark's display filter is different from both BPF and NetBee.  BPF and 
NetBee both involve code that extracts fields from packets and does tests on 
them; Wireshark's display filter works on an already-parsed packet, so the 
extracting of fields from packets has already been done by the time the display 
filter works on it.

I.e., the Wireshark display filter is *NOT* a standalone mechanism; it relies 
on Wireshark dissectors existing and having been run on the packet.

(BTW, they should perhaps have tried doing their development on a platform that 
implements ntohs() and ntohl() as inlines; I think glibc+GCC does that, and it 
appears that MSVC++ in Visual Studio 2005 and later would allow that as well:

        http://msdn.microsoft.com/en-us/library/a3140177(v=vs.80).aspx

although whether Winsock or whatever provides ntohs() and ntohl() does so is 
another matter.  The ability to do byte-swapping of host-byte-order quantities 
inline is *not* an inherent advantage of other languages over C for generating 
packet-filtering code....)


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe

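The distinction drawn in the reply above, as an added example that is not code from this thread, from Wireshark, or from NetBee: a BPF/NetBee-style filter reaches into the raw frame bytes itself, whereas a Wireshark-style display filter only consults a field table that a dissector has already filled in. The 54-byte Ethernet/IPv4/TCP frame is constructed for the example (checksums left zero), the field names mimic Wireshark's "tcp.dstport" convention but the eight-entry table is a toy stand-in for its protocol tree, and the htons()-of-a-constant trick illustrates the inline byte-swapping point: with an inline or macro htons() the compiler folds the swap, so the loaded field is compared in network order with no run-time conversion.

```c
#include <arpa/inet.h>   /* htons, ntohs */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample frame (not a real capture): Ethernet/IPv4/TCP SYN,
 * 10.0.0.1:49152 -> 10.0.0.2:80.  Checksums are left as zero. */
static const uint8_t sample_frame[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet, type IPv4 */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,           /* IPv4: ihl=5, proto=TCP */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,                                 /* 10.0.0.1 -> 10.0.0.2 */
    0xc0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,           /* TCP: sport 49152, dport 80 */
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00                                  /* doff=5, flags=SYN */
};

#define ETH_LEN 14
#define IP_MIN_LEN 20

/* Locate the TCP header; returns its offset, or 0 if the frame is not
 * first-fragment IPv4/TCP or is too short for every field touched below. */
static size_t tcp_header_offset(const uint8_t *pkt, size_t len)
{
    uint16_t ethtype, frag;
    size_t ihl;
    if (len < ETH_LEN + IP_MIN_LEN) return 0;
    memcpy(&ethtype, pkt + 12, 2);
    /* htons(0x0800) is a constant expression with an inline/macro htons(),
     * so the field is compared in network order with no run-time swap. */
    if (ethtype != htons(0x0800)) return 0;
    ihl = (size_t)(pkt[ETH_LEN] & 0x0f) * 4;
    if (ihl < IP_MIN_LEN || pkt[ETH_LEN + 9] != 6) return 0;
    memcpy(&frag, pkt + ETH_LEN + 6, 2);
    if ((ntohs(frag) & 0x1fff) != 0) return 0;      /* later fragment: no TCP header here */
    if (len < ETH_LEN + ihl + 20) return 0;
    return ETH_LEN + ihl;
}

/* BPF/NetBee style: the filter itself extracts the field from raw bytes.
 * Equivalent of the capture filter "tcp dst port 80". */
int filter_tcp_dst_port_80(const uint8_t *pkt, size_t len)
{
    uint16_t dport;
    size_t off = tcp_header_offset(pkt, len);
    if (off == 0) return 0;
    memcpy(&dport, pkt + off + 2, 2);
    return dport == htons(80);
}

/* Wireshark style: a dissector first turns the packet into named fields
 * (toy table standing in for the protocol tree) ... */
struct field { const char *name; uint32_t value; };
struct dissected { struct field f[8]; size_t n; };

static void add_field(struct dissected *d, const char *name, uint32_t v)
{
    if (d->n < 8) { d->f[d->n].name = name; d->f[d->n].value = v; d->n++; }
}

int dissect(const uint8_t *pkt, size_t len, struct dissected *d)
{
    uint16_t sport, dport;
    size_t off = tcp_header_offset(pkt, len);
    d->n = 0;
    if (off == 0) return 0;
    add_field(d, "ip.proto", pkt[ETH_LEN + 9]);
    memcpy(&sport, pkt + off, 2);
    memcpy(&dport, pkt + off + 2, 2);
    add_field(d, "tcp.srcport", ntohs(sport));   /* stored in host order */
    add_field(d, "tcp.dstport", ntohs(dport));
    add_field(d, "tcp.flags", pkt[off + 13]);
    return 1;
}

/* ... and the display filter ("tcp.dstport == 80") never touches the bytes;
 * a field the dissector did not produce simply never matches. */
int display_filter_eq(const struct dissected *d, const char *name, uint32_t v)
{
    for (size_t i = 0; i < d->n; i++)
        if (strcmp(d->f[i].name, name) == 0) return d->f[i].value == v;
    return 0;
}

/* Helpers: run the raw filter on a copy of the sample with another dst port,
 * and run the display filter on the dissected sample. */
int raw_filter_with_dport(uint16_t dport)
{
    uint8_t copy[sizeof sample_frame];
    uint16_t n = htons(dport);
    memcpy(copy, sample_frame, sizeof copy);
    memcpy(copy + ETH_LEN + IP_MIN_LEN + 2, &n, 2);
    return filter_tcp_dst_port_80(copy, sizeof copy);
}

int display_filter_on_sample(const char *name, uint32_t v)
{
    struct dissected d;
    dissect(sample_frame, sizeof sample_frame, &d);
    return display_filter_eq(&d, name, v);
}

int main(void)
{
    printf("raw filter, dport 80:  %d\n", raw_filter_with_dport(80));
    printf("raw filter, dport 443: %d\n", raw_filter_with_dport(443));
    printf("display filter tcp.dstport == 80: %d\n", display_filter_on_sample("tcp.dstport", 80));
    return 0;
}
```

Note that the raw filter pays for bounds checks and field loads on every packet, once per filter, while the display filter pays for them once in the dissector and then answers any number of field comparisons from the table; that is the trade the reply above describes, and the reason the two are not directly comparable for "efficiency" without counting the dissection step.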