On Jan 29, 2013, at 2:10 PM, Guy Harris <[email protected]> wrote:

> On Jan 29, 2013, at 1:39 PM, Wenfei Wu <[email protected]> wrote:
>
>> I want to know how Wireshark uses the filter expression to filter packets.
>> Does it parse the packet first, and then use the filter expression to check?
>> If so, is there some intermediate data structure to store the filter
>> expression? What is the algorithm?
>> Are there some materials about this?
>
> See my reply on the tcpdump-workers mailing list.
Although that applies only to Wireshark *capture* filters.

For *display* filters, yes, Wireshark and TShark parse the packet first, turning it into a tree of named fields and unnamed "text" items. The filter expression is compiled into a pseudo-machine code. It is *not* the same as the BPF pseudo-machine code; it's much higher-level, in that it knows about named packet fields, not just the raw array of packet bytes that the BPF pseudo-machine uses.

See the code in the epan/dfilter directory - in particular, see dfvm.h and dfvm.c for the core of the pseudo-machine interpreter.
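An added toy model of the display-filter pipeline described above (illustration only, not code from Wireshark or from the author of the message): the packet is first dissected into a tree of named fields, the expression is compiled into a short instruction list, and an interpreter runs that list against the tree rather than against raw packet bytes, which is what distinguishes it from BPF. The dissection dictionary is constructed, the filter subset is deliberately tiny, and the opcode names are assumptions that only loosely echo the ones in epan/dfilter/dfvm.h.

```python
# Constructed dissection result standing in for Wireshark's protocol tree:
# field name -> every value of that field in the packet. A field can occur
# more than once (tcp.port is both the source and the destination port).
SAMPLE_TREE = {
    "eth.type": [0x0800],
    "ip.src": ["10.0.0.5"],
    "tcp.port": [51234, 80],
    "tcp.flags.syn": [1],
}

def compile_filter(expr):
    """Compile a tiny subset of display-filter syntax ('field == literal' and bare
    'field' terms joined by '&&') into (opcode, operand) pairs. Opcode names only
    loosely follow epan/dfilter/dfvm.h; this is an illustration, not Wireshark's."""
    prog, pending_jumps = [], []
    for term in (t.strip() for t in expr.split("&&")):
        if "==" in term:
            field, lit = (s.strip() for s in term.split("==", 1))
            value = int(lit, 0) if lit.isdigit() or lit.startswith("0x") else lit
            prog.append(["READ_TREE", field])   # load every value of the named field
            prog.append(["ANY_EQ", value])      # true if any loaded value matches
        else:
            prog.append(["CHECK_EXISTS", term]) # bare field name: is it present at all?
        pending_jumps.append(len(prog))
        prog.append(["IF_FALSE_GOTO", None])    # short-circuit the conjunction
    prog.append(["RETURN", True])
    fail_pc = len(prog)
    prog.append(["RETURN", False])
    for pc in pending_jumps:                    # back-patch the jump targets
        prog[pc][1] = fail_pc
    return [tuple(instr) for instr in prog]

def run_filter(prog, tree):
    """Interpret a compiled program against the dissected field tree, not raw bytes."""
    pc, loaded, truth = 0, [], False
    while True:
        op, arg = prog[pc]
        if op == "READ_TREE":
            loaded = tree.get(arg, [])
        elif op == "ANY_EQ":
            truth = any(v == arg for v in loaded)
        elif op == "CHECK_EXISTS":
            truth = arg in tree
        elif op == "IF_FALSE_GOTO" and not truth:
            pc = arg
            continue
        elif op == "RETURN":
            return arg
        pc += 1
```

Note that `tcp.port == 80` matches because the interpreter compares against every value of the field in the tree, which is why a field-aware pseudo-machine needs "any value" comparison semantics that a byte-offset BPF program has no notion of.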
