On 01/29/2013 06:35 PM, Guy Harris wrote:

On Jan 29, 2013, at 2:10 PM, Guy Harris <[email protected]> wrote:

On Jan 29, 2013, at 1:39 PM, Wenfei Wu <[email protected]> wrote:

  I want to know how Wireshark uses the filter expression to filter packets. 
Does it parse the packet first, and then use the filter expression to check? If 
so, is there some intermediate data structure to store the filter expression? 
What is the algorithm?
  Are there some materials about this?

See my reply on the tcpdump-workers mailing list.

Although that applies only to Wireshark *capture* filters.

For *display* filters, yes, Wireshark and TShark parse the packet first, turning it into 
a tree of named fields and unnamed "text" items.

The filter expression is compiled into a pseudo-machine code.  It is *not* the 
same as the BPF pseudo-machine code; it's much higher-level, in that it knows 
about named packet fields, not just the raw array of packet bytes that the BPF 
pseudo-machine uses.

See the code in the epan/dfilter directory - in particular, see dfvm.h and 
dfvm.c for the core of the pseudo-machine interpreter.

Also see doc/README.display_filter
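To make the two-stage design concrete (dissect first, then run compiled filter code over named fields rather than over raw bytes), here is a small added model of a display-filter engine. It is example code written for this thread, not code from Wireshark's epan/dfilter directory: the field names imitate Wireshark's (ip.src, tcp.port), but the dissected-packet structure, the grammar subset, the opcodes and the stack machine are all constructed here for illustration. It deliberately shows one point that matters when writing detection filters: a field such as tcp.port occurs twice in one packet, and a comparison is true if any occurrence matches, so `tcp.port == 80` matches traffic in either direction and `tcp.port != 80` is also true for the same packet under these "any occurrence" semantics.

```python
"""Toy display-filter engine: dissect into named fields, compile the filter
expression to pseudo-machine code, interpret that code per packet.
Added example for this thread, not Wireshark's dfvm; names and opcodes are
invented here."""
import operator
import re

# Constructed dissection result: every field name maps to the list of all
# occurrences in the packet (tcp.port shows up for both endpoints); protocol
# nodes map to [None] so that a bare "tcp" can be tested for existence.
SAMPLE_PACKET = {
    "eth": [None], "ip": [None], "tcp": [None],
    "ip.src": ["10.0.0.5"], "ip.dst": ["192.0.2.10"], "ip.ttl": [64],
    "tcp.srcport": [51234], "tcp.dstport": [80], "tcp.port": [51234, 80],
    "tcp.flags.syn": [1],
}

CMP = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       "<": operator.lt, ">=": operator.ge, "<=": operator.le}

TOKEN_RE = re.compile(
    r'\s*(?:(&&|\|\||==|!=|>=|<=|>|<|!|\(|\))|"([^"]*)"|([A-Za-z_][\w.]*)|(\d+))')

def tokenize(expr):
    """Split a filter string into (kind, value) tokens."""
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {expr[pos:]!r}")
        pos = m.end()
        op, s, name, num = m.groups()
        if op:
            tokens.append(("OP", op))
        elif s is not None:
            tokens.append(("STR", s))
        elif name:
            tokens.append(("NAME", name))
        else:
            tokens.append(("INT", int(num)))
    return tokens

class Compiler:
    """Recursive-descent compiler: expr := and ('||' and)*; and := unary ('&&' unary)*;
    unary := '!' unary | '(' expr ')' | NAME [cmp literal]. Emits stack-machine code."""
    def __init__(self, tokens):
        self.toks, self.i, self.code = tokens, 0, []
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self):
        tok = self.peek(); self.i += 1; return tok
    def compile(self):
        self.expr()
        if self.i != len(self.toks):
            raise ValueError("trailing tokens")
        return self.code
    def expr(self):
        self.and_expr()
        while self.peek() == ("OP", "||"):
            self.take(); self.and_expr(); self.code.append(("OR",))
    def and_expr(self):
        self.unary()
        while self.peek() == ("OP", "&&"):
            self.take(); self.unary(); self.code.append(("AND",))
    def unary(self):
        kind, val = self.peek()
        if (kind, val) == ("OP", "!"):
            self.take(); self.unary(); self.code.append(("NOT",))
        elif (kind, val) == ("OP", "("):
            self.take(); self.expr()
            if self.take() != ("OP", ")"):
                raise ValueError("expected )")
        elif kind == "NAME":
            self.take(); self.code.append(("LOAD_FIELD", val))  # all occurrences
            k2, op = self.peek()
            if k2 == "OP" and op in CMP:
                self.take(); lk, const = self.take()
                if lk not in ("INT", "STR"):
                    raise ValueError("expected literal")
                self.code.append(("ANY_CMP", op, const))  # true if any occurrence matches
            else:
                self.code.append(("EXISTS",))  # bare field name: presence test
        else:
            raise ValueError(f"unexpected token {val!r}")

def run(code, packet):
    """Interpret the compiled code against one dissected packet (no short-circuit)."""
    stack = []
    for instr in code:
        op = instr[0]
        if op == "LOAD_FIELD":
            stack.append(packet.get(instr[1], []))
        elif op == "EXISTS":
            stack.append(bool(stack.pop()))
        elif op == "ANY_CMP":
            values, fn, const = stack.pop(), CMP[instr[1]], instr[2]
            stack.append(any(v is not None and type(v) is type(const) and fn(v, const)
                             for v in values))
        elif op == "NOT":
            stack.append(not stack.pop())
        else:  # AND / OR
            b, a = stack.pop(), stack.pop()
            stack.append((a and b) if op == "AND" else (a or b))
    return stack.pop()

def compile_filter(expr):
    return Compiler(tokenize(expr)).compile()

def matches(expr, packet=SAMPLE_PACKET):
    return run(compile_filter(expr), packet)

if __name__ == "__main__":
    for f in ("tcp.port == 80", "tcp.port != 80", "udp", 'ip.src == "10.0.0.5" && !(ip.ttl < 64)'):
        print(f"{f!r:45} -> {matches(f)}  code={compile_filter(f)}")
```

The compile step runs once per filter and the interpreter once per packet, which is the same division of labour the thread describes; the per-packet work never touches raw bytes, only the field lists the dissector produced. The `!=` result on a multi-occurrence field is the kind of surprise worth checking before relying on a display filter to exclude traffic from an investigation.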


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:[email protected]?subject=unsubscribe
