I need some help and advice on display filters because I’m new to the codebase.
I’m trying to add the capability where an ‘http contains blah’ filter searches
uncompressed HTTP content. I’m adding it because we use ‘frame contains’ and ‘http
contains’ in our workflow to find items of interest in the traffic. There are
items in the compressed data that we would like to find using the contains
operator.
I see how the ‘http contains’ filter works and how HTTP decompression works;
however, I cannot figure out how to add the decompressed data to the linked list
used for display filtering.
I believe it will work if the decompressed buffer is added to the list_a linked
list in dfvm.c. The list_a linked list only has the raw HTTP packet data, and the
next pointer is NULL when the protocol ID is http. It would seem to work if the
uncompressed data pointer were added to the end of the list_a linked list in the
read_tree method.
Thoughts/guidance?
static gboolean
any_test(dfilter_t *df, FvalueCmpFunc cmp, int reg1, int reg2)
{
    GList *list_a, *list_b;

    list_a = df->registers[reg1];
    while (list_a) {
        list_b = df->registers[reg2];
        while (list_b) {
            if (cmp((fvalue_t *)list_a->data, (fvalue_t *)list_b->data)) {
                return TRUE;
            }
            list_b = g_list_next(list_b);
        }
        list_a = g_list_next(list_a);
    }
    return FALSE;
}
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
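Added example, not code from the post or from Wireshark: a Python rendering of the any_test cross-product over register lists, run against a constructed gzip-encoded HTTP response. It shows that a ‘contains’ test over the raw message bytes misses the needle, and that appending the inflated body to the http register list, as proposed above, is what makes it match. decompress_http_body and http_contains are hypothetical helpers, not Wireshark APIs.

```python
import gzip

# Constructed sample HTTP response with a gzip-compressed body (not real traffic).
NEEDLE = b"blah"
BODY = b"<html><body>hello blah world</body></html>"
RAW_HTTP = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Content-Type: text/html\r\n\r\n"
) + gzip.compress(BODY)


def contains(value, needle):
    """Stand-in for a 'contains' FvalueCmpFunc: substring test on bytes."""
    return needle in value


def any_test(cmp, reg1, reg2):
    """Mirror of dfvm.c any_test: TRUE if any value in reg1 compares TRUE
    against any value in reg2 (cross product, first hit wins)."""
    for a in reg1:
        for b in reg2:
            if cmp(a, b):
                return True
    return False


def decompress_http_body(raw):
    """Hypothetical helper: inflate a gzip-encoded HTTP body, or None if the
    message is not gzip-encoded or the body is corrupt."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or b"content-encoding: gzip" not in head.lower():
        return None
    try:
        return gzip.decompress(body)
    except (OSError, EOFError):
        return None


def http_contains(raw, needle, with_decompressed):
    """Hypothetical 'http contains needle': the http register holds the raw
    message; with_decompressed=True models appending the inflated body to
    that register list, as the post proposes for list_a in read_tree."""
    reg_http = [raw]
    if with_decompressed:
        inflated = decompress_http_body(raw)
        if inflated is not None:
            reg_http.append(inflated)
    return any_test(contains, reg_http, [needle])
```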