In the case you've given, you can just filter for the value of myprotocol.type, like filtering for myprotocol.type == 4. However, suppose that you're talking about a case where you don't add a field like that.

You can't filter for subtrees. But you can filter for the node that is the root of a subtree, which is what you want.

In a C dissector, when you add a subtree to a tree (proto_tree_add_subtree), what it really does is create a special text-only node (of type FT_NONE) that cannot be filtered, and then adds a subtree underneath. To effectively filter for a subtree in a C dissector, you register an FT_NONE field, add that to the tree, and then add a subtree underneath (proto_tree_add_item() with the FT_NONE, and then proto_item_add_subtree(tree_item, ett)). Doing it that way, while sometimes more work, creates an item you can filter (and also has other good effects like making JSON or XML output more consistent). That item doesn't have a value, so you can only filter for its existence. (If you want to filter for value, like for the byte it contains, it can be added as an FT_BYTES, possibly with NO_DISPLAY_VALUE set.)

In Lua, you would do something similar. Register a ProtoField.none called Message_Type_4_Subtree, and add that to the tree. Then add child items under it. E.g.,

mySubtreeField4 = ProtoField.none("myProtocol.message_type_4_subtree", "Message Type 4")
...
elseif type == 4 then
      -- Add the FT_NONE item; it roots the subtree and can be filtered by existence
      local new_subtree = subtree:add(mySubtreeField4, buffer())
      -- add_le() returns a TreeItem, so no :le_uint() call is chained onto it
      new_subtree:add_le(myField3, buffer(1,1))
      new_subtree:add_le(myField4, buffer(2,1))
end
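
The approach from the answer above as a complete, loadable Lua dissector. This is an added example, not code from the original post: the protocol name, field names, UDP port 9999 and the three-byte message layout (type byte, then two one-byte fields) are assumptions chosen for illustration.

```lua
-- Added example; every name, the port and the message layout are assumptions.
local myproto = Proto("myprotocol", "My Protocol")

local f_type   = ProtoField.uint8("myprotocol.type", "Message Type", base.DEC)
-- FT_NONE field that will root the subtree; it has no value, only existence.
local f_msg4   = ProtoField.none("myprotocol.message_type_4_subtree", "Message Type 4")
local f_field3 = ProtoField.uint8("myprotocol.field3", "Field 3", base.DEC)
local f_field4 = ProtoField.uint8("myprotocol.field4", "Field 4", base.DEC)

-- Fields must be registered on the Proto before they can be added or filtered.
myproto.fields = { f_type, f_msg4, f_field3, f_field4 }

function myproto.dissector(buffer, pinfo, tree)
    if buffer:len() < 1 then
        return 0                      -- nothing to dissect
    end
    pinfo.cols.protocol = "MYPROTOCOL"

    local subtree = tree:add(myproto, buffer())
    subtree:add(f_type, buffer(0, 1))
    local msg_type = buffer(0, 1):uint()

    if msg_type == 4 then
        -- Guard the range before slicing; a short packet would otherwise raise an error.
        if buffer:len() < 3 then
            subtree:add_expert_info(PI_MALFORMED, PI_ERROR, "Message type 4 truncated")
            return buffer:len()
        end
        -- Adding the FT_NONE field returns a TreeItem that can hold children,
        -- so the filterable item and the subtree root are the same node.
        local msg4 = subtree:add(f_msg4, buffer(1, 2))
        msg4:add(f_field3, buffer(1, 1))
        msg4:add(f_field4, buffer(2, 1))
    end
    return buffer:len()
end

-- Assumed transport binding for the example.
DissectorTable.get("udp.port"):add(9999, myproto)
```

With this loaded, the display filter myprotocol.message_type_4_subtree matches every packet in which that subtree was added, independent of whether a type field exists.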