| 1 | initial version |
This is a libpcap issue, so it's not really Wireshark-related.
The libpcap filter language, which is documented in the pcap-filter man page, supports ip filter vrrp, for example, but doesn't support ip filter l2tp, as the lexical analyzer in libpcap treats vrrp as a protocol filter by itself, i.e., you can say just vrrp as a filter expression, but doesn't treat l2tp as a protocol filter by itself, so you can't say just l2tp as a filter expression.
Names that can be used as filters by themselves have to be "escaped" with a leading backslash when used as a protocol name for ip proto, but names that can't be used as filters by themselves don't have to be escaped.
Thus:
- vrrp is a filter by itself;
- ip filter vrrp is not legal, but ip filter \vrrp is;
- l2tp is not a filter by itself;
- ip filter l2tp is legal, as is ip filter \l2tp.

There is no underlying reason for this, but one problem with making l2tp by itself a filter is that it'd make ip filter l2tp not a valid filter, so it might break backwards compatibility.
It might be that the filter grammar could be changed to allow ip filter vrrp to be valid, if that doesn't make the correct parsing of that filter ambiguous. That would complicate the grammar but simplify the user experience, which I, at least, would consider to be a worthwhile tradeoff.
Please file an enhancement request for this on the libpcap issues list. (That will require a GitHub account.)
| 2 | No.2 Revision |
This is a general libpcap issue, rather than a Wireshark-specific issue.
The libpcap filter language, which is documented in the pcap-filter man page, supports ip filter vrrp, for example, but doesn't support ip filter l2tp, as the lexical analyzer in libpcap treats vrrp as a protocol filter by itself, i.e., you can say just vrrp as a filter expression, but doesn't treat l2tp as a protocol filter by itself, so you can't say just l2tp as a filter expression.
Names that can be used as filters by themselves have to be "escaped" with a leading backslash when used as a protocol name for ip proto, but names that can't be used as filters by themselves don't have to be escaped.
Thus:
- vrrp is a filter by itself;
- ip filter vrrp is not legal, but ip filter \vrrp is;
- l2tp is not a filter by itself;
- ip filter l2tp is legal, as is ip filter \l2tp.

There is no underlying reason for this, but one problem with making l2tp by itself a filter is that it'd make ip filter l2tp not a valid filter, so it might break backwards compatibility.
It might be that the filter grammar could be changed to allow ip filter vrrp to be valid, if that doesn't make the correct parsing of that filter ambiguous. That would complicate the grammar but simplify the user experience, which I, at least, would consider to be a worthwhile tradeoff.
Please file an enhancement request for this on the libpcap issues list. (That will require a GitHub account.)