Ask Your Question

Is there a limitation in the filter length

asked 2020-04-24 16:50:29 +0000

anothershark gravatar image

Hi all! Is there any kind of limitation when it comes to filters (also color filters)? Thanks to MS I currently have a filter with more than 18k chars. Wireshark is not complaining but I'd like to make sure nothing get's lost.... Cheers Andreas

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2020-04-24 20:20:35 +0000

Chuckc gravatar image

updated 2020-04-24 20:55:30 +0000

A "vintage" answer from 2012.

There is the dftest command for testing display filters.

Shell script to make a long test filter.


# chuckc - Fri Apr 24 14:53:58 CDT 2020
# Make a very long display filter

echo -n "(ip or tcp or udp or "

while [ $INDEX -lt 1000 ]
echo -n "frame contains \"$INDEX data: 123456789abcdefghijklmnopqrstuvwxyz\" or "
    INDEX=`expr $INDEX + 1`

echo "frame contains \"$INDEX EOF: 123456789abcdefghijklmnopqrstuvwxyz\")"

Save output to a file then read into dftest:

$ ./make_dfilter_long > dfilter.long
$ dftest `cat ./dfilter.long` | tail -10
04000 ANY_CONTAINS      reg#0 contains reg#999
04001 IF-TRUE-GOTO      4009
04002 READ_TREE         frame -> reg#0
04003 IF-FALSE-GOTO     4009
04004 ANY_CONTAINS      reg#0 contains reg#1000
04005 IF-TRUE-GOTO      4009
04006 READ_TREE         frame -> reg#0
04007 IF-FALSE-GOTO     4009
04008 ANY_CONTAINS      reg#0 contains reg#1001
04009 RETURN
edit flag offensive delete link more


Hi Bubba, thnx for the answer but it refers to an 8y old version and there have been some more in the meanwhile and I don't want to guess if this is still true or not.

Is there anyone from the Devel side who could let me know about the STRG-VAR-Side?

I'm also coding but not C(++) so I don't know anything about the Size of the Var used and how this is handled in WS.

As mentioned before I do not see any complains from WS but I need to to be sure that the whole String get's evaluated.

Not being on the safe side means not knowing anything - and guessing is unacceptable, especially when it comes to deep dives.

Many Thanks!

Cheers Andreas

anothershark gravatar imageanothershark ( 2020-04-24 21:02:36 +0000 )edit

Doesn't seem to be a fixed array length - grow buffer if not big enough.

    if (filt_expr_index >= filt_expr_len) {
    /* Filter expressioin buffer isn't long enough; double its length. */
      filt_expr_len *= 2;
      filt_expr = (char *)g_realloc(filt_expr, filt_expr_len + 1)
Chuckc gravatar imageChuckc ( 2020-04-24 21:04:45 +0000 )edit

Source is available here

Chuckc gravatar imageChuckc ( 2020-04-24 21:09:05 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2020-04-24 16:50:29 +0000

Seen: 256 times

Last updated: Apr 24 '20