Ask Your Question
0

Is there a limitation in the filter length

asked 2020-04-24 16:50:29 +0000

anothershark gravatar image

Hi all! Is there any kind of limitation when it comes to filters (also color filters)? Thanks to MS I currently have a filter with more than 18k chars. Wireshark is not complaining but I'd like to make sure nothing get's lost.... Cheers Andreas

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-04-24 20:20:35 +0000

Chuckc gravatar image

updated 2020-04-24 20:55:30 +0000

A "vintage" answer from 2012.

There is the dftest command for testing display filters.

Shell script to make a long test filter. 

#!/bin/sh

# chuckc - Fri Apr 24 14:53:58 CDT 2020
# Make a very long display filter

echo -n "(ip or tcp or udp or "

INDEX=0
while [ $INDEX -lt 1000 ]
do
echo -n "frame contains \"$INDEX data: 123456789abcdefghijklmnopqrstuvwxyz\" or "
    INDEX=`expr $INDEX + 1`
done

echo "frame contains \"$INDEX EOF: 123456789abcdefghijklmnopqrstuvwxyz\")"

Save output to a file then read into dftest:

$ ./make_dfilter_long > dfilter.long
$ dftest `cat ./dfilter.long` | tail -10
04000 ANY_CONTAINS      reg#0 contains reg#999
04001 IF-TRUE-GOTO      4009
04002 READ_TREE         frame -> reg#0
04003 IF-FALSE-GOTO     4009
04004 ANY_CONTAINS      reg#0 contains reg#1000
04005 IF-TRUE-GOTO      4009
04006 READ_TREE         frame -> reg#0
04007 IF-FALSE-GOTO     4009
04008 ANY_CONTAINS      reg#0 contains reg#1001
04009 RETURN
$
edit flag offensive delete link more

Comments

Hi Bubba, thnx for the answer but it refers to an 8y old version and there have been some more in the meanwhile and I don't want to guess if this is still true or not.

Is there anyone from the Devel side who could let me know about the STRG-VAR-Side?

I'm also coding but not C(++) so I don't know anything about the Size of the Var used and how this is handled in WS.

As mentioned before I do not see any complains from WS but I need to to be sure that the whole String get's evaluated.

Not being on the safe side means not knowing anything - and guessing is unacceptable, especially when it comes to deep dives.

Many Thanks!

Cheers Andreas

anothershark gravatar imageanothershark ( 2020-04-24 21:02:36 +0000 )edit

Doesn't seem to be a fixed array length - grow buffer if not big enough.

ui/filter_files.c
    -------------------------
    if (filt_expr_index >= filt_expr_len) {
    /* Filter expressioin buffer isn't long enough; double its length. */
      filt_expr_len *= 2;
      filt_expr = (char *)g_realloc(filt_expr, filt_expr_len + 1)
    }
Chuckc gravatar imageChuckc ( 2020-04-24 21:04:45 +0000 )edit

Source is available here

Chuckc gravatar imageChuckc ( 2020-04-24 21:09:05 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2020-04-24 16:50:29 +0000

Seen: 240 times

Last updated: Apr 24 '20

Related questions

Capture incoming packets from remote web server

Localhost capturing

How to filter out TCP retransmissions

My UDP packets aren't showing

Using tshark filters to extract only interesting traffic from 12GB trace

Capture Filters - SSL Handshake or HEX

Is it possible to test a capture filter with already captured traffic?

How to capture UDP traffic and not NBNS traffic?

What is the udp.length display filter actually for?

How would I map this display filter to a capture filter?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2