How to filter by item?

I developed a proprietary dissector and a packet contains several messages.

proto_body = proto_register_protocol("Body", "BODY", "body");

For each message, I add:

proto_item *ti_body = proto_tree_add_item(tree, proto_body, tvb, HEADER_SIZE, length-4, ENC_NA);
proto_tree *tree_body = proto_item_add_subtree(ti_body, ett_body);

Nevertheless, when I filter, it filters on what a packet contains.

If each message has name and family fields, doing body.name==alex && body.family==human, it will filter all the packets containing these 2 conditions, but not in the same item.

Let's say it would accept a packet with 2 messages:

[0]
name=marcus
family=human  --> condition OK
[1]
name=alex
family=cat  --> condition OK

But I want it to filter only if the conditions are true in a single message.

[0]
name=alex  --> condition OK
family=cat  --> condition OK

Regards,
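
The behaviour described in the question, as an added example that is not part of the original post and not Wireshark code: a small stand-alone C model in which each comparison is true if any instance of the field in the packet matches, next to the per-message check the question asks for. The struct, the function names and the sample packets are assumptions built from the two listings above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One dissected message with the two fields named in the question. */
struct msg { const char *name; const char *family; };

/* Constructed sample packets, copied from the question's two listings. */
static const struct msg pkt_split[]  = { {"marcus", "human"}, {"alex", "cat"} };
static const struct msg pkt_single[] = { {"alex", "cat"} };

/* Packet-wide semantics: each comparison succeeds if ANY instance of the
 * field in the packet matches; the two results are then ANDed together. */
bool match_packet_wide(const struct msg *m, size_t n,
                       const char *name, const char *family)
{
    bool any_name = false, any_family = false;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(m[i].name, name) == 0)     any_name = true;
        if (strcmp(m[i].family, family) == 0) any_family = true;
    }
    return any_name && any_family;
}

/* Per-message semantics: both comparisons must hold inside one message. */
bool match_same_message(const struct msg *m, size_t n,
                        const char *name, const char *family)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(m[i].name, name) == 0 && strcmp(m[i].family, family) == 0)
            return true;
    }
    return false;
}

int main(void)
{
    /* name==alex && family==human on the two-message packet */
    printf("packet-wide:  %d\n", match_packet_wide(pkt_split, 2, "alex", "human"));
    printf("same message: %d\n", match_same_message(pkt_split, 2, "alex", "human"));
    /* name==alex && family==cat on the single-message packet */
    printf("same message: %d\n", match_same_message(pkt_single, 1, "alex", "cat"));
    return 0;
}
```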
