Home page logo
/

wireshark logo Wireshark mailing list archives

Re: Polling for possible reasons why the 'filter name' does not work
From: DbdM Tbt <spin.x2k () gmail com>
Date: Thu, 29 Aug 2013 10:22:47 +0800

Good day Gilbert,

Thank you for your reply.
I would just like to add additional information (forgot to include them
last night):
1. used the latest stable release (1.10.1)
2. same behavior observed in windows xp 32bit (vs2010) and centos 6.4
32bit/64bit.
3. dissector dissects successfully.
4. protocol seems to be registered as it can be seen in 'Analyze'->'Enabled
Protocols'
5. filter name shows in the drop down selection in the display filter combo
box

I also just ran 'tshark -G protocols' and the protocol is indeed known.
Perhaps it is as you say that the protocol is matching something else.
Haven't yet tried dftest and will try it as time permits.

Thank you,
David



On Thu, Aug 29, 2013 at 5:15 AM, Gilbert Ramirez <gram () alumni rice edu>wrote:

The protocol filter name checks for the existence of the protocol entry in
the proto_tree data structure hierarchy.

This is done with proto_tree_add_item(), as in this example from
packet-ip.c :

ti = proto_tree_add_item(tree, proto_ip, tvb, offset, hlen, ENC_NA)

Could it be that your "proto_ABC" was not added to the tree in this way?
Or, maybe the value that was assigned to your protocol via
proto_register_protocol() changed during execution?

As a test, compile "dftest" and run dftest with your protocol name, and
see what the "display filter virtual machine" opcodes will be. Maybe your
protocol name is matching something else?

Also,  you can run: "tshark -G protocols" to see if your protocol really
is known.

Gilbert


On Wed, Aug 28, 2013 at 8:55 AM, DbdM Tbt <spin.x2k () gmail com> wrote:

Good day to all,

I have been trying to figure out a behavior for a while now where the
'filter name' (third parameter of proto_register_protocol() function) does
not filter the captured messages.
For a brief background, I am studying/using an existing openflow
dissector:
https://github.com/CPqD/ofdissector

I have scanned the README.developer and from looking at the ofdissector
code, everything seems to be in order.

At first I thought that the 'filter name' should be the same as the first
'prefix' of the display filters registered in hf_register_info
declarations. Meaning if the display filters are like 'abc.yyy.xxx', the
filter name should be 'abc'.
But I think this does not necessarily need to be the case as I tried
changing the prefixes in another of my dissectors and the filter name seems
to work fine.

Does anyone have any possible leads/reasons/hypothesis as to where should
I be looking to fix this?

Thank you in advance.

Best regards,
David



___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org
?subject=unsubscribe



___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org
?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault