
List:       wireshark-dev
Subject:    Re: [Wireshark-dev] How is the protocol display filter name determined?
From:       Michael Lum <michael.lum () starsolutions ! com>
Date:       2016-03-25 2:45:37
Message-ID: 053D39D3D76C474EB2D2A284AA6BA31801461D64B21D () COLOSSEXCH01 ! starsolutions ! com

Thank you very much Michael.

That was exactly the issue.

________________________________
From: wireshark-dev-bounces@wireshark.org [mailto:wireshark-dev-bounces@wireshark.org] On Behalf Of Michael Mann
Sent: March-24-16 5:09 PM
To: wireshark-dev@wireshark.org
Subject: Re: [Wireshark-dev] How is the protocol display filter name determined?

The protocol display filter works like all filters. It has to be used in a proto_tree_add_xxx call to be used as a filter. What you may be confused by is that the protocol identifier (proto_fapi) can also be passed like an hf_ field is.

Typically the first proto_tree_add_item call in a dissector is for the protocol. For example

ti = proto_tree_add_item(tree, proto_fapi, tvb, 0, -1, ENC_NA);   /* protocol item covering the whole packet (offset 0, length -1) */
subtree = proto_item_add_subtree(ti, ett_fapi);                   /* every other field is added under this subtree */

with all other tree items called using subtree. This is why it appears any packet involving the protocol works with the protocol filter.



-----Original Message-----
From: Michael Lum <michael.lum@starsolutions.com>
To: wireshark-dev <wireshark-dev@wireshark.org>
Sent: Thu, Mar 24, 2016 6:27 pm
Subject: [Wireshark-dev] How is the protocol display filter name determined?

Hi,

I have a custom plugin building with the Wireshark 2.0.2 source on Windows 7, using cmake.

For the most part the plugin works correctly.

Display filters on particular items appear to work.

However, when I try to use just the protocol name to filter I don't get any packets.
But if I clear the display filter the packets are there.

The protocol is called FAPI.

This is used to register the protocol.

    proto_fapi = proto_register_protocol("FAPI", "FAPI", "fapi");

The packets come on a particular UDP port.

If I start a capture I can see the packets and the PROTOCOL column says FAPI.

When I enter "fapi" in the display filter field and hit apply everything disappears.

A display filter like this:

fapi.FAPI_subFrameIndication_st.sf

works correctly.

Any ideas on where I should look?
I've tried rebuilding everything from scratch but end up with the same results.

Thank you


From "About":
===================================================================================
Version 2.0.2-StarSolutions (SVN Rev Unknown from unknown)

Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.23, with Cairo 1.12.16, with Pango 1.36.8, with
WinPcap (4_1_3), with libz 1.2.8, with GLib 2.42.0, with SMI 0.4.8, with c-ares
1.9.1, with Lua 5.2, with GnuTLS 3.2.15, with Gcrypt 1.6.2, with MIT Kerberos,
with GeoIP, with PortAudio V19-devel (built Mar 24 2016), with AirPcap.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with locale
English_Canada.1252, with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980),
based on libpcap version 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.2.15,
with Gcrypt 1.6.2, with AirPcap 4.1.0 build 1622.
Intel(R) Core(TM) i7-5500U CPU @ 2.40GHz (with SSE4.2), with 7926MB of physical
memory.

Built using Microsoft Visual C++ 12.0 build 31101
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe
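The rule Michael Mann states above (the bare protocol filter only matches packets in which the protocol item itself was added to the tree) as an added example, written for this page and not taken from the thread or from the FAPI plugin. It is a Lua dissector rather than a C plugin because the Lua API has the same shape: Proto(...) plays the role of proto_register_protocol(), and adding the Proto object to the tree is the equivalent of the proto_tree_add_item(tree, proto_fapi, ...) call. The UDP port number, the one-byte field layout and the field label are assumptions made for the example; only the filter name "fapi" and the field name fapi.FAPI_subFrameIndication_st.sf come from the thread.

```lua
-- Added example (not from the thread or the FAPI plugin).
-- Demonstrates why "fapi" as a display filter matches nothing unless the
-- protocol item itself is added to the tree, while "fapi.<field>" still works.

-- Hypothetical port: the thread only says "a particular UDP port".
local FAPI_UDP_PORT = 9999

-- Registers the protocol: Lua counterpart of
--   proto_fapi = proto_register_protocol("FAPI", "FAPI", "fapi");
-- The first argument is the display-filter name, the second the description.
local fapi_proto = Proto("fapi", "FAPI")

-- One field under the protocol, using the field name seen in the thread.
-- The one-byte layout and the label are assumptions for this example.
local f_sf = ProtoField.uint8("fapi.FAPI_subFrameIndication_st.sf",
                              "Subframe index", base.DEC)
fapi_proto.fields = { f_sf }

function fapi_proto.dissector(tvb, pinfo, tree)
    -- The PROTOCOL column is independent of the tree; it reads FAPI either way.
    pinfo.cols.protocol = "FAPI"

    -- This is the line the original plugin was missing. Adding the Proto
    -- object to the tree is what makes the bare filter "fapi" true for the
    -- packet. C equivalent:
    --   ti = proto_tree_add_item(tree, proto_fapi, tvb, 0, -1, ENC_NA);
    --   subtree = proto_item_add_subtree(ti, ett_fapi);
    local subtree = tree:add(fapi_proto, tvb(), "FAPI")

    -- All further fields hang off the protocol's subtree, not off the root.
    if tvb:len() >= 1 then
        subtree:add(f_sf, tvb(0, 1))
    end
end

-- The broken shape, for contrast (keep only one of the two definitions):
-- fields are added straight to the root tree, so "fapi.FAPI_subFrameIndication_st.sf"
-- matches but "fapi" does not, exactly the symptom described in the thread.
--
-- function fapi_proto.dissector(tvb, pinfo, tree)
--     pinfo.cols.protocol = "FAPI"
--     tree:add(f_sf, tvb(0, 1))   -- field present, protocol item absent
-- end

-- Hook the dissector to the (assumed) UDP port.
DissectorTable.get("udp.port"):add(FAPI_UDP_PORT, fapi_proto)
```

To check the behaviour without the GUI, load the script on the command line, for example with tshark -X lua_script:fapi.lua -r capture.pcap -Y fapi: with the tree:add(fapi_proto, ...) line present the FAPI packets are listed, and with the commented-out variant in its place the same command prints nothing even though -Y fapi.FAPI_subFrameIndication_st.sf still lists them.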

