kfor...@nhhancocks.net wrote:
> I think I'm missing something pretty basic on dissectors around reusing
> subsets of a protocol vs. the need to enumerate everything in the hf[]
> array.
[...]
> and I'd just parse through field-by-field, however this gets incredibly
> unwieldy as the number of messages and reuse of structures increases.
> What I want to do:
>
> proto_tree_add_item(hf_foo_type, ..);
> switch (message)
> {
>     case init:
>         proto_tree_add_item(hf_foo_init_count, ...);
>         foo_add_payload(...);
>         break;
>     case send:
>         proto_tree_add_item(hf_foo_send_index, ...);
>         foo_add_payload(...);
>         break;
> }
>
> When I want to filter messages for a specific payload length, I'd want
> to be able to search for foo.init.payload.length or
> foo.send.payload.length -- but I'm not sure how the payload.length gets
> added to the parent tree.

Well, if you want 2 different filters ("foo.init.payload.length" and
"foo.send.payload.length") then you'll need 2 hf_ entries. How you do that
is up to you; following the above code you could pass the message type down
to foo_add_payload() and switch on the message type again or else pass in
the hf_ entry(ies) to be used in add_payload, e.g.:

    case send:
        proto_tree_add_item(hf_foo_send_index, ...);
        foo_add_payload(hf_foo_send_payload_length, ...);

That gets unwieldy too, of course.

In my experience a better approach is to leave the user in control: if they
want to filter on payload length then they use "foo.payload.length". If
they want to only filter on "send" payload lengths then they do
"foo.type==send && foo.payload.length==<whatever>".
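
The single-field approach from the reply, as an added example that is not part of the original message or of Wireshark's own code. It is written as a Wireshark Lua dissector rather than C so it loads without building a plugin. The wire layout (1-byte type, 2-byte count or index, 2-byte payload length, then payload), the type values and the UDP port are assumptions.

```lua
-- Added example: layout, type values and port below are assumed, not from the thread.
local foo = Proto("foo", "Foo Protocol")

local TYPE_INIT, TYPE_SEND = 1, 2
local type_names = { [TYPE_INIT] = "init", [TYPE_SEND] = "send" }

-- One registered field per filter name. The payload fields are registered
-- once and shared by every message type that carries a payload.
local f_type        = ProtoField.uint8("foo.type", "Type", base.DEC, type_names)
local f_init_count  = ProtoField.uint16("foo.init.count", "Count", base.DEC)
local f_send_index  = ProtoField.uint16("foo.send.index", "Index", base.DEC)
local f_payload_len = ProtoField.uint16("foo.payload.length", "Payload Length", base.DEC)
local f_payload     = ProtoField.bytes("foo.payload.data", "Payload")
foo.fields = { f_type, f_init_count, f_send_index, f_payload_len, f_payload }

-- Shared helper: a 2-byte length followed by that many bytes of data.
local function add_payload(tvb, offset, tree)
    if tvb:len() < offset + 2 then return offset end
    local len = tvb(offset, 2):uint()
    tree:add(f_payload_len, tvb(offset, 2))
    offset = offset + 2
    -- Clamp to the captured bytes so an oversized length field cannot
    -- push the range past the end of the buffer.
    local avail = math.min(len, tvb:len() - offset)
    if avail > 0 then tree:add(f_payload, tvb(offset, avail)) end
    if avail < len then
        tree:add_expert_info(PI_MALFORMED, PI_ERROR, "Payload length exceeds packet")
    end
    return offset + avail
end

function foo.dissector(tvb, pinfo, tree)
    if tvb:len() < 3 then return 0 end
    pinfo.cols.protocol = "FOO"
    local t = tree:add(foo, tvb())
    local msg = tvb(0, 1):uint()
    t:add(f_type, tvb(0, 1))
    if msg == TYPE_INIT then
        t:add(f_init_count, tvb(1, 2))
    elseif msg == TYPE_SEND then
        t:add(f_send_index, tvb(1, 2))
    else
        return 1 -- unknown type: only the type byte is dissected
    end
    return add_payload(tvb, 3, t)
end

DissectorTable.get("udp.port"):add(40000, foo) -- assumed port
```

With this loaded, `foo.payload.length == 16` matches both message types and `foo.type == 2 && foo.payload.length == 16` narrows it to "send" messages, without a second payload-length field.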