Is there a limitation in the filter length

Hi all! Is there any kind of limitation when it comes to filters (also color filters)? Thanks to MS I currently have a filter with more than 18k chars. Wireshark is not complaining but I'd like to make sure nothing gets lost... Cheers Andreas

anothershark
asked 2020-04-24 16:50:29 +0000

1 Answer

A "vintage" answer from 2012.

There is the dftest command for testing display filters.

Shell script to make a long test filter.

#!/bin/sh

# chuckc - Fri Apr 24 14:53:58 CDT 2020
# Make a very long display filter

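# printf is used instead of "echo -n", which is not portable under /bin/sh.
printf '(ip or tcp or udp or '

INDEX=0
while [ "$INDEX" -lt 1000 ]
do
    # One "frame contains" clause per iteration, each followed by " or ".
    printf 'frame contains "%s data: 123456789abcdefghijklmnopqrstuvwxyz" or ' "$INDEX"
    INDEX=$((INDEX + 1))
done

# Final clause closes the parenthesis and ends the line.
printf 'frame contains "%s EOF: 123456789abcdefghijklmnopqrstuvwxyz")\n' "$INDEX"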

Save output to a file then read into dftest:

$ ./make_dfilter_long > dfilter.long
$ dftest `cat ./dfilter.long` | tail -10
04000 ANY_CONTAINS      reg#0 contains reg#999
04001 IF-TRUE-GOTO      4009
04002 READ_TREE         frame -> reg#0
04003 IF-FALSE-GOTO     4009
04004 ANY_CONTAINS      reg#0 contains reg#1000
04005 IF-TRUE-GOTO      4009
04006 READ_TREE         frame -> reg#0
04007 IF-FALSE-GOTO     4009
04008 ANY_CONTAINS      reg#0 contains reg#1001
04009 RETURN
$
Chuckc
answered 2020-04-24 20:20:35 +0000, updated 2020-04-24 20:55:30 +0000
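
One way to confirm that no clause of a long filter was dropped, using the dftest listing format shown in this answer. This is an added example, not part of the original answer; the function names and the script name check_dfilter.sh are illustrative, and it assumes every clause uses `contains`.

```shell
#!/bin/sh
# Added example (not from the original answer): compare the clauses in a
# filter file with the comparisons in dftest's bytecode listing.

# Count 'contains "' comparisons in a filter expression read from stdin.
# Assumption: no quoted string itself holds the text ' contains "'.
count_filter_terms() {
    awk '{ n += gsub(/ contains "/, "&") } END { print n + 0 }'
}

# Count comparison instructions in dftest output read from stdin. The opcode
# name ANY_CONTAINS comes from the listing above; other versions may differ.
count_compiled_terms() {
    awk '$2 == "ANY_CONTAINS" { n++ } END { print n + 0 }'
}

# check_filter FILTER_FILE DFTEST_OUTPUT_FILE; returns 0 when the counts match.
check_filter() {
    want=$(count_filter_terms < "$1")
    got=$(count_compiled_terms < "$2")
    echo "filter clauses: $want, compiled comparisons: $got"
    [ "$want" -eq "$got" ]
}

# Constructed sample data: a 3-clause filter and a listing in the same format.
sample_filter() {
    echo '(ip or frame contains "0 data" or frame contains "1 data" or frame contains "2 EOF")'
}
sample_bytecode() {   # $1 = number of comparisons to emit
    i=0
    while [ "$i" -lt "$1" ]; do
        printf '%05d READ_TREE         frame -> reg#0\n' $((i * 2))
        printf '%05d ANY_CONTAINS      reg#0 contains reg#%d\n' $((i * 2 + 1)) $((i + 1))
        i=$((i + 1))
    done
    printf '%05d RETURN\n' $(($1 * 2))
}

# Real use: sh check_dfilter.sh dfilter.long   (needs dftest on PATH)
if [ -n "${1:-}" ]; then
    out=$(mktemp)
    dftest "$(cat "$1")" > "$out" 2>&1
    check_filter "$1" "$out"; rc=$?
    rm -f "$out"
    exit "$rc"
fi
```

A mismatch means either that a clause did not reach the compiled filter or that the installed dftest prints different opcode names than the listing above, so check the opcode name first.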

Comments

Hi Bubba, thanks for the answer but it refers to an 8-year-old version and there have been some more in the meanwhile and I don't want to guess if this is still true or not.

Is there anyone from the Devel side who could let me know about the STRG-VAR-Side?

I'm also coding but not C(++) so I don't know anything about the Size of the Var used and how this is handled in WS.

As mentioned before I do not see any complaints from WS but I need to be sure that the whole String gets evaluated.

Not being on the safe side means not knowing anything - and guessing is unacceptable, especially when it comes to deep dives.

Many Thanks!

Cheers Andreas

anothershark (2020-04-24 21:02:36 +0000)

Doesn't seem to be a fixed array length - grow buffer if not big enough.

ui/filter_files.c
    -------------------------
    if (filt_expr_index >= filt_expr_len) {
      /* Filter expression buffer isn't long enough; double its length. */
      filt_expr_len *= 2;
      filt_expr = (char *)g_realloc(filt_expr, filt_expr_len + 1);
    }
Chuckc (2020-04-24 21:04:45 +0000)

Source is available here

Chuckc (2020-04-24 21:09:05 +0000)