author | John Thacker <johnthacker@gmail.com> | 2024-02-07 21:13:23 -0500 |
---|---|---|
committer | AndersBroman <a.broman58@gmail.com> | 2024-02-14 08:11:01 +0000 |
commit | 49540ec646333d92ab4d54fbdc7a0692a3339d1a (patch) | |
tree | 528af3ae97545273a10da857d89630a3706e9ae6 /doc/release-notes.adoc | |
parent | 19904e94aecd50c44ea5abaf9881979bd6554afa (diff) |
columns: Allow any field expression syntax to be used in columns

Allow anything that can be used in a display filter to be used in
columns (with the exception that field references don't work without
a notion of a currently selected frame): display filter functions,
slices, arithmetic calculations, logical tests, raw byte addressing,
the layer modifier, display filter macros, etc., alone or in
combination.

Show the results and generate filters. Note that "resolved" values are
not yet supported. They make conceptual sense for some expressions
(e.g., if the layer modifier only is used) but not for others.
Perhaps resolution could be done as a final step in the filter before
returning values.

It would also be useful to be able to get the expected return type
of an expression, so that the functions for right justifying a column
or sorting numerically could work. Right now the results are treated
as strings even if the return field values are numeric.

Multifield columns (i.e., concatenation of field values) are currently
implemented using the OR operator. For backwards compatibility, continue to
support that. When a true logical OR would give a different result,
surround the expression in parentheses, which the multifield columns did
not previously support (due to the regex used instead of full filter
grammar parsing.)

Perhaps in the future we should introduce a separate operator for
concatenation, possibly only used in column definitions and nowhere
else.

Update release notes.

Fix #7752. Fix #10154. Fix #15990. Fix #18588. Fix #19076.

Related to #16181 - it's now possible to define new display filter
functions so that is essentially solved, though I suppose there's
always room for more built-in functions.
Diffstat (limited to 'doc/release-notes.adoc')
-rw-r--r-- | doc/release-notes.adoc | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/doc/release-notes.adoc b/doc/release-notes.adoc index eba9950c74..185883d6ca 100644 --- a/doc/release-notes.adoc +++ b/doc/release-notes.adoc @@ -27,6 +27,10 @@ Display filter functions can be implemented as runtime-loadable C plugins. Plugin registration API was refactored. Plugin authors must update their plugins as described below. +Custom columns can be defined using any valid field expression, such as +display filter functions, slices, arithmetic calculations, logical tests, +raw byte addressing, and the layer modifier. + Many other improvements have been made. See the “New and Updated Features” section below for more details. 
@@ -97,6 +101,42 @@ The following features are new (or have been significantly updated) since versio but it is advisable to check that the "dfilter_macros" (old) and "dmacros" (new) files in the profile directory are consistent. +* Custom columns can be defined using any valid field expression: + + ** Display filter functions, like `len(tcp.payload)`, including nested functions + like `min(len(tcp.payload), len(udp.payload)` and newly defined functions + using the plugin system mentioned above. wsbuglink:15990[] wsbuglink:16181[] + + ** Arithmetic calculations, like `ip.len * 8` or `tcp.srcport + tcp.dstport`. + wsbuglink:7752[] + + ** Slices, like `tcp.payload[4:4]`. wsbuglink:10154[] + + ** The layer operator, like `ip.proto#1` to return the proto field in the + first IPv4 layer if there is tunneling. wsbuglink:18588[] + + ** Raw byte addressing, like `@ip`, useful to return the bytes of a protocol + or FT_NONE field, among others. wsbuglink:19076[] + + ** Logical tests, like `tcp.port == 443`, which produce a check mark if + the test matches (similar to protocol and none fields without `@`.) + This works with all logical operators, including e.g. regular expression + matching (`matches` or `~`.) + + ** Defined display filter macros. + + ** Any combination of the above also works. + + ** Multifield columns are still available. For backwards compatiblity, + `X or Y` is interpreted as a multifield column as before. To represent a + logical test for the presence of multiple fields instead of concatenating + values, use parenthesis, like `(tcp.options.timestamp or tcp.options.nop`. + + ** Field references are not implemented, because there's no sense of a + currently selected frame. "Resolved" column values (such as host name + resolution or value string lookup) are not supported for any of the new + expressions yet. 
+ * When selecting "Manage Interfaces" from "Capture Options", Wireshark only attempts to reconnect to rpcap (remote) hosts that were connected to in the last session, instead of every remote host that the current profile has ever |
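Review bot: The summary paragraph added in the first hunk (@@ -27,6 +27,10 @@) names the `#` syntax "the layer modifier", while the detailed list added in the second hunk calls it "The layer operator"; use one term in both places so the release notes can be searched consistently. The summary list also leaves out display filter macros, which the detailed list does include; adding "display filter macros" after "the layer modifier" would keep the two in step.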
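Review bot: Two example expressions in the second hunk (@@ -97,6 +101,42 @@) have unbalanced parentheses and will not parse if a reader copies them into a column definition: `min(len(tcp.payload), len(udp.payload)` needs a final `)`, and `(tcp.options.timestamp or tcp.options.nop` needs its closing `)`. The second one matters most, because that bullet says the parentheses are exactly what turns `X or Y` from a multifield column into a logical test. In the same bullet, "compatiblity" should read "compatibility" and "use parenthesis" should read "use parentheses".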