Display Filter Macros

Macros allow you to save on typing complex filter expressions.

Let's say we have a macro named tcp_ses defined as "(ip.addr eq $1 and ip.addr eq $2) and (tcp.port eq $3 and tcp.port eq $4)". Entering "$tcp_ses{10.10.10.10, 10.0.0.1, 1234, 4567}" would be equivalent to entering "(ip.addr eq 10.10.10.10 and ip.addr eq 10.0.0.1) and (tcp.port eq 1234 and tcp.port eq 4567)" into the display filter box.

Macros are resolved when the filter is entered, before it is compiled.

Spaces inside a macro invocation in the filter are not stripped; they are carried into the expanded filter text.

Warning: If there is a syntax error caused by the use of a macro, the error will not refer to the macro but to the expanded text.

Examples

tcp_ses
    ( (ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4) or (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3) )
net10
    10.0.0.0/8
dot_org
    $1.org

ip.addr == ${net10} becomes ip.addr == 10.0.0.0/8

http.host == "${dot_org:www.wireshark}" becomes http.host == "www.wireshark.org", but be aware that http.host == "${dot_org: www.wireshark }" becomes http.host == " www.wireshark .org", which is probably not what you want.
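
The expansion rules above, modelled in Python to show that macros are plain text substitution done before the filter is compiled, and that argument whitespace survives into the result. This is an added example, not Wireshark's own code: the function names expand and padded_args and the ";" argument separator are assumptions of this example, and the macro table is the one from the Examples above.

```python
import re

# Macro table copied from the Examples section of this page.
MACROS = {
    "tcp_ses": "( (ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4)"
               " or (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3) )",
    "net10": "10.0.0.0/8",
    "dot_org": "$1.org",
}

# Matches ${name} or ${name:args}; args run up to the closing brace.
CALL = re.compile(r"\$\{(\w+)(?::([^}]*))?\}")

def expand(filter_text, macros=MACROS):
    """Return filter_text with every ${name:args} call replaced by the macro text."""
    def one_call(m):
        name, raw = m.group(1), m.group(2)
        if name not in macros:
            raise KeyError(f"undefined macro: {name}")
        # Assumption: ';' separates arguments. Arguments are NOT stripped,
        # so surrounding spaces become part of the expanded filter.
        args = raw.split(";") if raw is not None else []
        def one_param(p):
            idx = int(p.group(1))
            if idx < 1 or idx > len(args):
                raise ValueError(f"{name}: no argument for ${idx}")
            return args[idx - 1]
        return re.sub(r"\$(\d+)", one_param, macros[name])
    return CALL.sub(one_call, filter_text)

def padded_args(filter_text):
    """List (macro, argument) pairs whose argument has leading or trailing whitespace."""
    found = []
    for m in CALL.finditer(filter_text):
        for arg in (m.group(2) or "").split(";"):
            if arg != arg.strip():
                found.append((m.group(1), arg))
    return found
```

Running padded_args over a filter before applying it flags the " www.wireshark " case, which otherwise only shows up as a filter that silently matches nothing.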

DFilterMacro (last edited 2008-04-12 17:50:40 by localhost)