Skip to content

epan: Register columns fields and make them filterable (dynamic version)

Make the text of each column a FT_STRING field that can be filtered, prefixed with _ws.col - these work in display filters, filters in taps, coloring rules, Wireshark read filters, and in the -Y, -R, and -e options to tshark. Use them as the default "Apply as Filter" value for the columns that aren't handled by anything else currently.

Because only the columns formats that actually correspond to columns get filled in (invisible columns work), register and deregister the fields when the columns change.

Currently the field name is based on the column title - but column titles can have characters not allowed in fields, including spaces and a trailing period (the default No.), and all illegal characters are replaced with _. That doesn't work so well if some has non-English column names.

This adds a number of conditions to "when are the columns needed", including when the main display filter or any filter on a tap is using one of these fields. For custom columns, the tree then has to be further primed with any fields used by the custom columns as well.

Thus for custom columns, or for a number of built-in columns, you're better off for performance reasons matching the ordinary field; it takes extra time to generate the columns and many of them are numeric types. (Note that you can always convert a non-string field to a string field if you want regex matching, consult the wireshark-filter(4) man page.) It does save a bit on typing (especially for a multifield custom column) and remembering the column title might be easier in some cases.

The columns are set before the color filters, which means that you can have a color filter that depends on a built-in column like Info or Protocol. Conversely, you can't filter on the color filter fields with a _ws.col.Custom field, but you can filter on frame.coloring_rule.name directly, so that doesn't matter.

The output format for -T fields remains the same; all that special handling is removed (except for remembering if someone asked for a column field to know that columns should be constructed.)

They're also set before the postdissectors, so postdissectors can have access.

Anything that depends on "the last packet displayed" (COL_DELTA_TIME_DIS or COL_CUMULATIVE_BYTES) doesn't work the way most people expect, for different reasons. The same is already true of color filters that use those (along with color filters that use the color filter fields.)

Fix #16576 (closed). Fix #17971 (closed). Fix #4684 (closed). Fix #13491 (closed). Fix #13941 (closed).

Edited by John Thacker

Merge request reports