First let me state that the fact that ethereal could colorize packets was highly praised at DefCon 2000.

> Jeff Foster wrote:
> >
> > I understand that the color filters in general need to have the UI
> > improved.
>
> I wrote them and I agree wholeheartedly. The UI was just an easy way to
> get things started.
>
> > But I think that popping the standard color dialog in the
> > packet list right click 'Colorize Display' option is wrong. I expect
> > a simpler dialog that will colorize the top level protocol for that
> > packet. For example if the packet selected is SMB, the filter dialog
>
> > I disagree here, though. You may want to colorize top level protocols,
> > but for me that is fairly uncommon: I want to colorize layer 3/4 stuff
> > when I'm teaching (green arp, red tcp, blue udp, etc) or specific
> > traffic (orange DNS responses from 10.4.0.2) when I'm debugging.
> >
> > would already have a filter name, for example the top protocol name,
> > the filter text would be set to the top level protocol, and the user
> > would just enter the foreground and background color information.
> I like the idea and it would be simple to use, but I don't think "top
> level protocol" is necessarily the right thing to put in there as the
> filter or name. I thought of making a name out of the protocols, but
> when I entered complex filters, generating the names was difficult.

Not to pick nits, but in my mind arp is a top level protocol. I don't mean the top of the protocol stack when I say 'top level protocol', I'm referring to the highest protocol on the stack that ethereal decoded for the packet. This short cut is just a quick and dirty "I want to highlight protocol - XXX".

> Maybe we need some way to select the important features of a packet.
> One option might be to use a method similar to Match Selected, but
> allowing selection of multiple fields (or can we do that and I just
> can't figure out how?). That puts a filter in the display filter dialog
> which could instead be put into the colorization filter dialog with
> either a bogus name or no name. If no field is selected (as is the case
> now), no filter would be entered in colorize's filter dialog and the
> user could supply one. This would allow both the current behavior and
> your desired behavior.
> I'm just back from out of the country so I don't have time to make the
> change now, but it could be made in two phases:
>
> 1) put the current selected packet field (if any) into the colorize
> dialog for the filter

I like this idea.

> 2) (if necessary) extend the field selection to multiple fields

Sounds hard. Something that extends beyond just colorize packets to complex filtering of packets based upon multiple fields and multi-selects in GTK.

My main point is that if I really want a complex filter go to the Edit->Filters menu to do it. The right click short cut is a short cut to a simpler filter that doesn't require the user to understand the details of writing a filter. Please no flames about (L)users.

Jeff Foster
jfoste@xxxxxxxxxxxx