stanford-esrg / retina

Retina is a network analysis framework that supports 100+ Gbps traffic analysis on a single server with no specialized hardware.
Apache License 2.0

Filter parsing issues #46

Open thearossman opened 1 week ago

thearossman commented 1 week ago
  1. Can't have multiple != conditions on same field in filter

Retina's filter validation marks multiple conditions on the same protocol.field as "duplicate pattern". This mistakenly marks patterns like "tcp.port != 80 and tcp.port != 100" as invalid filters.

Checking for duplicate or incompatible patterns may still be valuable, so this would ideally change/correct how fq_pattern.has_duplicate_fields() is calculated.

  2. Can't filter on boolean packet fields

For example, "tcp.syn" doesn't filter for SYN packets as it would in Wireshark, because the filter language requires that fields have values. Alternate solutions: could add "true" to the filter language (e.g. "tcp.syn = true") or change packet values to return ints (e.g., syn() returns 1).
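The two behaviours described in this issue, as an added illustration that is not part of the issue or of Retina's code: a small conjunctive filter model whose duplicate-field check accepts several "!=" conditions on one field and rejects only genuine contradictions, and whose parser accepts a bare boolean field such as "tcp.syn". All names (Op, Predicate, parse_pattern, has_conflicting_fields) are hypothetical and do not correspond to Retina's fq_pattern API.

```rust
// Added example, not Retina's own code: a minimal conjunctive filter model and
// a duplicate-field check that keeps "tcp.port != 80 and tcp.port != 100" valid
// and rejects only contradictions. All names below are hypothetical.
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Op { Eq, Ne, Flag } // field = v, field != v, bare boolean field ("tcp.syn")
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Predicate {
    pub field: String,
    pub op: Op,
    pub value: Option<u64>, // None for a Flag predicate
}

/// Parses "tcp.port != 80 and tcp.syn" into predicates; None on a malformed term.
pub fn parse_pattern(filter: &str) -> Option<Vec<Predicate>> {
    filter.split(" and ").map(|term| {
        let t: Vec<&str> = term.split_whitespace().collect();
        match t.as_slice() {
            [field] => Some(Predicate { field: field.to_string(), op: Op::Flag, value: None }),
            [field, op, value] => {
                let op = match *op { "=" => Op::Eq, "!=" => Op::Ne, _ => return None };
                let value = value.parse().ok()?;
                Some(Predicate { field: field.to_string(), op, value: Some(value) })
            }
            _ => None,
        }
    }).collect()
}

/// True only when two predicates on one field can never both hold:
/// `f = a and f = b` (a != b) or `f = a and f != a`. Repeated `f != x` is fine.
pub fn has_conflicting_fields(pattern: &[Predicate]) -> bool {
    let mut eq: HashMap<&str, u64> = HashMap::new();      // field -> required value
    let mut ne: HashMap<&str, Vec<u64>> = HashMap::new(); // field -> excluded values
    for p in pattern {
        match (p.op, p.value) {
            (Op::Eq, Some(v)) => {
                if eq.insert(&p.field, v).map_or(false, |prev| prev != v) { return true; }
                if ne.get(p.field.as_str()).map_or(false, |s| s.contains(&v)) { return true; }
            }
            (Op::Ne, Some(v)) => {
                if eq.get(p.field.as_str()) == Some(&v) { return true; }
                ne.entry(&p.field).or_default().push(v);
            }
            _ => {} // Flag predicates carry no value and cannot conflict here
        }
    }
    false
}
```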