An execution engine for Wireshark-like filters
Type Name Latest commit message Commit time
.cargo Add project-wide warning for new idioms Nov 28, 2018
engine FW-1088: add execution test for optional arguments in functions Mar 19, 2019
ffi FW-945+FW-946: add function support Mar 19, 2019
wasm Release 0.6.1 Mar 4, 2019
.gitignore
.travis.yml
Cargo.lock Release 0.6.1 Mar 4, 2019
Cargo.toml Add initial version of WASM crate Nov 22, 2018
LICENSE
README.md Move README.md into engine crate Feb 26, 2019
cfsetup-cargo.sh EGS-1186: Add WASM targets to cfsetup Nov 30, 2018
cfsetup.yaml
rust-toolchain
rustfmt.toml Fix docs and reformat comments Feb 25, 2019

README.md

Wirefilter


This is an execution engine for Wireshark®-like filters.

It contains public APIs for parsing filter syntax, compiling filters into an executable IR and, finally, executing them against provided values.

Example

use wirefilter::{ExecutionContext, Scheme, Type};

fn main() -> Result<(), failure::Error> {
    // Create a map of possible filter fields.
    let scheme = Scheme! {
        http.method: Bytes,
        http.ua: Bytes,
        port: Int,
    };

    // Parse a Wireshark-like expression into an AST.
    let ast = scheme.parse(r#"
        http.method != "POST" &&
        not http.ua matches "(googlebot|facebook)" &&
        port in {80 443}
    "#)?;

    println!("Parsed filter representation: {:?}", ast);

    // Compile the AST into an executable filter.
    let filter = ast.compile();

    // Set runtime field values to test the filter against.
    let mut ctx = ExecutionContext::new(&scheme);

    ctx.set_field_value("http.method", "GET")?;

    ctx.set_field_value(
        "http.ua",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0",
    )?;

    ctx.set_field_value("port", 443)?;

    // Execute the filter with given runtime values.
    println!("Filter matches: {:?}", filter.execute(&ctx)?); // true

    // Amend one of the runtime values and execute the filter again.
    ctx.set_field_value("port", 8080)?;

    println!("Filter matches: {:?}", filter.execute(&ctx)?); // false

    Ok(())
}
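
The three stages named above (parse against a scheme, compile, execute), sketched as a std-only toy to show why a typed scheme lets unknown fields and wrongly typed literals be rejected before anything is evaluated. This is an added example, not wirefilter's code: it handles only `==`/`!=` clauses joined by `&&`, and `Cmp`, `parse`, `compile` and `scheme` are hypothetical names with constructed sample values.

```rust
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq)]
enum Type { Bytes, Int }
#[derive(Clone, Debug, PartialEq)]
enum Value { Bytes(String), Int(i64) }

// One type-checked clause: `field == literal` or `field != literal`.
struct Cmp { field: String, negate: bool, rhs: Value }

// Stage 1: parse against the scheme. Unknown fields and literals of the
// wrong type are rejected here, before anything is executed.
fn parse(scheme: &HashMap<&str, Type>, src: &str) -> Result<Vec<Cmp>, String> {
    src.split("&&").map(|clause| -> Result<Cmp, String> {
        let t: Vec<&str> = clause.split_whitespace().collect();
        if t.len() != 3 { return Err(format!("malformed clause: {:?}", clause)); }
        let ty = *scheme.get(t[0]).ok_or_else(|| format!("unknown field: {}", t[0]))?;
        let negate = match t[1] {
            "==" => false, "!=" => true,
            op => return Err(format!("unsupported operator: {}", op)),
        };
        let rhs = match ty {
            Type::Int => Value::Int(t[2].parse::<i64>()
                .map_err(|_| format!("{} expects an Int literal", t[0]))?),
            Type::Bytes => Value::Bytes(t[2].strip_prefix('"')
                .and_then(|s| s.strip_suffix('"'))
                .ok_or_else(|| format!("{} expects a quoted string", t[0]))?.to_string()),
        };
        Ok(Cmp { field: t[0].to_string(), negate, rhs })
    }).collect()
}

// Stages 2 and 3: compile to a closure, then call it; a missing field fails the clause.
fn compile(ast: Vec<Cmp>) -> Box<dyn Fn(&HashMap<&str, Value>) -> bool> {
    Box::new(move |ctx: &HashMap<&str, Value>| ast.iter().all(|c| {
        ctx.get(c.field.as_str()).map_or(false, |v| (*v == c.rhs) != c.negate)
    }))
}

// Constructed sample scheme reusing two field names from the README example.
fn scheme() -> HashMap<&'static str, Type> {
    vec![("http.method", Type::Bytes), ("port", Type::Int)].into_iter().collect()
}

fn main() {
    let filter = compile(parse(&scheme(), r#"http.method != "POST" && port == 443"#).unwrap());
    let ctx: HashMap<&str, Value> =
        vec![("http.method", Value::Bytes("GET".into())), ("port", Value::Int(443))].into_iter().collect();
    println!("matches: {}", filter(&ctx));
}
```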

Licensing

Licensed under the MIT license. See the LICENSE file for details.
