An execution engine for Wireshark-like filters

This is an execution engine for Wireshark®-like filters.

It contains public APIs for parsing filter syntax, compiling it into an executable IR and, finally, executing filters against provided values.


```rust
use wirefilter::{ExecutionContext, Scheme, Type};

fn main() -> Result<(), failure::Error> {
    // Create a map of possible filter fields.
    let scheme = Scheme! {
        http.method: Bytes,
        // User-agent field; the name `http.ua` is assumed.
        http.ua: Bytes,
        port: Int,
    };

    // Parse a Wireshark-like expression into an AST.
    let ast = scheme.parse(r#"
        http.method != "POST" &&
        not http.ua matches "(googlebot|facebook)" &&
        port in {80 443}
    "#)?;

    println!("Parsed filter representation: {:?}", ast);

    // Compile the AST into an executable filter.
    let filter = ast.compile();

    // Set runtime field values to test the filter against.
    let mut ctx = ExecutionContext::new(&scheme);

    ctx.set_field_value("http.method", "GET")?;

    ctx.set_field_value(
        "http.ua",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0",
    )?;

    ctx.set_field_value("port", 443)?;

    // Execute the filter with given runtime values.
    println!("Filter matches: {:?}", filter.execute(&ctx)?); // true

    // Amend one of the runtime values and execute the filter again.
    ctx.set_field_value("port", 8080)?;

    println!("Filter matches: {:?}", filter.execute(&ctx)?); // false

    Ok(())
}
```


Licensed under the MIT license. See the LICENSE file for details.
