1 unstable release
Uses old Rust 2015
0.6.1 | March 4, 2019 |
---|
#12 in #wireshark
39 downloads per month
100KB
2.5K SLoC
Wirefilter
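This is an execution engine for Wireshark-like filters.
It contains public APIs for parsing filter syntax, compiling filters into an executable IR and, finally, executing them against provided values.
Example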
```rust
use wirefilter::{ExecutionContext, Scheme, Type};

fn main() -> Result<(), failure::Error> {
    // Create a map of possible filter fields.
    let scheme = Scheme! {
        http.method: Bytes,
        http.ua: Bytes,
        port: Int,
    };

    // Parse a Wireshark-like expression into an AST.
    let ast = scheme.parse(r#"
        http.method != "POST" &&
        not http.ua matches "(googlebot|facebook)" &&
        port in {80 443}
    "#)?;

    println!("Parsed filter representation: {:?}", ast);

    // Compile the AST into an executable filter.
    let filter = ast.compile();

    // Set runtime field values to test the filter against.
    let mut ctx = ExecutionContext::new(&scheme);

    ctx.set_field_value("http.method", "GET")?;

    ctx.set_field_value(
        "http.ua",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0",
    )?;

    ctx.set_field_value("port", 443)?;

    // Execute the filter with given runtime values.
    println!("Filter matches: {:?}", filter.execute(&ctx)?); // true

    // Amend one of the runtime values and execute the filter again.
    ctx.set_field_value("port", 8080)?;

    println!("Filter matches: {:?}", filter.execute(&ctx)?); // false

    Ok(())
}
```
License
Licensed under the MIT license. See the LICENSE file for details.
Dependencies
~3.5–5.5MB
~100K SLoC