Wirefilter
This is an execution engine for Wireshark®-like filters.
It contains public APIs for parsing filter expressions, compiling the parsed
filters into an executable IR and, finally, executing them against provided values.
Example
use wirefilter::{ExecutionContext, Scheme, Type};
/// Walks through the whole pipeline once: declare a scheme, parse a filter
/// against it, compile the parsed form, then run it against two sets of
/// field values.
///
/// Every fallible step (parsing, setting a field value, executing) returns a
/// `Result` that is propagated to the caller with `?`, so a failure ends the
/// example instead of being ignored.
fn main() -> Result<(), failure::Error> {
    // The scheme declares the fields a filter can be parsed against and the
    // type of each one.
    let fields = Scheme! {
        http.method: Bytes,
        http.ua: Bytes,
        port: Int,
    };

    // Filter source text. The raw-string lines are deliberately left at
    // column 0 so the text handed to the parser is kept exactly as written.
    let filter_text = r#"
http.method != "POST" &&
not http.ua matches "(googlebot|facebook)" &&
port in {80 443}
"#;

    let parsed = fields.parse(filter_text)?;
    println!("Parsed filter representation: {:?}", parsed);

    // Compile once; the compiled filter is executed twice below.
    let compiled = parsed.compile();

    // Values for one request; the context is created from the same scheme
    // the filter was parsed with.
    let mut request = ExecutionContext::new(&fields);
    let user_agent =
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0";
    request.set_field_value("http.method", "GET")?;
    request.set_field_value("http.ua", user_agent)?;
    request.set_field_value("port", 443)?;

    // Port 443 is in the set {80 443}, so with the values above the
    // expression is expected to evaluate to true.
    let first_verdict = compiled.execute(&request)?;
    println!("Filter matches: {:?}", first_verdict);

    // Only the port changes; 8080 is not in the set, so the expected result
    // is false.
    request.set_field_value("port", 8080)?;
    let second_verdict = compiled.execute(&request)?;
    println!("Filter matches: {:?}", second_verdict);

    Ok(())
}
Licensing
Licensed under the MIT license. See the LICENSE file for details.