Wireshark-dev: Re: [Wireshark-dev] Query on Field Registration
Hello

I would like to clarify once again my query. I have no problems in setting up trees and subtrees in dissect_function(). Well, let's say we have two messages, Message1 and Message2, with a common field "Field" which in turn has one more subfield "subfield". So now, in the present situation which I am aware of, we register the fields as:

CASE1:

    { &hf_protocol_Message1_Field_subfield,
      { "Message1_Field_subfield", "Message1.Field.subfield", FT_UINT16,
        BASE_DEC_HEX, NULL, 0x0, "Message subfield", HFILL } },
    { &hf_protocol_Message2_Field_subfield,
      { "Message2_Field_subfield", "Message2.Field.subfield", FT_UINT16,
        BASE_DEC_HEX, NULL, 0x0, "Message subfield", HFILL } }

But instead of doing this I register the field and subfield separately as:

CASE2:

    { &hf_protocol_Field,
      { "Field", "Field", FT_UINT16,
        BASE_DEC_HEX, NULL, 0x0, "Field", HFILL } },
    { &hf_protocol_subField,
      { "subField", "subField", FT_UINT16,
        BASE_DEC_HEX, NULL, 0x0, "subField", HFILL } }

And then in the dissect function I do the formation of tree and subtree:

    /* Tree for Field */
    Ti = proto_tree_add_item(tree, hf_protocol_Field, tvb, offset, size, FALSE);
    /* The second argument is an ett_ subtree index (registered with
       proto_register_subtree_array), not the hf_ field index. */
    subtree = proto_item_add_subtree(Ti, ett_protocol_Field);
    ti = proto_tree_add_item(subtree, hf_protocol_subField, tvb, offset, size, FALSE);

so that in the details pane it is displayed as

    Protocol+
      Field+
        subfield

for message1 and message2. But when I go in the expression window under my Protocol it shows as

    Protocol+
      Field
      Subfield

which I don't want, but rather I want it to be like:

    Protocol+
      Field+
        Subfield

So that if the user wants to select/fetch all the messages having subfield == X, he should go in the expression window and not put Protocol.Field.subfield == X, but rather just go on hitting the + buttons and the subtree should appear below it, and he can set the parameter for that field and Wireshark will automatically form the expression based on the user selection of trees and subtrees. So basically I don't want to put Protocol.Field.subfield beforehand in the expression window; rather, first just Protocol will appear, then on hitting + for Protocol, Field will appear, and then on hitting + for Field, subfield should appear, and then the user can set subfield == x and in the expression bar Wireshark will automatically put the expression Protocol.Field.subfield.

I don't know whether I was successfully able to put my point across. Although I feel that this functionality is not present in Wireshark, otherwise for all other protocols the implementation would have been like that, which I cannot find; for tcp the expression which appears is Tcp.flags.urg etc. It appears as:

But I wanted it to be like:

    -tcp
       Srcport
       Destport
       Port
       -flags
          Cwr
          Ecn

Thanks
Hemant

-----Original Message-----

Hello Hemant,

I'm still not sure what you're trying to do. I'm sorry. Are you having trouble setting up the trees and subtrees? Or do you want to, when searching for a particular message type, just display those trees relating to your search? That I don't think is possible unless you add more code. Wireshark won't just do that automatically.

martin

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Kumar, Hemant
Sent: Thursday, July 03, 2008 1:31 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Query on Field Registration

Thanks Martin and Abhik!! For the replies.

But what I am actually looking for is, when the user goes for setting subfield types so as to filter messages of his interest, he should see a tree structure with subfields beneath the main field. That is, for example for tcp it should not appear as

    Tcp.flags.cwr
    Tcp.flags.ecn
    Tcp.flags.urg
    Tcp.flags.ack

and so on; rather it should appear as

    Tcp+
      Flags+
        cwr
        ecn
        urg
        ack

By clicking on the + the subtree should appear. So I don't want to register fields like ged125.service_control; rather, just register Service control, which is going to be common to several other messages, separately and then relate it to those messages in the dissect_function() while feeding the information from the tvb buffer into the field. Of course, this is possible, but then in the expression window simply appears service_control and ged125+ Service_control. Please shed some light on this aspect, whether it is possible to do this in Wireshark.

Thanks
Hemant

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Martin Corraine (mcorrain)
Sent: Thursday, July 03, 2008 5:28 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Query on Field Registration

Hello Hemant,

The ged125 protocol that I'm finishing right now has a lot of sub-messages. I would create a field registration of this message type that has several sub messages below it. So, for instance, I can search "ged125.service_control" for all those messages. Now, if I want to search for a particular service control I can search by doing this: "ged125.service_control == 20". Below is the field registration. All the various sub-types are in a value_string array. Hope this helps.

    { &hf_ged125_service_control_MessageSubvalue,
      { "Message value", "ged125.service_control", FT_UINT32, BASE_DEC,
        VALS(vals_service_control_message_subvalues), 0x0,
        "Sub-Service Control Message value", HFILL } }

-Martin

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Abhik Sarkar
Sent: Thursday, July 03, 2008 2:26 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Query on Field Registration

Hi Hemant,

As far as I know nesting of header fields is not possible... check out epan/proto.h where the field info structures are defined. What you could do is something like have:

    hf_message_type
    hf_field1
    hf_field2

Then, the display filter would be "message.type==1 && field1.value==X" or "message.type==2 && field1.value==X". You can then (in the protocol tree) nest the fields under message types by using subtrees... This is done for the protocol I am most familiar with (SMPP) and you can check in packet-smpp.c how the common DCS field is handled in a submit_sm and a data_sm.

HTH
Abhik

On Thu, Jul 3, 2008 at 4:23 AM, Kumar, Hemant <kumarh@xxxxxxxxxxxx> wrote:
> Hello
>
> Another query that has surfaced up while doing the design for the dissector module is whether there is a concept of tree and subtree while registering the fields?
>
> Actually, I have a set of messages and all of them have a common field which again contains subfields. So under the current situation for registration of fields I have to register the same field again and again for different messages with different names like
>
>     Message1.field1.field2
>     Message2.field1.field2
>
> and so on, so that in the expression window the user should not get confused with a common parameter for all the messages.
>
> Is there any way out so that in the expression window, when the user wants to set some parameter for field2 so as to collect only message 1, he should be able to see a tree under message1 and then again a subtree for field1, whose branch contains a set of parameters including field2 and so on, and appropriately set the required parameter for a particular message?
>
> If there is a way out then I will be able to share a common dissect function for a particular field type across all the messages; otherwise I have to register customized fields for various messages and also have to write customized dissectors with the customized variables for a particular message type. In this way, for the same field in different messages I have to write several instances of the same function containing different names of the fields and subfields which are actually one and the same.
>
> Any help will be highly appreciated.
>
> Thanks
> Hemant
>
> -----Original Message-----
> From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
> Sent: Wednesday, July 02, 2008 11:09 AM
> To: Developer support list for Wireshark
> Subject: Re: [Wireshark-dev] Query on Field Registration
>
> Kumar, Hemant wrote:
>
>> I just wanted to put up one query regarding field registration in packet-xx.c. Is there any limit on the number of fields which we can register?
>
> No.
>
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-dev
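The scheme Abhik describes (one message-type field plus common fields registered once, nested by subtree in the packet details and selected by a display filter on both) written out as a Wireshark Lua dissector. This is an added example, not code from anyone in the thread or from Wireshark's own sources; the protocol name "demo", UDP port 9999, the field names and the byte layouts are assumptions made up for it.

```lua
-- Added example (not from the thread): Abhik's approach as a Wireshark Lua
-- dissector. Protocol name, port and byte layouts are assumptions.
local demo = Proto("demo", "Demo Protocol")

-- One registration per logical field, shared by every message type.
-- The dotted filter name "demo.field.subfield" only shapes how the name
-- reads; the Filter Expression dialog still lists the fields flat.
local f_msgtype  = ProtoField.uint8 ("demo.msgtype", "Message type", base.DEC,
                                     { [1] = "Message1", [2] = "Message2" })
local f_seq      = ProtoField.uint16("demo.seq", "Sequence (Message2 only)", base.DEC)
local f_field    = ProtoField.uint16("demo.field", "Field", base.DEC_HEX)
local f_subfield = ProtoField.uint16("demo.field.subfield", "Subfield", base.DEC_HEX)
demo.fields = { f_msgtype, f_seq, f_field, f_subfield }

-- Shared helper for the common "Field" and its subfield, called from every
-- message layout (the same idea as one DCS field reused by submit_sm and
-- data_sm in packet-smpp.c). The field item itself becomes the subtree node.
local function add_common_field(parent, tvb, off)
  local item = parent:add(f_field, tvb:range(off, 2))
  item:add(f_subfield, tvb:range(off + 2, 2))
  return off + 4
end

function demo.dissector(tvb, pinfo, tree)
  if tvb:len() < 1 then return 0 end
  pinfo.cols.protocol = "DEMO"
  local top   = tree:add(demo, tvb:range(0))
  local mtype = tvb:range(0, 1):uint()
  top:add(f_msgtype, tvb:range(0, 1))
  local off = 1
  if mtype == 2 then                      -- Message2 carries a sequence number first
    if tvb:len() < off + 2 then return 0 end
    top:add(f_seq, tvb:range(off, 2))
    off = off + 2
  end
  -- Both message types feed the same shared registration; a packet too short
  -- for the common field is rejected instead of reading past the buffer.
  if tvb:len() < off + 4 then return 0 end
  return add_common_field(top, tvb, off)
end

DissectorTable.get("udp.port"):add(9999, demo)
```

With this loaded (for example `tshark -X lua_script:demo.lua`), the filter `demo.msgtype == 1 && demo.field.subfield == 20` selects only Message1 packets with that subfield value, which is the per-message selection the thread asks for without registering the field once per message.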