Wireshark-dev: Re: [Wireshark-dev] Query on Field Registration
As far as I know, you can't do that very easily. If anyone
understands how that "expressions" tree is step up, you might be able to add
those subtrees. A possible work around where you wouldn't need such a set
up would be my suggestion earlier. Don't register all the sub message types. Put
these in a value_string array. In place of NULL, add VALS(value_string),
where value_string is an array of structures.
-martin From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Kumar, Hemant Sent: Thursday, July 03, 2008 3:09 PM To: Developer support list for Wireshark Subject: Re: [Wireshark-dev] Query on Field Registration Hello I would like to clarify once again my query. I have no
problems in setting up trees and subtrees in
dissect_fucntion(). Well let's say we have two messages Messages1 and
Message2 with a common field "Field" which in turn has one more subfields
"subfield". So now in the present situation which I am aware of we
register the fields as;---
CASE1:
&hf_protocol_Message1_Field_subfield,
{
"Message1_Field_subfield",
"Message1.Field.subfield",
FT_UINT16, BASE_DEC_HEX, NULL, 0x0,
"Messagesubfield ",HFILL }
}
&hf_protocol_Message2_Field_subfield,
{
"Message2_Field_subfield",
"Message2.Field.subfield",
FT_UINT16, BASE_DEC_HEX, NULL, 0x0,
"Message subfield ",HFILL }
} But instead of doing this I register the fields and
subfield separately as:--
&hf_protocol_Field,
CASE2: {
"Field",
"Field",
FT_UINT16, BASE_DEC_HEX, NULL, 0x0,
"Field ",HFILL }
}
&hf_protocol_subField,
{
"subField",
"subField",
FT_UINT16, BASE_DEC_HEX, NULL, 0x0,
"subField ",HFILL }
} And then in the dissect function I do formation of tree
and subtree /*Tree for Field*/
Ti = proto_tree_add_item(tree, hf_protocol_Field, tvb,
offset,size, FALSE); subtree = proto_item_add_subtree( Ti,
hf_protocol_Field);
ti=proto_tree_add_item(subtree,hf_protocol_subField,tvb,offset,size,FALSE);
so that in the details fashion it is displayed as
Protocol+
Field+
subfield
for message1 and message2. But when I go in the _expression_ window under the my
Protocol it shows as
Protocol+
Field
Subfield Which I don’t want but rather I want it to be
like:-- Protocol+
Field+
Subfield
So that if user wants to select fetch all the messages
having subfield == X He should go in the _expression_ window and not put
Protocol.Field.subfield == X, but rather just go on hitting on the + buttons and
the subtree should appear below it and he can set the parameter for that field
and the wireshark will automatically form the _expression_ based on the user
selction of trees and subtrees so basically I don’t want to put
Protocol.Field.subfield beforehand in the _expression_
window but rather just firstly just Protocol will appear then on hitting + for
protocol, Field will apper and then on hittin + for Field subfield should appear
and then user can set subfield == x and in the _expression_ bar, automatically
wireshark will put the _expression_
Protocol.Field.subfield. I don’t know whether I was successfully able to put my
point across. Although I feel that this functionality is not present
in Wireshark otherwise for all other protocol the implementation would have been
like that which I cannot find like for tcp the _expression_ which appear is
Tcp.flags.urg etc. It appears as :---
But I wanted it to be like
-tcp
Srcport
Destport
Port
-flags
Cwr
Ecn Thanks Hemant -----Original Message----- Hello Hemant, I'm still not sure what your trying to do. I'm sorry.
Are you having trouble setting up the trees and subtrees? Or do you
want to, when searching for a particular message type, just display
those trees relating to your search? That I don't think is possible
unless you add more code. Wireshark won't just do that
automatically. martin -----Original Message----- From:
wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf
Of Kumar, Hemant Sent: Thursday, July 03, 2008 1:31
PM To: Developer support list for
Wireshark Subject: Re: [Wireshark-dev] Query on Field
Registration Thanks Martin and Abhik!! For the
replies. But what I am actually looking for is when the user goes
for setting subfields type so as to filter messages of his interest,
he should see a tree structure with subfields beneath the main
field. That is for example for tcp it should not appear as
Tcp.flags.cwr Tcp.flags.ecn Tcp.flags.urg Tcp.flags.ack and so on
rather it should appear as Tcp+ Flags+
cwr
ecn
urg
ack By clicking on the + the subtree should
appear So I don't want to register fields like
ged125.service_control rather Just register Service control which is going to be
common to several other messages separately and then relate it to those
messages in the dissect_function()while feeding the information from
tvb_buffer in to the field. Ofcourse , this is possible but then in
the _expression_ window simply appears service_control and
ged125+
Service_control. Please shed some light on this aspect whether it is
possible to this is wireshark. Thanks Hemant -----Original Message----- From:
wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf
Of Martin Corraine (mcorrain) Sent: Thursday, July 03, 2008 5:28
AM To: Developer support list for
Wireshark Subject: Re: [Wireshark-dev] Query on Field
Registration Hello Hemant, The ged125 protocol that I'm finishing right now has a
lot of sub-messages. I would create a field registration of
this message type that has several sub messages below it. So, for instance
I can search "ged125.service_control" for all those messages. Now, if
I want to search for a particular service control I can search by
doing this "ged125.service_control == 20". Below is the field
registration. All the various sub-types are in a value_string array. Hope this
helps.
{ &hf_ged125_service_control_MessageSubvalue,
{ "Message value", "ged125.service_control",
FT_UINT32, BASE_DEC, VALS(vals_service_control_message_subvalues),
0x0, "Sub-Service
Control Message value", HFILL }} -Martin -----Original Message----- From:
wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf
Of Abhik Sarkar Sent: Thursday, July 03, 2008 2:26
AM To: Developer support list for
Wireshark Subject: Re: [Wireshark-dev] Query on Field
Registration Hi Hemant, As far as I know nesting of header fields is not
possible... check out epan/proto.h where the field info structures are
defined. What you could do is something like have: hf_message_type hf_field1 hf_field2 Then, the display filter would be "message.type==1
&& field1.value==X" or "message.type==2 && field1.value==X). You can
then (in the protocol tree) next the fields under message types by using
subtrees... This is done for the protocol I am most familiar with (SMPP) and
you can check in packet-smpp.c how the common DCS field is handled in
a submit_sm and a data_sm. HTH Abhik On Thu, Jul 3, 2008 at 4:23 AM, Kumar, Hemant
<kumarh@xxxxxxxxxxxx> wrote: > Hello > > Another query that has surfaced up while
doing the design for dissector module is , whether there is a concept of tree
and subtree while registration of the
fields? > > Actually, I have a set of messages and all of them
have a common field > which again contains subfields. So under the
current situation for > registration of fields > > I have to register the same field again and again
for different > messages with different names
like > > > > Message1.field1.field2 > > Message2.field1.field2 and so
. > > > > So that in the _expression_ window user should not
get confused with a common parameter for all the
messages. > > > > Is there any way out so that in the _expression_
window when the user wants to set some parameter for field2 so as to collect
only message 1 , he should be able to see a tree under message1 and and
then again a subtree for field1 ,whose branch contains a set of
parameters including field2 and so on and appropriately set the
required parameter for a particular message. > > If there is a way out then I will be able to share
a common dissect > function for a particular field tyoe across all the
messages otherwise > I have to register > > Customized fields for various messages and also
have to write > customized dissectors with the customized variables
for particular > message type.In this
way > > For the same field in different messages I have to
write several instances of the same function containing different
names of the fields and subfield which are actually the one and
same. > > > > Any help will be highly
appreciated. > > > > Thanks > > Hemant > > > -----Original
Message----- > From:
wireshark-dev-bounces@xxxxxxxxxxxxx > [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On
Behalf Of Guy Harris > Sent: Wednesday, July 02, 2008 11:09
AM > To: Developer support list for
Wireshark > Subject: Re: [Wireshark-dev] Query on Field
Registration > > Kumar, Hemant wrote: > >> I just wanted to put up one query regarding
field registration in >> packet-xx.c .Is there any limit on the number
of fields which we can >> register? > > No. >
_______________________________________________ > Wireshark-dev mailing
list >
Wireshark-dev@xxxxxxxxxxxxx >
https://wireshark.org/mailman/listinfo/wireshark-dev >
_______________________________________________ > Wireshark-dev mailing
list >
Wireshark-dev@xxxxxxxxxxxxx >
https://wireshark.org/mailman/listinfo/wireshark-dev > _______________________________________________ Wireshark-dev mailing list Wireshark-dev@xxxxxxxxxxxxx https://wireshark.org/mailman/listinfo/wireshark-dev _______________________________________________ Wireshark-dev mailing list Wireshark-dev@xxxxxxxxxxxxx https://wireshark.org/mailman/listinfo/wireshark-dev _______________________________________________ Wireshark-dev mailing list Wireshark-dev@xxxxxxxxxxxxx https://wireshark.org/mailman/listinfo/wireshark-dev _______________________________________________ Wireshark-dev mailing list Wireshark-dev@xxxxxxxxxxxxx https://wireshark.org/mailman/listinfo/wireshark-dev |
- References:
- [Wireshark-dev] Query on Field Registration
- From: Kumar, Hemant
- Re: [Wireshark-dev] Query on Field Registration
- From: Guy Harris
- Re: [Wireshark-dev] Query on Field Registration
- From: Kumar, Hemant
- Re: [Wireshark-dev] Query on Field Registration
- From: Abhik Sarkar
- Re: [Wireshark-dev] Query on Field Registration
- From: Martin Corraine (mcorrain)
- Re: [Wireshark-dev] Query on Field Registration
- From: Kumar, Hemant
- Re: [Wireshark-dev] Query on Field Registration
- From: Martin Corraine (mcorrain)
- Re: [Wireshark-dev] Query on Field Registration
- From: Kumar, Hemant
- [Wireshark-dev] Query on Field Registration
- Prev by Date: Re: [Wireshark-dev] Query on Field Registration
- Next by Date: Re: [Wireshark-dev] Query on Field Registration
- Previous by thread: Re: [Wireshark-dev] Query on Field Registration
- Next by thread: Re: [Wireshark-dev] Query on Field Registration
- Index(es):