Wireshark-dev: Re: [Wireshark-dev] Packet colorization

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 14 Apr 2010 15:30:57 -0700

On Apr 14, 2010, at 3:12 PM, Ari Yoskovitz wrote:

> I am writing a dissector for this protocol I am working with. I will just refer to it as "my protocol".
> I can't seem to find ways to control packet colorization programmatically, from within the dissector's code (in contrast to changing it manually from Wireshark's menus).

It's hard to find something that's not there. :-)

My inclination would not be to allow a dissector to set the color.  Either

	1) the dissector would do it forcibly, with no preference setting, so the user can't turn it off even if they don't want it;

or

	2) the dissector would do it with a preference controlling it, but I'm not sure what advantages that has for the user over just editing the coloring rules.

> Two issues came up:
> 1) I want to control my packets' color, and give a different color to packets, depending on its direction (for example, two kinds of blue).

Does your protocol have a filterable field that indicates the direction?  If not, I'd say that's a bug in your dissector, as it not only means you can't test that in a coloring rule, it also means you can't test it in a display filter (e.g., "show me only packets going in this direction".)

> 2) I noticed that generally in Wireshark, the last activated dissector sets the rules for the packet's color, text (source and destination addresses for example), etc.

I'm not sure that's supposed to be the case; the coloring should not be done until the packet is fully dissected, so that the coloring rules can test any filter.  The first matching rule specifies the color, so if you put the coloring rules for your protocol first in the list of coloring rules, they should control the coloring of all packets that match the filter in the rule, and if you put them after some rules, those rules should control the coloring of all packets that match them, and yours will control the coloring of all packets that don't match any of them but do match your rules.
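
The first-match ordering described in the reply above, as an added example that is not part of the original message and is not Wireshark code. It parses constructed rules in the `@name@filter@[background][foreground]` layout of a colorfilters file; `myproto.direction`, the color values and the toy `matches()` evaluator are assumptions made for illustration.

```python
import re

# Constructed rules in the "@name@filter@[background][foreground]" layout of a
# Wireshark colorfilters file. myproto.direction is a hypothetical field name.
RULES = """\
@MyProto to server@myproto.direction == 0@[40000,50000,65535][0,0,0]
@MyProto to client@myproto.direction == 1@[20000,30000,65535][65535,65535,65535]
@UDP@udp@[56026,61166,65535][4718,10030,11796]
"""

RULE_RE = re.compile(r"^@([^@]*)@(.*)@\[(\d+),(\d+),(\d+)\]\[(\d+),(\d+),(\d+)\]$")


def parse_rules(text):
    """Return the rules in file order as dicts with name, filter, bg and fg."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            nums = [int(n) for n in m.groups()[2:]]
            rules.append({"name": m.group(1), "filter": m.group(2),
                          "bg": tuple(nums[:3]), "fg": tuple(nums[3:])})
    return rules


def matches(filt, packet):
    """Toy stand-in for the display filter engine: 'a == 1 && b' terms only."""
    for term in filt.split("&&"):
        field, op, value = (part.strip() for part in term.partition("=="))
        if field not in packet or (op and str(packet[field]) != value):
            return False
    return True


def color_rule_for(rules, packet):
    """Return the first rule whose filter matches the fully dissected packet."""
    return next((r for r in rules if matches(r["filter"], packet)), None)


# Constructed packet: fields as they would exist after full dissection.
PACKET = {"udp": True, "myproto": True, "myproto.direction": 1}

if __name__ == "__main__":
    mine_first = parse_rules(RULES)
    udp_first = mine_first[-1:] + mine_first[:-1]  # generic UDP rule moved to the top
    print(color_rule_for(mine_first, PACKET)["name"])
    print(color_rule_for(udp_first, PACKET)["name"])
```

With the protocol's rules first, the packet takes the direction-specific color; with the generic UDP rule moved ahead of them, that rule wins for the same packet.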