Hi Lori and all,
Thus wrote Lori Jakab (ljakab@xxxxxxxxxx):
> AFAIK, currently the protocol displayed in the Protocol column of
> Wireshark is that of the last dissector called on the packet. This makes
> it difficult to distinguish among packets with or without some type of
> encapsulation, unless filtering is employed. That is, a "regular" ICMP
> packet and a GRE encapsulated ICMP packet are both simply listed as ICMP.
> It would be a great feature to be able to see at a glance, when
> monitoring all traffic (especially with tshark), which packets are GRE
> or LISP (or any other encapsulating header) encapsulated. So, with the
> example above, instead of showing just ICMP, the Protocol field would
> display ICMP/GRE or ICMP/LISP.
> Is this possible with the current API?
Probably not in the protocol column. Most (if not all) dissectors call
col_set_str(pinfo->cinfo, COL_PROTOCOL, "my protocol"); and clear the
previous content.
I just tried defining a custom column as follows:
- select any packet
- open "Frame" in the tree
- select "Protocols in Frame"
- right click, "Apply as column"
That'll give you a colon-separated list of protocols in the column.
Hopefully, that's what you need.
Best regards,
Martin
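
The following is an added example, not part of the original message: it turns the colon-separated "Protocols in Frame" list (field `frame.protocols`) into the `ICMP/GRE` style label asked for in the quoted question, for use with tshark output. The function names, the `ENCAP_PROTOS` list (including `lisp-data` as the LISP data-plane name), the file name `capture.pcap` and the sample rows are assumptions made for this sketch.

```shell
# Input: one line per packet, "<frame.number><TAB><frame.protocols>", e.g. from
#   tshark -r capture.pcap -T fields -e frame.number -e frame.protocols
# (capture.pcap is a placeholder name).

# Assumed list of protocol names to treat as encapsulation headers.
ENCAP_PROTOS="gre lisp lisp-data"

# label_encap: read rows on stdin, print "<frame.number><TAB><label>".
# The label is the innermost protocol followed by every encapsulating
# protocol found outside it, innermost tunnel first (e.g. ICMP/GRE).
label_encap() {
    awk -F'\t' -v encaps="$ENCAP_PROTOS" '
    BEGIN {
        k = split(encaps, e, " ")
        for (i = 1; i <= k; i++) is_encap[e[i]] = 1
    }
    NF < 2 || $2 == "" { next }          # no protocol list: skip the row
    {
        n = split($2, p, ":")
        last = n
        # A trailing "data" entry is payload, not the protocol of interest.
        while (last > 1 && p[last] == "data") last--
        label = toupper(p[last])
        for (i = last - 1; i >= 1; i--)
            if (p[i] in is_encap) label = label "/" toupper(p[i])
        print $1 "\t" label
    }'
}

# Constructed sample rows (not taken from a real capture).
sample_rows() {
    printf '1\teth:ethertype:ip:icmp:data\n'
    printf '2\teth:ethertype:ip:gre:ip:icmp:data\n'
    printf '3\teth:ethertype:ip:udp:lisp-data:ip:icmp:data\n'
    printf '4\teth:ethertype:ip:tcp\n'
}

sample_rows | label_encap
```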