Wireshark-dev: Re: [Wireshark-dev] Adding dynamic fields to tree from dissector
From: Michael Mann <mmann78@xxxxxxxxxxxx>
Date: Sun, 19 Jun 2016 17:18:32 -0400
Wireshark is more than just a "nice tree". Most users want to be able to find values within a packet, and the only way you're able to do that is with hf_ items, so we have now effectively made it a "requirement" to have an hf_ field for each field in the tree (subtree headings would be the exception).
The simplest approach for you would be to create 2 hf_ fields, a "field name" field and a "value" field (both FT_STRING).
Not sure if you'd want them consecutively in the same tree or if the "value" would be a subtree off of the "field name".
The "field name" field could be added with proto_tree_add_string_format, similar to your proto_tree_add_text example below, and then you'd need another proto_tree_add_string for the "value" field. You could "hide" the value field with the PROTO_ITEM_SET_HIDDEN macro, but that's a generally discouraged practice.
However, I doubt your protocol is just a loop around a single proto_tree_add_text call of field/value pairs. If your dissector has knowledge of values, arrays, submessages, etc., you probably want to pass that information along to the user so he can search through a capture to find such things. You may want to consider using the convert_proto_tree_add_text.pl script (in the tools directory) to help convert your proto_tree_add_text calls into filterable fields. That can save you a bunch of typing, but you still need to verify the names/filters for all of the fields.
-----Original Message-----
From: marko <marko@xxxxxxxxx>
To: wireshark-dev <wireshark-dev@xxxxxxxxxxxxx>
Sent: Sat, Jun 18, 2016 11:58 am
Subject: [Wireshark-dev] Adding dynamic fields to tree from dissector
Hi.
I have read the Developer Manual, README.dissector and looked into a few
examples, but could not find an answer to my question.
I have a dissector for a custom protocol that is basically a 4-byte
length, a 4-byte msg_id, and the rest is a packed protocol buffers message.
I am unpacking this protocol buffers message inside the dissector and
would like to construct a nice tree structure that represents this
message.
In Wireshark 1.x I could do this easily using something like
proto_tree_add_text(gpbs_tree, tvb, 0, 0, "%s: %s", f->name, *(char **)m);
where gpbs_tree is my subtree that represents a message.
But in Wireshark 2.x the function proto_tree_add_text does not exist.
There is a similar function, proto_tree_add_string_format, but the second
parameter there is an hf_* field id.
As far as I understand, Wireshark would like me to register all
possible fields at the beginning so I would have this hf_* for all
possible fields.
But that is very, very difficult, because my protocol buffers message can be
anything at all. Different values, arrays, submessages, etc...
What should I do in that case?
How do I construct a nice tree without knowing what my field types are
before I receive the network packet?
Thanks!
Marko.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
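Added example, not code from this thread or from the Wireshark project: a dissector that applies Michael's two-field suggestion to a protocol shaped like Marko's (4-byte length, 4-byte msg_id, protobuf payload with no schema known at registration time). It is written as a Wireshark Lua dissector because that maps one-to-one onto the C API under discussion: ProtoField.string is the Lua face of an hf_ registration with FT_STRING, and tree:add(field, range, value) is proto_tree_add_string. Each protobuf field becomes a "field name" item (named from the field number and wire type, since the real name is unknown) with the "value" item as its child, so both remain filterable (gpbs.field, gpbs.value). Assumed, because the thread does not state them: TCP transport on port 9000, a big-endian length that counts msg_id plus payload, a big-endian msg_id, and a 1 MiB message cap; the varint, length and wire-type checks are there because all of those values arrive from the network and bound every slice taken from the tvb.

```lua
-- Added example, not code from the thread or from the Wireshark project.  It applies
-- Michael's suggestion: two registered string fields, "field name" and "value", reused
-- for every dynamically discovered protobuf field, so each is still filterable
-- (e.g. gpbs.field == "field 3 (bytes)").  Assumed, because the thread does not say:
-- TCP on port 9000, big-endian length counting msg_id + payload, 1 MiB message cap.
local PORT, MAX_PDU = 9000, 1024 * 1024
local gpbs = Proto("gpbs", "GPBS framed protocol buffers")

local f_len   = ProtoField.uint32("gpbs.len",    "Length",     base.DEC)
local f_msgid = ProtoField.uint32("gpbs.msg_id", "Message ID", base.DEC)
local f_name  = ProtoField.string("gpbs.field",  "Field name")   -- the "field name" hf
local f_value = ProtoField.string("gpbs.value",  "Value")        -- the "value" hf
gpbs.fields = { f_len, f_msgid, f_name, f_value }

local ef_len    = ProtoExpert.new("gpbs.bad_len",    "Implausible length field",          expert.group.MALFORMED, expert.severity.ERROR)
local ef_trunc  = ProtoExpert.new("gpbs.truncated",  "Value runs past end of message",    expert.group.MALFORMED, expert.severity.ERROR)
local ef_varint = ProtoExpert.new("gpbs.bad_varint", "Varint unterminated or > 10 bytes", expert.group.MALFORMED, expert.severity.ERROR)
local ef_wire   = ProtoExpert.new("gpbs.bad_wire",   "Unsupported wire type",             expert.group.MALFORMED, expert.severity.WARN)
gpbs.experts = { ef_len, ef_trunc, ef_varint, ef_wire }

-- Base-128 varint at off, never reading at or past limit.  Returns value and byte
-- count, or nil if unterminated or longer than the 10 bytes protobuf allows.
local function read_varint(tvb, off, limit)
  local value, n = 0, 0
  while off + n < limit and n < 10 do
    local b = tvb(off + n, 1):uint()
    value = value + (b % 128) * 2 ^ (7 * n)   -- exact below 2^53, enough for display
    n = n + 1
    if b < 128 then return value, n end
  end
  return nil
end

local WIRE = { [0] = "varint", [1] = "fixed64", [2] = "bytes", [5] = "fixed32" }

-- Walk the protobuf wire format in [off, limit), adding one (field name, value) pair
-- per field.  Names come from the field number: the schema is unknown at registration.
local function dissect_fields(tvb, off, limit, tree)
  while off < limit do
    local start = off
    local key, n = read_varint(tvb, off, limit)
    if not key then tree:add_proto_expert_info(ef_varint) return end
    off = off + n
    local fnum, wtype, value = math.floor(key / 8), key % 8
    if wtype == 0 then
      local v, vn = read_varint(tvb, off, limit)
      if not v then tree:add_proto_expert_info(ef_varint) return end
      value, off = string.format("%.0f", v), off + vn
    elseif wtype == 1 or wtype == 5 then
      local size = (wtype == 1) and 8 or 4
      if off + size > limit then tree:add_proto_expert_info(ef_trunc) return end
      value, off = tvb(off, size):bytes():tohex(), off + size
    elseif wtype == 2 then
      local size, sn = read_varint(tvb, off, limit)
      if not size then tree:add_proto_expert_info(ef_varint) return end
      off = off + sn
      -- size is attacker-controlled: bound it against the message before slicing
      if off + size > limit then tree:add_proto_expert_info(ef_trunc) return end
      value, off = tvb(off, size):bytes():tohex(), off + size
    else tree:add_proto_expert_info(ef_wire) return end
    local item = tree:add(f_name, tvb(start, off - start),
                          string.format("field %.0f (%s)", fnum, WIRE[wtype]))
    item:add(f_value, tvb(start, off - start), value)   -- value as child of its name
  end
end

function gpbs.dissector(tvb, pinfo, tree)
  pinfo.cols.protocol = gpbs.name
  local off = 0
  while off < tvb:len() do
    local avail = tvb:len() - off
    if avail < 4 then                       -- not even a complete length field yet
      pinfo.desegment_offset, pinfo.desegment_len = off, DESEGMENT_ONE_MORE_SEGMENT
      return off
    end
    local len = tvb(off, 4):uint()
    if len < 4 or len > MAX_PDU then        -- reject before asking TCP to buffer it
      tree:add(gpbs, tvb(off)):add_proto_expert_info(ef_len)
      return tvb:len()
    end
    if avail < 4 + len then                 -- ask TCP to reassemble the rest of this PDU
      pinfo.desegment_offset, pinfo.desegment_len = off, 4 + len - avail
      return off
    end
    local sub = tree:add(gpbs, tvb(off, 4 + len))
    sub:add(f_len, tvb(off, 4))
    sub:add(f_msgid, tvb(off + 4, 4))
    dissect_fields(tvb, off + 8, off + 4 + len, sub)
    off = off + 4 + len
  end
  return off
end

DissectorTable.get("tcp.port"):add(PORT, gpbs)
```

Load it with tshark -X lua_script:gpbs.lua (or drop it in the personal plugins directory) and filter with expressions such as gpbs.field == "field 3 (bytes)" or gpbs.value contains "deadbeef"; that filterability is exactly what a bare proto_tree_add_text never gave. The length sanity check runs before the desegmentation request so that a hostile length field cannot make the TCP reassembler buffer an arbitrary amount, and every protobuf length is compared against the message limit before a TvbRange is created, which is the Lua counterpart of the bounds discipline a C dissector needs around tvb_get_* calls.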