Wireshark-dev: Re: [Wireshark-dev] Plugin dissector - lookup expert_field_info

Date: Sat, 23 Jan 2021 20:35:42 -0600
I would like to write "prot.has.error" in the filter and find all of my packets that have any condition that my dissector determines to be "an error". Otherwise I have to type a filter like
	 prot && (_ws.expert.severity == "Error" || _ws.expert.severity == "Warn")

To do that now, I have to write something like
	if ({condition})
	{
		expert_add_info(pinfo, pitem, efield);
		my_prot_context.has_error = TRUE;
	}
for each condition in my dissector code. Instead, I would like to write methods such as
	ei_add_if_is_gint(pinfo, pitem, expected_gint, efield);
and have the methods do
	ei_add_if_is_gint(...)
	{
		if (expected_gint == (gint)proto_item_get_guint(pitem))
		{
			expert_field_info* eiinfo;
			expert_add_info(pinfo, pitem, efield);
			EXPERT_REGISTRAR_GET_NTH(efield->ei, eiinfo);
			if (PI_ERROR == eiinfo->severity || PI_WARN == eiinfo->severity)
				my_prot_context.has_error = TRUE;
		}
	}
Otherwise, my dissector code will be sprinkled with the above block of "if"s instead of easily maintained ei_add_if_is_gint() and similar calls.

Thank you,
Jay Turner

-----Original Message-----
From: Wireshark-dev <wireshark-dev-bounces@xxxxxxxxxxxxx> On Behalf Of Guy Harris
Sent: Saturday, January 23, 2021 8:01 PM
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] Plugin dissector - lookup expert_field_info

On Jan 23, 2021, at 1:06 PM, jayrturner99@xxxxxxxxx wrote:

> I want to wrap expert_add_info calls so that I can check the expert_field* argument, see if the severity is PI_ERROR, and set a generated field in my protocol that says “this packet has errors”.

For what purpose?

There's already something in the protocol tree saying "this packet has errors", namely the added expert info.

A packet-matching expression that will match all packets that have a PI_ERROR expert info is

	_ws.expert.severity == "Error"

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe