
Wireshark-dev: Re: [Wireshark-dev] Query on Field Registration

From: "Kumar, Hemant" <kumarh@xxxxxxxxxxxx>
Date: Thu, 3 Jul 2008 12:09:02 -0700

Hello

I would like to clarify once again my query. I have no problems in setting up trees and subtrees in dissect_function().

Well, let's say we have two messages, Message1 and Message2, with a common field "Field" which in turn has one more subfield, "subfield".

So now, in the present situation which I am aware of, we register the fields as:

      CASE1:
                  { &hf_protocol_Message1_Field_subfield,
                    { "Message1_Field_subfield",
                      "Message1.Field.subfield",
                      FT_UINT16, BASE_DEC_HEX, NULL, 0x0,
                      "Message subfield", HFILL }
                  },

                  { &hf_protocol_Message2_Field_subfield,
                    { "Message2_Field_subfield",
                      "Message2.Field.subfield",
                      FT_UINT16, BASE_DEC_HEX, NULL, 0x0,
                      "Message subfield", HFILL }
                  },

But instead of doing this I register the field and subfield separately as:

      CASE2:
                  { &hf_protocol_Field,
                    { "Field",
                      "Field",
                      FT_UINT16, BASE_DEC_HEX, NULL, 0x0,
                      "Field", HFILL }
                  },

                  { &hf_protocol_subField,
                    { "subField",
                      "subField",
                      FT_UINT16, BASE_DEC_HEX, NULL, 0x0,
                      "subField", HFILL }
                  },

And then in the dissect function I form the tree and subtree:

/* Tree for Field */
Ti = proto_tree_add_item(tree, hf_protocol_Field, tvb, offset, size, FALSE);

/* proto_item_add_subtree() takes a subtree (ett_) index registered with
   proto_register_subtree_array(), not a field (hf_) index; ett_protocol_Field
   is the assumed name of that index. */
subtree = proto_item_add_subtree(Ti, ett_protocol_Field);

ti = proto_tree_add_item(subtree, hf_protocol_subField, tvb, offset, size, FALSE);

so that in the details view it is displayed as

                  Protocol+
                           Field+
                                 subfield

for Message1 and Message2.

But when I go to the Expression window, under my Protocol it shows as

            Protocol+
                     Field
                     Subfield

which I don't want; rather, I want it to be like:

Protocol+
            Field+
                  Subfield

So that if the user wants to fetch all the messages having subfield == X, he should go to the Expression window and not type Protocol.Field.subfield == X, but rather just keep hitting the + buttons; the subtree should appear below it, he can set the parameter for that field, and Wireshark will automatically form the expression based on the user's selection of trees and subtrees. So basically I don't want to put Protocol.Field.subfield beforehand in the Expression window; rather, at first just Protocol will appear, then on hitting + for Protocol, Field will appear, then on hitting + for Field, subfield should appear, and then the user can set subfield == x and Wireshark will automatically put the expression Protocol.Field.subfield in the expression bar.

I don't know whether I was successfully able to put my point across.

Although I feel that this functionality is not present in Wireshark; otherwise, for all other protocols the implementation would have been like that, which I cannot find. For example, for TCP the expression which appears is Tcp.flags.urg etc.

 

It appears as:

But I wanted it to be like

      -tcp
            Srcport
            Destport
            Port
            -flags
                  Cwr
                  Ecn

Thanks

Hemant
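As an added example, not code from anyone in this thread, here is the pattern Abhik suggests further down (register the message type and the common field once each, nest the common field under a per-message subtree in the packet details, and combine the two in the display filter to pick one message), written as a Wireshark Lua dissector instead of C hf_register_info entries. The protocol name "exproto", the UDP port and the wire layout are assumptions.

```lua
-- Added example, not code from this thread. Wire layout, protocol name and
-- UDP port are assumptions: byte 0 = message type; Message1 carries the common
-- Field at offset 1, Message2 carries a 2-byte sequence number first.
local p_ex = Proto("exproto", "Example protocol with a shared field")

local msg_types = { [1] = "Message1", [2] = "Message2" }

-- Every abbreviation is registered exactly once. The Expression dialog lists
-- them flat under the protocol; nesting there is not under a dissector's control.
local f_msgtype  = ProtoField.uint8 ("exproto.msgtype",        "Message type", base.DEC, msg_types)
local f_seq      = ProtoField.uint16("exproto.seq",            "Sequence",     base.DEC)
local f_field    = ProtoField.uint16("exproto.field",          "Field",        base.DEC_HEX)
local f_subfield = ProtoField.uint16("exproto.field.subfield", "Subfield",     base.DEC_HEX)
p_ex.fields = { f_msgtype, f_seq, f_field, f_subfield }

-- Shared dissection of the common Field: called for both message types, so the
-- field logic exists once. The subfield is nested under Field in the details
-- pane because it is added to the TreeItem returned for Field (a subtree).
local function add_common_field(parent, tvb, off)
    local item = parent:add(f_field, tvb(off, 2))
    item:add(f_subfield, tvb(off + 2, 2))
    return off + 4
end

function p_ex.dissector(tvb, pinfo, tree)
    if tvb:len() < 1 then return 0 end
    pinfo.cols.protocol = "EXPROTO"
    local mtype = tvb(0, 1):uint()
    local root  = tree:add(p_ex, tvb())
    root:append_text(" (" .. (msg_types[mtype] or "unknown") .. ")")
    root:add(f_msgtype, tvb(0, 1))

    local off = 1
    if mtype == 2 then                       -- Message2-only header field
        if tvb:len() < off + 2 then return off end
        root:add(f_seq, tvb(off, 2))
        off = off + 2
    end
    if tvb:len() < off + 4 then return off end  -- truncated: no Field to show
    off = add_common_field(root, tvb, off)   -- same call for Message1 and 2
    return off
end

-- Selecting "subfield == X, but only in Message1" is done by combining the
-- two flat fields in the display filter:
--     exproto.msgtype == 1 && exproto.field.subfield == X
DissectorTable.get("udp.port"):add(9999, p_ex)  -- assumed port
```

Both message types then show exproto > Field > Subfield in the packet details, while the Expression dialog still lists the three abbreviations flat under exproto.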

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Martin Corraine (mcorrain)
Sent: Thursday, July 03, 2008 11:14 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Query on Field Registration

 

Hello Hemant,

I'm still not sure what you're trying to do. I'm sorry. Are you having trouble setting up the trees and subtrees? Or do you want to, when searching for a particular message type, just display those trees relating to your search? That I don't think is possible unless you add more code. Wireshark won't just do that automatically.

martin

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Kumar, Hemant
Sent: Thursday, July 03, 2008 1:31 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Query on Field Registration

 

Thanks Martin and Abhik for the replies!

But what I am actually looking for is: when the user goes to set the subfield type so as to filter messages of his interest, he should see a tree structure with subfields beneath the main field.

That is, for example, for tcp it should not appear as Tcp.flags.cwr, Tcp.flags.ecn, Tcp.flags.urg, Tcp.flags.ack and so on; rather it should appear as

Tcp+
    Flags+
            cwr
            ecn
            urg
            ack

By clicking on the + the subtree should appear.

So I don't want to register fields like ged125.service_control; rather, just register Service control, which is going to be common to several other messages, separately, and then relate it to those messages in the dissect_function() while feeding the information from the tvb buffer into the field. Of course, this is possible, but then in the Expression window it simply appears as service_control and

ged125+
        Service_control

Please shed some light on whether it is possible to do this in Wireshark.

Thanks

Hemant

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Martin Corraine (mcorrain)
Sent: Thursday, July 03, 2008 5:28 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Query on Field Registration

 

Hello Hemant,

The ged125 protocol that I'm finishing right now has a lot of sub-messages. I would create a field registration of this message type that has several sub-messages below it. So, for instance, I can search "ged125.service_control" for all those messages. Now, if I want to search for a particular service control I can search by doing this: "ged125.service_control == 20". Below is the field registration. All the various sub-types are in a value_string array. Hope this helps.

                { &hf_ged125_service_control_MessageSubvalue,
                  { "Message value", "ged125.service_control", FT_UINT32,
                    BASE_DEC, VALS(vals_service_control_message_subvalues), 0x0,
                    "Sub-Service Control Message value", HFILL }}

-Martin

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Abhik Sarkar
Sent: Thursday, July 03, 2008 2:26 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Query on Field Registration

 

Hi Hemant,

As far as I know nesting of header fields is not possible... check out epan/proto.h where the field info structures are defined. What you could do is something like have:

hf_message_type
hf_field1
hf_field2

Then, the display filter would be "message.type==1 && field1.value==X" or "message.type==2 && field1.value==X". You can then (in the protocol tree) nest the fields under message types by using subtrees... This is done for the protocol I am most familiar with (SMPP) and you can check in packet-smpp.c how the common DCS field is handled in a submit_sm and a data_sm.

HTH
Abhik

On Thu, Jul 3, 2008 at 4:23 AM, Kumar, Hemant <kumarh@xxxxxxxxxxxx> wrote:

> Hello
>
> Another query that has surfaced while doing the design for the dissector module is whether there is a concept of tree and subtree while registering the fields?
>
> Actually, I have a set of messages and all of them have a common field which again contains subfields. So under the current situation for registration of fields I have to register the same field again and again for different messages with different names like
>
> Message1.field1.field2
>
> Message2.field1.field2 and so on.
>
> So that in the Expression window the user should not get confused with a common parameter for all the messages.
>
> Is there any way out so that in the Expression window, when the user wants to set some parameter for field2 so as to collect only message 1, he should be able to see a tree under message1 and then again a subtree for field1, whose branch contains a set of parameters including field2 and so on, and appropriately set the required parameter for a particular message?
>
> If there is a way out then I will be able to share a common dissect function for a particular field type across all the messages; otherwise I have to register customized fields for various messages and also have to write customized dissectors with the customized variables for a particular message type. In this way, for the same field in different messages I have to write several instances of the same function containing different names of the fields and subfield which are actually one and the same.
>
> Any help will be highly appreciated.
>
> Thanks
>
> Hemant
>

> -----Original Message-----
> From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
> Sent: Wednesday, July 02, 2008 11:09 AM
> To: Developer support list for Wireshark
> Subject: Re: [Wireshark-dev] Query on Field Registration
>
> Kumar, Hemant wrote:
>
>> I just wanted to put up one query regarding field registration in
>> packet-xx.c. Is there any limit on the number of fields which we can
>> register?
>
> No.


_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-dev
