
Wireshark-dev: Re: [Wireshark-dev] tapping and access to fields

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 05 Jan 2007 10:45:33 -0800
Mikael Wikström wrote:

I'm trying to write a tap to calculate some statistics based on values
found in multiple frames in one or more packets. I want to be able to
access some values from the prism/radiotap, for example
radiotap.rate/prism.rate.data, and wlan.type_subtype from the wlan
frame. Writing a tap for the wlan protocol gives me a basic static
context with some useful generic wlan fields, but how do I access the
other fields?

1. What is the best way of accessing a field from a frame that is not
in my static protocol dependent tap context?

I.e., how do you access the radiotap.rate/prism.rate.data and the wlan.type_subtype values for the current frame?

The only way to do that is to use the epan_dissect_t pointer handed to the tap's packet routine; the "tree" field points to the protocol tree. You'd have to dig the values out of the protocol tree by hand.

Another solution might be to have the radiotap and Prism dissectors supply to the 802.11 dissector, as private data, some of the radio information they see (along with a bitset indicating which of those values are present), and have the 802.11 dissector supply that to its taps (again, with the bitset, as there's no guarantee that any particular value is available).

2. How do I access (1) of the previous frame in my tap?

Wiretap does not itself provide anything to taps to let them get at any information about frames other than the frame currently being processed. Taps process frames sequentially, so you know that the frame you processed prior to the current frame is the previous frame; you could keep that value in the data structure pointed to by the "tapdata" argument.
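The two patterns Guy describes above, read as a whole, are (a) pull the radio values out of the current frame's tree with a presence bitset because nothing guarantees a given value exists, and (b) keep the previous frame's values in the state the tap owns via its "tapdata" pointer. The following is an added example, not code from this thread or from Wireshark: it models the protocol tree as a flat list of (field abbreviation, value) pairs so it builds without libwireshark, and the callback is only shaped like a tap packet routine. The field names follow the ones used in the question, the frame values are constructed, and the statistic (rate changes between consecutive frames, frames with no rate at all) is one arbitrary thing such a tap might count.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the protocol tree: (abbrev, value) pairs.
 * In a real tap these would be dug out of edt->tree instead. */
typedef struct { const char *abbrev; uint32_t value; } field_t;
typedef struct { const field_t *fields; size_t nfields; } tree_t;

/* Presence bitset: a frame need not carry any particular radio value. */
enum { HAVE_RATE = 1u << 0, HAVE_TYPE_SUBTYPE = 1u << 1 };

typedef struct {
    unsigned present;       /* HAVE_* bits for the fields below */
    uint32_t rate;          /* as the radio header reports it */
    uint32_t type_subtype;
} radio_info_t;

/* The listener's own state, handed to the callback as "tapdata". The previous
 * frame's values live here so the next frame can be compared against them. */
typedef struct {
    bool         have_prev;
    radio_info_t prev;
    unsigned     frames;
    unsigned     rate_changes; /* both rates known and different */
    unsigned     missing_rate; /* neither rate field present */
} tap_state_t;

/* First field in the tree with this abbreviation, if any. */
static bool tree_get_uint(const tree_t *t, const char *abbrev, uint32_t *out)
{
    for (size_t i = 0; i < t->nfields; i++)
        if (strcmp(t->fields[i].abbrev, abbrev) == 0) { *out = t->fields[i].value; return true; }
    return false;
}

/* Radio values from the current frame; rate may come from either pseudo-header. */
static radio_info_t extract_radio_info(const tree_t *t)
{
    radio_info_t r = { 0, 0, 0 };
    uint32_t v;
    if (tree_get_uint(t, "radiotap.rate", &v) || tree_get_uint(t, "prism.rate.data", &v)) {
        r.rate = v;  r.present |= HAVE_RATE;
    }
    if (tree_get_uint(t, "wlan.type_subtype", &v)) {
        r.type_subtype = v;  r.present |= HAVE_TYPE_SUBTYPE;
    }
    return r;
}

/* Shaped like a tap packet routine: state first, then the current frame.
 * Returns 1 to signal that the statistics changed. */
static int tap_packet(void *tapdata, const tree_t *t)
{
    tap_state_t *st = tapdata;
    radio_info_t cur = extract_radio_info(t);

    st->frames++;
    if (!(cur.present & HAVE_RATE))
        st->missing_rate++;
    /* Only compare when the previous frame exists and both rates are known. */
    if (st->have_prev && (cur.present & HAVE_RATE) && (st->prev.present & HAVE_RATE)
        && cur.rate != st->prev.rate)
        st->rate_changes++;

    st->prev = cur;          /* remember this frame for the next callback */
    st->have_prev = true;
    return 1;
}

/* Constructed sample: five frames, the fourth (an ACK) carrying no rate. */
static const field_t f1[] = { {"radiotap.rate", 2},   {"wlan.type_subtype", 8}  };
static const field_t f2[] = { {"prism.rate.data", 2}, {"wlan.type_subtype", 8}  };
static const field_t f3[] = { {"radiotap.rate", 108}, {"wlan.type_subtype", 40} };
static const field_t f4[] = { {"wlan.type_subtype", 29} };
static const field_t f5[] = { {"radiotap.rate", 108}, {"wlan.type_subtype", 40} };

tap_state_t run_sample(void)
{
    const tree_t frames[] = {
        { f1, 2 }, { f2, 2 }, { f3, 2 }, { f4, 1 }, { f5, 2 },
    };
    tap_state_t st;
    memset(&st, 0, sizeof st);
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++)
        tap_packet(&st, &frames[i]);
    return st;   /* frames=5 rate_changes=1 missing_rate=1 */
}

int main(void)
{
    tap_state_t st = run_sample();
    printf("frames=%u rate_changes=%u missing_rate=%u\n",
           st.frames, st.rate_changes, st.missing_rate);
    return 0;
}
```

Frame 4 shows why the bitset matters: without it the tap would read a zero rate for the ACK and count two spurious changes (108 to 0, then 0 to 108); with it the frame is counted as missing and frame 5 is compared against nothing.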