Wireshark-dev: Re: [Wireshark-dev] Create User Friendly Hex Dump for Compression Algorithms
From: "Padilla, Alex D" <[email protected]>
Date: Tue, 19 Feb 2008 10:12:33 -0700
Thank you, Steve, for your reply.

I may not have been clear in what I was asking to do.  I apologize for that.  I am actually trying to separate the headers of different sets of data in the hex dump.  I would like to identify where different blocks of compressed and chunked data lie in the data set.  I actually want to display (by clicking data in the hex dump as Wireshark does with other sets of data already) where gzip headers and deflate headers begin and end in compressed data sets.

Thank you again for your help and any further help would be greatly appreciated.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Stephen Fisher
Sent: Monday, February 18, 2008 5:48 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Create User Friendly Hex Dump for Compression Algorithms

On Mon, Feb 18, 2008 at 03:12:20PM -0700, Padilla, Alex D wrote:

> Does anyone know how I can create a more user friendly hex dump
> display for compression algorithms?  I would like to separate the hex
> dump when capturing packets into sections that contain information on
> compression algorithms, whether the dump is chunked or not, and a
> variety of other things.  If I capture a packet that is compressed, I
> would like the compression information to be displayed (i.e. it was
> compressed using deflate, etc.).  I've been reading up on Lua but
> cannot find too much information about the specifics of using it with
> Wireshark except for the short section in the Wireshark User's Guide.

The closest functionality that would be a close fit, although not exact, and already exists in Wireshark is to add new data source tabs along the bottom.  You can see this in action in various protocols such as HTTP when a compressed page is downloaded.  There will be the normal hex tab and then next to it the uncompressed version.  You can put any label on the new tab that you want (possibly satisfying your need to display information about the compression, chunked, etc. although it shouldn't be very long).

The new data source tab is created with the add_new_data_source() function from epan/packet.c.  A few other statements are needed to set up the tvb for the new data source, as seen in packet-http.c:

     uncomp_tvb = tvb_uncompress(next_tvb, 0,

     next_tvb = uncomp_tvb;
     tvb_set_child_real_data_tvbuff(tvb, next_tvb);
     add_new_data_source(pinfo, next_tvb,  "Uncompressed entity body");
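
Added example, not part of the original thread or of Wireshark's source: a standalone C parser for the gzip member header (RFC 1952) that returns the byte range of each optional field and the offset where the deflate stream begins, which are the offset/length pairs a dissector would pass to proto_tree_add_item() so those regions highlight in the hex pane. The names gz_hdr, gz_parse_header and gz_sample are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Optional gzip header fields (RFC 1952), in the order they appear on the wire. */
enum { GZ_EXTRA, GZ_NAME, GZ_COMMENT, GZ_HCRC, GZ_NFIELDS };
struct gz_hdr {
    size_t off[GZ_NFIELDS], len[GZ_NFIELDS]; /* byte range; len 0 = absent */
    size_t deflate_off;                      /* first byte of the deflate stream */
    int bfinal, btype;                       /* first block: 0 stored, 1 fixed, 2 dynamic */
};
/* Returns 0 on success, -1 if b is not a complete, valid gzip member header. */
int gz_parse_header(const uint8_t *b, size_t len, struct gz_hdr *h)
{
    static const uint8_t flag[GZ_NFIELDS] = { 0x04, 0x08, 0x10, 0x02 };
    size_t off = 10;  /* fixed part: ID1 ID2 CM FLG MTIME(4) XFL OS */
    *h = (struct gz_hdr){0};
    if (len < 10 || b[0] != 0x1f || b[1] != 0x8b || b[2] != 8 || (b[3] & 0xe0))
        return -1;    /* bad magic, CM not deflate, or reserved FLG bits set */
    for (int f = 0; f < GZ_NFIELDS; f++) {
        size_t n = 2;                        /* FHCRC is a fixed 2 bytes */
        if (!(b[3] & flag[f])) continue;
        if (f == GZ_EXTRA) {                 /* little-endian XLEN, then XLEN bytes */
            if (len - off < 2) return -1;
            n = b[off] | ((size_t)b[off + 1] << 8); off += 2;
        } else if (f != GZ_HCRC) {           /* FNAME/FCOMMENT: NUL-terminated */
            for (n = 0; off + n < len && b[off + n] != 0; n++) continue;
            n++;                             /* include the NUL in the range */
        }
        if (n > len - off) return -1;        /* field runs past the buffer */
        h->off[f] = off; h->len[f] = n; off += n;
    }
    if (off >= len) return -1;               /* header only, no deflate data */
    h->deflate_off = off;
    h->bfinal = b[off] & 1; h->btype = (b[off] >> 1) & 3;
    return 0;
}

/* Constructed sample: gzip member holding the byte "a", with FNAME "a.txt". */
static const uint8_t gz_sample[] = {
    0x1f, 0x8b, 8, 0x08, 0, 0, 0, 0, 0, 3, 'a', '.', 't', 'x', 't', 0, /* header */
    0x4b, 0x04, 0x00, 0x43, 0xbe, 0xb7, 0xe8, 1, 0, 0, 0 }; /* deflate, CRC32, ISIZE */
int main(void)
{
    struct gz_hdr h;
    if (gz_parse_header(gz_sample, sizeof gz_sample, &h)) return 1;
    printf("FNAME at %zu len %zu, deflate at %zu, BTYPE %d\n",
           h.off[GZ_NAME], h.len[GZ_NAME], h.deflate_off, h.btype);
    return 0;
}
```

Only the first deflate block's BFINAL/BTYPE bits are read here; locating later block boundaries requires actually inflating the stream, since deflate blocks are not byte-aligned.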

