Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Filtering

From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Date: Tue, 31 Mar 2009 17:21:17 -0400
Well, I'm not entirely sure what you're trying to do and don't really have the time to dig into it, but let me give it a quick shot using your "time" example below ...

It looks like maybe you're trying to add a time field of some length starting at offset 0 from your tvbuff.  If it's just a string, either NULL-terminated or with a preceding length field, you might be able to use either proto_tree_add_string(), or proto_tree_add_item() but just set your hf's FT_ appropriately, i.e., FT_STRING, FT_STRINGZ, or FT_UINT_STRING.  Or maybe you can make use of proto_tree_add_time() with your hf_'s FT_ set to FT_ABSOLUTE_TIME or FT_RELATIVE_TIME.  I have no idea what the format of your time field is so I don't know which one, if any of these, would work best for you.  Take a look at epan/ftypes/ftypes.h for a complete list of the FT_'s ... and as always, the README.developer lists them all too, along with a description, and again, there are plenty of examples of dissectors using all these types in epan/dissectors/packet-xyz.c.

As a quick example, let me assume your time field is just a Pascal-style string containing a single byte that indicates the length of the string, followed by the string itself.  The following pseudo-code is a rough example of how you might add it to your tree and have it be a filterable field:

static int hf_icom_time = -1;

dissect_icom(...) {
    ...

    proto_tree_add_item(icom_message_tree, hf_icom_time, tvb, 0, 1, FALSE);

    ...
}

...

    { &hf_icom_time,
        { "Timestamp", "icom.time", FT_UINT_STRING, BASE_NONE,
        NULL, 0x00, "", HFILL }
    },
...

That's pretty much it.  OK, so maybe you have to massage the string first through your _GetMsgTime() function.  No problem, maybe the proto_tree_add_string_format() function call is worth a look.  There are other proto_tree_add_xyz_format() calls as well that might also be of interest to you.

Not sure if that helps or not, but that's all I have time for today :)
- Chris

> -----Original Message-----
> From: gogrady@xxxxxxxxx [mailto:gogrady@xxxxxxxxx]
> Sent: Tuesday, March 31, 2009 4:20 PM
> To: Developer support list for Wireshark
> Cc: Maynard, Chris
> Subject: Re: [Wireshark-dev] Filtering
> 
> I have read through both of those, though i probably should do it again
> now that i know more. But maybe I'm just confused on how the others are
> outputted. right now i add to the tree with:
> 
> time = (_GetMsgTime)();
> pi = proto_tree_add_text(icom_message_tree, tvb, 0, 0, "Time: %s",
> time);
> 
> where time is a char *. in the other proto_tree_add_'s, does it go to
> the hf_icom_* in proto register? and output from there? That's how i
> output the first message:
> 
> { &hf_icom_bnp_type,
> 	{ "ICom BNP Type", "icom.type",
> 	FT_UINT8, BASE_DEC,
> 	VALS(bnp_type_names), 0x0,
> 	NULL, HFILL }
>          },
> 
> would there be a way to put my function somewhere in these calls? such
> as:
> 
> { &hf_icom_message,
> 	{"Message", "icom.message",
> 	FT_UINT16, BASE_DEC,
> 	(function call here?), 0x0,
> 	NULL, HFILL }
> 	}
> 
> or maybe in a value_string? all functions return a char * or int as
> their only types. Maybe i dont have a very understanding of how the
> proto_tree_add and hf[] array works and all.
> 
> Greg
> 
> ---- "Maynard wrote:
> 
> =============
> I would suggest reading through doc/README.developer and
> epan/proto.[h|c] and choosing the best proto_tree_add_xyz() call that
> meets your needs.  Maybe something like proto_tree_add_bytes() or
> proto_tree_add_item() will work for you, I don't know.  There are quite
> a number of them to choose from, so I'm pretty sure you'll find one
> that works for you.  And don't forget to look at other dissectors in
> epan/dissectors/ for some helpful examples.

CONFIDENTIALITY NOTICE: The contents of this email are confidential
and for the exclusive use of the intended recipient. If you receive this
email in error, please delete it from your system immediately and 
notify us either by email, telephone or fax. You should not copy,
forward, or otherwise disclose the content of the email.