Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] <Help> How to add fieldname for certain IEs

From: Sake Blok <sake@xxxxxxxxxx>
Date: Wed, 14 Jul 2010 08:42:39 +0200
On 14 jul 2010, at 04:59, Leon Liu wrote:

> Now what I want to do is extract certain IEs(which involve MS capability) from pcap files via tshark.
> In my plan, I can achieve it using command 'tshark -r filename.dump -R filter(filter out 'attach request') -T field -e fieldname'.
> But when I check the fieldname of IEs which I want to extract, I found that the fieldname is null.
>  
> So my question is how to add fieldname in source code?
> The picture below shows the stacks of protocols and the IEs within the red ellipse are what I want.
>  
> Could someone help me to locate which source file I need to modify? And give me an simple example of how to achieve a new field name?

The reason is that the dissectors that generate the protocol tree for these protocols use "proto_tree_add_text(...)" for the values you would like to extract. This function is easy to implement, because it does not need all the work of setting up fieldnames. Please read the file README.developer in the source tree to get an idea on how to add fields in Wireshark. It also gives a broader perspective on development for Wireshark. Of course the Developers Guide on the Wireshark website is a good starting point on getting a build environment up and running.

Then, which files to edit, you can search the source repository for the specific items you are after. I use a little alias for that:

alias srcfgrep='fgrep -Ril --include "*.[ch]" --exclude "*svn*" '

which can be used like this:

sake@macsake:~/Wireshark/trunk$ srcfgrep "EGPRS multislot class" *
epan/dissectors/packet-bssgp.c
epan/dissectors/packet-gsm_a_gm.c
sake@macsake:~/Wireshark/trunk$

So these two files contain the code that adds the "EGPRS multislot class" items.

I hope this gets you on your way :-)
Cheers,


Sake