Wireshark-dev: Re: [Wireshark-dev] Dissecting packet details field by field

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 15 Jul 2017 11:37:16 -0700
On Jul 15, 2017, at 5:19 AM, David Schaeffer <david.schaeffer2@xxxxxxxxx> wrote:

> On Jul 14, 2017, at 16:19 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
> 
>> So you'd right click on a particular field in the protocol details pane, get a menu with "Graph" as one of the items, and it'd pop up an I/O graph for that field?
>> There's currently no mechanism for that in Wireshark, but it might be a useful *general* addition to Wireshark.
> 
> I actually implemented this already in my local copy of the code base. It has options for opening the default graph and graphing the selected bit code.

So you've added a general "Graph" menu item for the context menu (another name for "right-click menu" that doesn't assume the existence of more than one mouse/trackpad button - the trackpad on my laptop *is* the one-and-only button) for packet detail pane items?

If so, you might want to contribute that as a separate patch, minus any code that deals specifically with bit codes.

> (minus the part wher

That looks a bit incomp

>> *That* would require adding the ability to register a per-field callback, with the default being one that causes a "standard" I/O graph to be popped up, and with your dissector specifying a callback grabbing the IP address and the value of the bit code.  That might call the "draw an I/O graph" code with another callback specified; that callback would indicate whether to use the packet or not.
> 
> I was speaking to someone else that we may have to involve the specific dissector. We are hoping to keep it generalized enough to use it for any protocol though. The common theme seems to be involving the dissector so I think I'll just start with ours and see if I can't expand it to the rest.

The appropriate filter would probably differ from protocol to protocol, so, yes, there should be a mechanism allowing a dissector to register a routine to provide the initial filter for the graph.  Somebody might want, for a particular protocol that *doesn't* run over IP, a "limit this to a particular conversation" item, for example.