This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to use multiple lines for one header field?

0

The dissector that I'm working on includes a header that encodes a DAG. The easiest way to read a DAG in human-readable format is in a way where each node (maximum of 9 nodes) is converted to a string and placed on a different line. I am looking to implement in Wireshark something like:

Destination DAG:
     0x1-1234567890123456789012345678901234567890-1:
     0x2-123456789a123456789a123456789a123456789a-1;
     0x3-123456789b123456789b123456789b123456789b-0;

Where the indentation denotes that the three nodes above are in the subtree of "Destination DAG."

Some things I have tried:

  • proto_tree_add_string_format() with '\n' characters. However, anything after the first '\n' character is cut off from the display. Also, it looks like the Wireshark printf-like format functions want any %s arguments to be a static const array of chars, not a variable.
  • Creating a new header field for each node. The problem here is that you can't have a header field without a name and an appended colon before the content.

The closest that I have come to seeing another dissector that might be able to do this is the TCP options fields. There doesn't appear to be a field name anywhere (no colon), but the content looks static, which is not the case with my dissector.

Options: (12 bytes)
    No-Operation (NOP)
    No-Operation (NOP)

Is there a way to do this? Thanks in advance for any help!

asked 12 Jun '12, 09:05

Cody

edited 12 Jun '12, 09:11


One Answer:

2

> The problem here is that you can't have a header field without a name and an appended colon before the content.

Yes you can. Have a look at the proto_tree_add_*_format() functions. In your case, it looks like proto_tree_add_string_format() will do the job for you.

answered 12 Jun '12, 09:35

cmaynard ♦♦

Works perfectly, thank you. I got tripped up when the compiler complained about that function when it had only one argument, but I've worked out a solution.

(12 Jun '12, 09:56) Cody

Well, proto_tree_add_string_format() takes a minimum of 7 arguments, so by "only one argument" you presumably mean "only the format string argument".

If so, then note that the ONLY valid format argument for any printf-like function is a format string. If you want to print an arbitrary string, the way to do that is by having "%s" as the format string and having the arbitrary string be the argument to the format string, e.g.

proto_tree_add_string_format(tree, hf_XXX, tvb, offset, length, "%s", string);

not

proto_tree_add_string_format(..., offset, length, string);

(12 Jun '12, 15:58) Guy Harris ♦♦

Yes, I misspoke about the arguments, thank you. And I also tried what you suggest above with the following code:

char *p =  strtok(buf, "\n");

//proto_tree_add_string_format(tr, hf, tvb, off + (i * NODE_SIZE), NODE_SIZE,"%s%s", p, "");

proto_tree_add_string_format(tr, hf, tvb, off + (i * NODE_SIZE), NODE_SIZE, "%s", p);

And the call that is not commented out returns the error:

packet-xip.c:86:4: error: format not a string literal and no format arguments [-Werror=format-security]

Anything that I’m obviously missing here?

(14 Jun '12, 11:15) Cody

> Anything that I’m obviously missing here?

The “value” argument to proto_tree_add_string_format(). “add_string” means “add a string value to the protocol tree”, and “format” means “but display it with the format and format arguments after the string value argument”. Try

proto_tree_add_string_format(tr, hf, tvb, off + (i * NODE_SIZE), NODE_SIZE, p, "%s", p);

(14 Jun '12, 11:31) Guy Harris ♦♦
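
The pattern from the last comment, as an added stand-alone sketch (not code from the thread or from Wireshark): one item per DAG node, with the node text passed only as an argument to "%s". Here toy_add_string_format() and struct toy_tree are hypothetical stand-ins that mirror only the value-then-format argument order of proto_tree_add_string_format(), and the DAG strings are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAX_NODES 9   /* the question gives a maximum of 9 nodes */
#define LINE_LEN  96

/* Hypothetical stand-in for a protocol tree: one display line per item. */
struct toy_tree { char lines[MAX_NODES][LINE_LEN]; int count; };

/* Hypothetical stand-in: a string value, then a printf-style format and its
 * arguments. The attribute lets GCC/Clang check callers' format strings. */
__attribute__((format(printf, 3, 4)))
static int toy_add_string_format(struct toy_tree *t, const char *value,
                                 const char *format, ...)
{
    va_list ap;
    (void)value;   /* the field's value; only the formatted text is shown */
    if (t->count >= MAX_NODES)
        return -1;
    va_start(ap, format);
    vsnprintf(t->lines[t->count], LINE_LEN, format, ap);
    va_end(ap);
    return t->count++;
}

/* Split a newline-separated DAG string (modified in place by strtok) and
 * add one item per node. Returns the number of items added. */
static int add_dag_nodes(struct toy_tree *t, char *buf)
{
    int added = 0;
    for (char *p = strtok(buf, "\n"); p != NULL; p = strtok(NULL, "\n")) {
        /* Packet-derived text is an argument only, never the format. */
        if (toy_add_string_format(t, p, "%s", p) < 0)
            break;
        added++;
    }
    return added;
}

int main(void)
{
    /* Constructed sample: the second node contains printf directives. */
    char buf[] = "0x1-1234-1\n0x2-%s%n-1\n0x3-abcd-0";
    struct toy_tree t = { .count = 0 };
    add_dag_nodes(&t, buf);
    for (int i = 0; i < t.count; i++) puts(t.lines[i]);
    return 0;
}
```

Because each node is rendered through "%s", the directives in the second constructed node appear literally instead of being interpreted.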