This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I show a string for a decoded value?

0

I am trying to have a dissector for my proprietary protocol. I have to decode Flags byte in my protocol as bit-string and I have done it with below code:

f.msg_flags = ProtoField.uint8("MyProto.Flags", "Flags", base.HEX)
f.msgver = ProtoField.uint8("MyProto.msgver", "Version", base.DEC, nil, 0xE0)
f.prototype = ProtoField.uint8("MyProto.prototype", "Protocol Type", base.DEC, nil, 0x10)
f.reserver = ProtoField.uint8("MyProto.reserved", "Reserved", base.DEC, nil, 0x0E)

local msg_flags = buffer(offset,1):bytes()
subtree:add(f.msg_flags,buffer(offset,1))
subtree:add(f.msgver,buffer(offset,1))
subtree:add(f.prototype,buffer(offset,1))
subtree:add(f.reserver,buffer(offset,1))

And Wireshark decodes with above code:

Flags:    0x2e

  001. .... = Version: 1
  ...0 .... = Protocol Type: 0
  .... 111. = Reserved: 7

But I want to set the Name String for the bit field ‘Protocol Type’ based on the value. If Protocol Type bit is set to ‘0’ then I want to show it as “MYPROTO1” and if bit is set to ‘1’ then show it as “MYPROTO2”.

i.e: After wireshark decode I want to see it as

Flags:    0x2e
  001. .... = Version: 1
  ...0 .... = Protocol Type: MYPROTO1 (0)
  .... 111. = Reserved: 7

Any help is greatly appreciated.

    asked 17 Aug ‘12, 05:37

    Aruna Sirigere
    6224
    accept rate: 0%

    edited 17 Aug ‘12, 06:23

    multipleinte…
    1.3k152340


    2 Answers:

    2

    What you need is called a value string. I couldn't find any particularly good examples very quickly, but it should look something like this:

    local VALS_MYPROTO = {[0] = "MYPROTO1", [1] = "MYPROTO2"}

    ...and then when you declare your protofield, provide this table as the valuestring parameter:

    f.prototype = ProtoField.uint8("MyProto.prototype", "Protocol Type", base.DEC, VALS_MYPROTO, 0x10)

    That should do what you want. The equivalent in C would be this:

    static const value_string vs_myproto[] = {
        {0, "MYPROTO1"},
        {1, "MYPROTO2"},
        {0, NULL}
    };
    

    static hf_register_info hf[] = {
        {&hf_prototype,
         {"Protocol Type", "myproto.prototype", FT_UINT8, BASE_HEX,
          VALS(vs_myproto), 0x10, "Protocol Type", HFILL}}
    };

    Note that in C, you could also use a true_false_string instead of a value_string for a 1-bit field (boolean). In either case, you add this code to your protofield declaration, and Wireshark will do the rest; that is, you do not need to do anything special for it to display your value string.

    answered 17 Aug ‘12, 06:24

    multipleinte…
    1.3k152340
    accept rate: 12%

    As a little further explanation, the value “0x10” in the fine examples above is a mask to isolate the bit(s) required for the value string.

    (17 Aug ‘12, 06:32) grahamb ♦

    Thanks Multipleinterfaces and jaap. It worked.. :)

    (19 Aug ‘12, 22:47) Aruna Sirigere

    I’ve converted your “answer” to a comment as that’s how this site works. You can accept the best answer to your question by clicking the “check mark” icon next to the answer which helps other users to see what solved your problem.

    (20 Aug ‘12, 03:26) grahamb ♦

    1

    In ProtoField.uint8("MyProto.prototype", "Protocol Type", base.DEC, nil, 0x10) replace the nil by a value string.

    local VALS_VER  = {[0] = "MYPROTO1", [1] = "Not MYPROTO1"}
    ProtoField.uint8("MyProto.prototype", "Protocol Type", base.DEC, VALS_VER, 0x10)

    answered 17 Aug '12, 06:30

    Jaap ♦
    11.7k16101
    accept rate: 14%

    edited 17 Aug '12, 06:31
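
An added example, not part of the original thread and not Wireshark source code: a stand-alone C model of what the mask and value string in both answers do to the flags byte 0x2e from the question. The names `vs_entry`, `field_value`, `vs_lookup` and `render` are hypothetical; the point is that the table is keyed by the value after the masked bits are shifted down (0 and 1), not by the masked byte (0x00 and 0x10).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative stand-in for a value string table; not Wireshark's own type. */
struct vs_entry { uint32_t value; const char *text; };

static const struct vs_entry vs_prototype[] = {
    {0, "MYPROTO1"}, {1, "MYPROTO2"}, {0, NULL}   /* NULL text terminates */
};

/* Apply the mask, then shift right until the mask's lowest set bit is bit 0. */
static uint32_t field_value(uint8_t octet, uint8_t mask)
{
    uint32_t v = octet & mask;
    if (mask == 0) return octet;       /* no mask: whole octet is the value */
    for (; (mask & 1) == 0; mask >>= 1)
        v >>= 1;
    return v;
}

/* Return the label for value, or NULL when the table has no entry. */
static const char *vs_lookup(const struct vs_entry *vs, uint32_t value)
{
    for (; vs->text != NULL; vs++)
        if (vs->value == value) return vs->text;
    return NULL;
}

/* Format one field line; vs may be NULL for a plain numeric field. */
static const char *render(const char *label, uint8_t octet, uint8_t mask,
                          const struct vs_entry *vs)
{
    static char line[64];
    unsigned v = field_value(octet, mask);
    const char *name = vs ? vs_lookup(vs, v) : NULL;
    if (!vs)
        snprintf(line, sizeof line, "%s: %u", label, v);
    else
        snprintf(line, sizeof line, "%s: %s (%u)", label, name ? name : "Unknown", v);
    return line;
}

int main(void)
{
    puts(render("Version", 0x2e, 0xE0, NULL));
    puts(render("Protocol Type", 0x2e, 0x10, vs_prototype));
    puts(render("Reserved", 0x2e, 0x0E, NULL));
    return 0;
}
```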