Hi all, I'm dissecting non byte aligned fields. I use proto_tree_add_bits_item() it works pretty well but I would like to have the same output as proto_tree_add_item(). I don't want to have the output like: ..10 1010 10.. .... "value" But : value: 10 1010 10 (Like byte aligned standard output). My problem is that this output is very difficult to read because my fields are not aligned at all (once 6 bits, once 2 bits, once 18 bits ...). Wireshark display it in lines and it is difficult to figure out what we are looking for. Is it possible to change the output or do I need to format it manually with proto_item_set_text() and re-write the output format of proto_tree_add_item() ? Regards. Eric asked 18 Feb '13, 05:29  EricST |
One Answer:
Go have a look at the answered 18 Feb '13, 14:05  Jaap ♦ showing 5 of 6 show 1 more comments |
Hi,
I looked for _format_value() variants but there is no variant for add_bits_item. Others are all byte aligned (offset in byte) and I would like to read several non aligned fields.
It works but it looks like:
.... ..00 = Field1: 0x00
0000 01.. = Field2: 1
.... ..00 1010 .... = Field3: 0x0a
.... 0001 1000 0110 1010 00.. = Field4: 0x0061a8
And it is not very human readable, I would prefer to hide the fact that it is not byte aligned and print as usually:
Field1: 0x00
Field2: 1
Field3: 0x0a
Field4: 0x0061a8
Do I need to get each field's value by _ret_value variant and make my own string ?
Thanks for help,
Eric
Hi,
Could someone give me just a track to solve my issue?
Best regards, Eric
Forget about add_bits_item. Go look at proto_tree_add_uint[_format_value()]. This goes something like: 1. extract the byte field from the TVB, 2. extract your bitfield from that. 3. proto_tree_add_uint() / proto_tree_add_uint_format_value() are now free of bitmasks for representation.
N.B The output of proto_add_bits_item() is chosen so you can understand which bits makes up the field highligted in the bytes pane which I at least finds more useful than just displaying the field. I would think twice before going for a different format.
I'm with Anders - the truth is your fields are bitfields, for all intents and purposes. It might be more confusing to someone using your dissector for the purpose of troubleshooting your protocol to see bytes that are not bytes. It might help you out too, to see them the way they really are. It usually helps me when I'm writing a dissector, anyway.
Also, if they're unaligned fields that are related and all together form a larger aligned byte field, you can always hide them in a subtree and have the top-level tree item show their aggregated aligned byte form. For example open any capture file with IP packets and look at the "Differentiated Services Field" of the IP header in Wireshark. It shows it as a subtree, with a descriptive top-level that gives the info, but if the user wants to see the details they can expand the subtree to see it as the bitfields.