Hi,

I am a newbie so please direct me to existing data if such exists (I was not successful at finding).

I am implementing a new proprietary protocol to view my company's device traces. The protocol packets arrive packed in a buffer on a specific UDP port.

My wish is to show each packet as a new entry in the main GUI even though they arrive inside a single buffer. I have tried using subdissectors and even a new dissector via call_dissector() but all attempts fail to show in the main table, all I succeed is to have the packets show in the parent buffer tree (reasonable since I pass that tree in call_dissector).

Is there any way to achieve this?

Many thanks

asked 15 Apr '13, 08:00

amirix

edited 15 Apr '13, 08:32


The packet list is designed to show a packet on a single row; changing that may be a significant amount of work. But since this question has come up a number of times recently, ways of achieving that should perhaps be considered; the developers mailing list is a more appropriate place for that discussion.

answered 15 Apr '13, 21:19

Anders ♦

Thanks for the quick reply. I think this feature is worthwhile for unpacking. I'll visit the mailing list for updates

(16 Apr '13, 09:08) amirix

I'm busting my head finding how to begin and estimate the amount of work needed for such a task. Is there any chance you are familiar with similar attempts or can point me to a place in the code to begin digging from?

Many Thanks

(21 Apr '13, 08:22) amirix

As I said, starting a thread on dev is more appropriate as others might have ideas. It probably involves redesigning the packet list. Figuring out how the GUI display ought to look could be a first step. Doubles for packet numbers? E.g. packet 100.1, 100.2 etc., or perhaps there's a better way? Anyway, it might be a significant amount of work...

(21 Apr '13, 10:34) Anders ♦

I found a way to do it that seems clean enough and will hopefully sustain the throughput needed and be easily ported to other OS: I altered the dumpcap code in a way that the fragmentation is made there, the original IP/UDP header is appended with needed changes and then forwarded to WS. I'll post this also in the development thread I opened.

(05 May '13, 11:46) amirix
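
The splitting approach described in the last comment, as an added example that is not code from this thread or from Wireshark/dumpcap: it works offline on an already captured raw IPv4/UDP packet instead of inside dumpcap, and rebuilds the IP/UDP header for each record so Wireshark lists every record as its own packet. The record framing (2-byte big-endian length prefix), the addresses and the ports are assumptions made for illustration; IP fragments are not handled.

```python
import struct

def ip_checksum(hdr):
    """RFC 1071 ones'-complement sum over an IPv4 header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def split_datagram(pkt):
    """Split one raw IPv4/UDP packet into one IPv4/UDP packet per record.
    Assumed framing (not from the thread): 2-byte big-endian length + body."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ihl < 20 or len(pkt) < ihl + 8 or pkt[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ip, udp = pkt[:ihl], pkt[ihl:ihl + 8]
    udp_len = struct.unpack("!H", udp[4:6])[0]
    payload = pkt[ihl + 8:ihl + udp_len]
    out, off = [], 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated length field")
        rlen = struct.unpack_from("!H", payload, off)[0]
        rec = payload[off + 2:off + 2 + rlen]
        if len(rec) != rlen:  # length field is untrusted input
            raise ValueError("record overruns buffer")
        off += 2 + rlen
        hdr = bytearray(ip)
        struct.pack_into("!H", hdr, 2, ihl + 8 + rlen)  # new total length
        struct.pack_into("!H", hdr, 10, 0)              # clear, then recompute
        struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
        # UDP checksum 0 means "not computed", which is valid over IPv4
        out.append(bytes(hdr) + udp[:4] + struct.pack("!HH", 8 + rlen, 0) + rec)
    return out

def to_pcap(packets, ts=0):
    """Classic pcap file, link type 101 (LINKTYPE_RAW: packets start at IP)."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for p in packets:
        data += struct.pack("<IIII", ts, 0, len(p), len(p)) + p
    return data

def build_packet(payload):
    """Constructed sample: 192.0.2.1:40000 -> 192.0.2.2:50000."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 1, 0,
                                64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])))
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr) + struct.pack("!HHHH", 40000, 50000, 8 + len(payload), 0) + payload
SAMPLE = build_packet(b"\x00\x04AAAA\x00\x02BB\x00\x00")  # three records, one empty
```

Writing `to_pcap(split_datagram(SAMPLE))` to a file and opening it in Wireshark gives three rows in the packet list, each of which an ordinary UDP-port dissector for the record format can decode.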
question asked: 15 Apr '13, 08:00

question was seen: 1,609 times

last updated: 05 May '13, 11:46