This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Creating multiple entries in the GUI for single parsed buffer

0

Hi,

I am a newbie, so please direct me to existing data if such exists (I was not successful at finding any).

I am implementing a new proprietary protocol to view my company's device traces. The protocol packets arrive packed in a buffer on a specific UDP port.

My wish is to show each packet as a new entry in the main GUI even though they arrive inside a single buffer. I have tried using subdissectors and even a new dissector via call_dissector(), but all attempts fail to show in the main table; all I succeed in is having the packets show in the parent buffer tree (reasonable, since I pass that tree in call_dissector).

Is there any way to achieve this?

Many thanks

asked 15 Apr '13, 08:00


amirix
11225
accept rate: 0%

edited 15 Apr '13, 08:32


One Answer:

1

The packet list is designed to show a packet on a single row; changing that may be a significant amount of work. But since this question has come up a number of times recently, ways of achieving that should perhaps be considered; the developers mailing list is a more appropriate place for that discussion.

answered 15 Apr '13, 21:19


Anders ♦
4.6k952
accept rate: 17%

Thanks for the quick reply. I think this feature is worthwhile for unpacking. I'll visit the mailing list for updates.

(16 Apr '13, 09:08) amirix

I'm busting my head finding how to begin and estimate the amount of work needed for such a task. Is there any chance you are familiar with similar attempts or can point me to a place in the code to begin digging from?

Many Thanks

(21 Apr '13, 08:22) amirix

As I said, starting a thread on dev is more appropriate, as others might have ideas. It probably involves redesigning the packet list. Figuring out how the GUI display ought to look could be a first step. Doubles for packet numbers? E.g. packet 100.1, 100.2 etc., or perhaps there's a better way? Anyway, it might be a significant amount of work...

(21 Apr '13, 10:34) Anders ♦

I found a way to do it that seems clean enough and will hopefully sustain the throughput needed and be easily ported to other OS: I altered the dumpcap code in a way that the fragmentation is made there, the original IP/UDP header is appended with needed changes and then forwarded to WS. I'll post this also in the development thread I opened.

(05 May '13, 11:46) amirix