This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Custom dissector - How to format data?


I followed the online example here: http://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html and managed to get my custom dissector working correctly. My results look like this in wireshark:

Status Protocol

Serial Number: 0x0000001a57004eaf

Reserved: 0

Product ID: Radio Module (3)

Capabilities: Unknown (52)

Is there a way I can format 0x0000001a57004eaf to look like 00:00:00:1a:57:00:4e:af ?

If I can turn the 8 bytes into a string and format it, that might work. I'm just not sure where to stick such a function to make it work with the foo example in the tutorial above. It's all still "magic" to me since I blindly followed the tutorial.

My other problem is the packets have a varying amount of capabilities. The packets can have any amount of capabilities from 1 to 5. Right now, I'm just reading the first capability because I'm not sure how to get the others. Is there a way to loop to the end of the packet, then proto_tree_add_item the entire array of capabilities? I'd like the capabilities to be on one line, if possible, like this: Capabilities: Human (4), Mobile (3), Trackable (1)

But even if they have to be on separate lines, I still need a way to loop through a varying amount of capabilities.

asked 31 Jul '13, 08:21


Arwen17
accept rate: 0%

edited 31 Jul '13, 08:35


One Answer:


You might get away with calling proto_tree_add_item() using a field type of FT_IPv6, but I don't know if that might lead to odd filtering issues (your serial number matching an IPv6 filter string); or you can create any string you like and then use proto_tree_add_text(); or you can use proto_tree_add_bytes_format() and supply your own formatting string and values.

Assuming you know the length of your overall message and the length of each of your capability items, just loop over them reading data from the tvb, adding the item to the tree and incrementing your byte count (the variable offset in most cases) until the byte count you have read matches the total message length.

answered 31 Jul '13, 09:09


grahamb ♦
accept rate: 22%

Thank you, that did help me.

http://anonsvn.wireshark.org/wireshark/trunk/epan/tvbuff.c

http://anonsvn.wireshark.org/wireshark/trunk/epan/tvbuff.h

Here's what worked for me:

    gint length = tvb_length(tvb);   /* captured length of this tvb */
    /* stop when fewer than 2 bytes remain; `offset != length` would run
       past the end of a packet whose length is not a multiple of 2 */
    while (offset + 2 <= length) {
        /* hf_capability stands for your capability field id; ENC_BIG_ENDIAN assumed */
        proto_tree_add_item(tree, hf_capability, tvb, offset, 2, ENC_BIG_ENDIAN);
        offset += 2;
    }

The FT_IPv6 cheat didn't work for me, so I have to write my own string. I'm still trying to figure this out. Can I pass a string directly to proto_tree_add_text() or proto_tree_add_bytes_format()? Or do I need to have it stored in a tvbuff_t type?

Some example syntax of proto_tree_add_text() or proto_tree_add_bytes_format() would be nice.

I wish I could just: proto_tree_add_text(tree, hf_serial_num, "String!");

EDIT: ok halfway there:

proto_tree_add_string(tree, hf_serial_num, tvb, 0, 11, "Your String");

with 0 and 11 being the length of the string and NOT the serial_num.

I used FT_STRING, BASE_NONE for serial_num registration.

(31 Jul '13, 10:55) Arwen17

Here's what finally worked for me:

    /* Format the first 8 bytes of the tvb as colon-separated hex into buf.
       buf is supplied by the caller (at least 24 bytes: 16 hex digits,
       7 colons, NUL) so the returned pointer stays valid after the function
       returns; a local array would be gone by then. tvb_get_ptr() reads the
       packet bytes in place, so nothing has to be freed. */
    char* hexString(tvbuff_t *tvb, char *buf, gsize buflen)
    {
        const guint8 *bytes = tvb_get_ptr(tvb, 0, 8);

        g_snprintf(buf, buflen, "%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
                   bytes[0], bytes[1], bytes[2], bytes[3],
                   bytes[4], bytes[5], bytes[6], bytes[7]);
        return buf;
    }

and

    char buf[25];
    const char* test = hexString(tvb, buf, sizeof buf);
    /* the field value comes before the format string in this call */
    proto_tree_add_string_format_value(tree, hf_serial_num, tvb, 0, 8, test, "%s", test);
(01 Aug '13, 11:55) Arwen17

After kicking it some more, this made things more beautiful:

proto_tree_add_string(tree, hf_serial_num, tvb, 0, 8, test);
(02 Aug '13, 11:11) Arwen17
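As an added example (not code from the question, the answer, or Wireshark), here is the formatting logic behind both requests on this page, the colon-separated serial number and the single-line capability list, written as plain C with no Wireshark headers so it compiles on its own. The names cap_names, cap_lookup, format_serial and format_capabilities are my own, the capability codes and sample serial are the ones shown in the question, and the 2-byte item size follows the `offset += 2` loop in the comments; in a real dissector the bytes would come from tvb_get_ptr() and the strings would go to proto_tree_add_string().

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
/* Constructed table; a Wireshark value_string[] has the same shape. */
struct cap_name { uint16_t value; const char *name; };
static const struct cap_name cap_names[] = {
    { 1, "Trackable" }, { 3, "Mobile" }, { 4, "Human" }, { 0, NULL }
};

static const char *cap_lookup(uint16_t value) {   /* like val_to_str() */
    for (const struct cap_name *c = cap_names; c->name != NULL; c++)
        if (c->value == value) return c->name;
    return NULL;                       /* caller prints "Unknown (n)" */
}
/* Format 8 serial bytes as "00:00:00:1a:57:00:4e:af" (out needs 24 bytes).
   In the dissector: bytes from tvb_get_ptr(tvb, 0, 8), result to
   proto_tree_add_string(). */
void format_serial(const uint8_t serial[8], char *out, size_t outlen) {
    size_t pos = 0;
    for (int i = 0; i < 8 && pos < outlen; i++)
        pos += (size_t)snprintf(out + pos, outlen - pos,
                                i ? ":%02x" : "%02x", (unsigned)serial[i]);
}
/* Build "Human (4), Mobile (3), Trackable (1)" from the capability area,
   2 bytes per item, big-endian. Stops when fewer than 2 bytes remain (a
   `while (offset != length)` loop would overrun). Returns items decoded. */
int format_capabilities(const uint8_t *data, size_t len,
                        char *out, size_t outlen) {
    size_t pos = 0;
    int count = 0;
    out[0] = '\0';
    for (size_t offset = 0; offset + 2 <= len; offset += 2, count++) {
        uint16_t v = (uint16_t)((data[offset] << 8) | data[offset + 1]);
        const char *name = cap_lookup(v);
        int n = snprintf(out + pos, outlen - pos, "%s%s (%u)",
                         count ? ", " : "", name ? name : "Unknown", (unsigned)v);
        if (n < 0 || (size_t)n >= outlen - pos) break;   /* out is full */
        pos += (size_t)n;
    }
    return count;
}

int main(void) {                       /* constructed sample input */
    const uint8_t serial[8] = { 0, 0, 0, 0x1a, 0x57, 0, 0x4e, 0xaf };
    const uint8_t caps[] = { 0, 4, 0, 3, 0, 1, 0 };  /* odd trailing byte */
    char s[24], c[64];
    format_serial(serial, s, sizeof s);
    format_capabilities(caps, sizeof caps, c, sizeof c);
    printf("Serial Number: %s\nCapabilities: %s\n", s, c);
    return 0;
}
```

The odd trailing byte in the sample shows the length guard at work: three capabilities are decoded and the leftover byte is ignored instead of being read past the end.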