This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi all, I am following the Developer's Guide (http://www.wireshark.org/download/docs/developer-guide-a4.pdf), and in chapter 9 I'm trying to understand the code structure of Wireshark. In the code of Example 9.8, "Wrapping up the packet dissection", I see `proto_register_foo(void)`, in which we have:


Code


where `hf_foo_flags` is the index for this node. I wonder how we can get the value of this node; in other words, I want to export this value into a text file and apply that to all of those nodes. But it seems to be just an INDEX for this node, not a value. So, experts, could you please explain to me how to get the value of this node? Thanks!

asked 06 Sep '13, 03:26

hoangsonk49

edited 06 Sep '13, 08:11

cmaynard ♦♦

I think you need to explain in more detail what you are trying to do as I suspect you are going about it in the wrong way. tshark -z might do what you are looking for.

(06 Sep '13, 04:47) Anders ♦

Hi Anders, here are some values which are dissected by the GUI:

[screenshot: dissected field values as shown in the Wireshark GUI]

Each one has its own value, for example servicekey = 20; that's what we can see on the GUI. My objective is to extract those values into a text file AUTOMATICALLY by using the source code, not tshark -z or copy-paste from the GUI... Of course tshark -z can do it, but I want to go deeper, into the lower level which is really running inside the tshark command; in other words, I have to control the flow of Wireshark and where it assigns those values in the code. I checked in the code and see that all values have their own node. For example: "FOO PDF Flags" has `hf_foo_flags`, "servicekey" has `hf_camel_serviceKey`. But that is not a variable which carries its value, it is just the index of a node. So, I have a node index, and I wonder how to get the value of this node. In general my question is:

  1. Which variable in the code carries the value of things like "servicekey, locationnumber, FOO PDF Flags ..."?

  2. As I see, each of the things like "servicekey, locationnumber, FOO PDF Flags ..." has its own node index such as `hf_camel_serviceKey`, `hf_foo_flags`, but I don't know how to fprintf the value of this node. I guess the value of this node is the value of those things which are displayed on the GUI, so I need to print it out to be sure.

Please help if you have any idea about it, thanks a lot.

(06 Sep '13, 06:04) hoangsonk49

Well, a full protocol tree might not be built on the first sequential pass through the capture file by Wireshark, so even accessing the tree might not give you what you want. Parsing the PDML output might be an idea.

(06 Sep '13, 06:47) Anders ♦

Hi Anders, but when we open the GUI and "start" to run, "Parsing the PDML" doesn't run in parallel, right? "Parsing the PDML" starts to run only when we use the command to call it in order to export a PDML file. So, it means that to display the value "20" of "servicekey", Wireshark must get this value from somewhere in the code, right? And I'm looking for that "somewhere". Wireshark processes the dissector in the file "packet-xxx.c", where xxx is the name of the protocol. Processing is done in this file, but all I know is that it puts the value into a tree, and I don't know how it gets these values from the tree to display them. In other words, which function gets and displays the value of "serviceKey" on the GUI?

(08 Sep '13, 18:48) hoangsonk49

Maybe using tshark gives you what you want?

tshark -r file.pcap -T fields -e camel.serviceKey -e camel.locationNumber

Feel free to add as many fields as needed.

In Wireshark, you could add those fields of interest as custom columns via Edit -> Preferences -> Columns -> Add -> Field type: Custom -> Field name: camel.serviceKey -> [Rename title and drag to desired column location] -> OK, and then use File -> Export Packet Dissections -> as "Plain Text" file... -> Packet summary line


answered 06 Sep '13, 08:22

cmaynard ♦♦

Hi cmaynard, yes, of course, tshark can do it as well, but as I mentioned above, I'd like to control it at a lower level, by source code, not only by the tshark command, in order to do more with these values. So, to do that I have to know which variable carries those values; that's all I am looking for. Thanks!

(08 Sep '13, 18:05) hoangsonk49
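The `tshark -T fields` approach from the answer above, worked through as an added example (this is not code from the original page or from the Wireshark project): it builds the tshark command line with the `-E` options that control the header, separator, quoting and multiple field occurrences, parses the resulting output into one record per packet, and writes the values to a text file. The sample output, the `frame.number` column, the `84:13:...` location number bytes and all function names are constructed for illustration; running it against a real capture assumes `tshark` is on PATH.

```python
"""Export dissected field values to a text file with tshark -T fields.

Added example, not code from the original page or the Wireshark project.
Running it against a real capture assumes `tshark` is on PATH; the sample
output further down is constructed by hand so the parsing runs offline.
"""
import csv
import io
import shutil
import subprocess
from typing import Dict, List

# Display-filter names of the fields to export. These are the `abbrev`
# strings registered next to the hf_ indexes (e.g. hf_camel_serviceKey)
# in packet-camel.c; frame.number is added here so rows can be matched
# back to packets.
FIELDS = ["frame.number", "camel.serviceKey", "camel.locationNumber"]


def tshark_command(pcap: str, fields: List[str]) -> List[str]:
    """Build the tshark command line for a machine-readable export.

    -E header=y      first line names the fields
    -E separator=/t  tab-separated columns
    -E quote=d       double-quote every value, so separators inside survive
    -E occurrence=a  emit every occurrence of a field in a packet ...
    -E aggregator=,  ... joined with commas (pick another character if
                     the values themselves can contain commas)
    """
    cmd = ["tshark", "-r", pcap, "-T", "fields",
           "-E", "header=y", "-E", "separator=/t", "-E", "quote=d",
           "-E", "occurrence=a", "-E", "aggregator=,"]
    for name in fields:
        cmd += ["-e", name]
    return cmd


def parse_fields_output(text: str, aggregator: str = ",") -> List[Dict[str, List[str]]]:
    """Parse tshark -T fields output into one {field: [values]} dict per packet.

    A field absent from a packet maps to an empty list; a field that occurs
    several times (occurrence=a) maps to all of its values in order.
    """
    rows = list(csv.reader(io.StringIO(text), delimiter="\t", quotechar='"'))
    if not rows:
        return []
    header, packets = rows[0], []
    for row in rows[1:]:
        if not row:  # trailing blank line
            continue
        packets.append({name: (raw.split(aggregator) if raw else [])
                        for name, raw in zip(header, row)})
    return packets


def format_lines(packets: List[Dict[str, List[str]]], fields: List[str]) -> List[str]:
    """One tab-separated text line per packet, fields in the requested order."""
    return ["\t".join(",".join(p.get(name, [])) for name in fields) for p in packets]


def export(pcap: str, fields: List[str], out_path: str) -> int:
    """Run tshark on `pcap`, write the values to `out_path`, return the packet count."""
    if shutil.which("tshark") is None:
        raise RuntimeError("tshark not found on PATH")
    proc = subprocess.run(tshark_command(pcap, fields),
                          capture_output=True, text=True, check=True)
    packets = parse_fields_output(proc.stdout)
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(format_lines(packets, fields)) + "\n")
    return len(packets)


# Constructed sample of what the command above prints for three packets:
# packet 2 carries no CAMEL PDU, packet 3 has two serviceKey occurrences.
SAMPLE_OUTPUT = (
    "frame.number\tcamel.serviceKey\tcamel.locationNumber\n"
    '"1"\t"20"\t"84:13:90:12:34:56:f7"\n'
    '"2"\t""\t""\n'
    '"3"\t"20,21"\t"84:13:90:12:34:56:f7"\n'
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print("%d packets written" % export(sys.argv[1], FIELDS, sys.argv[2]))
    else:
        for line in format_lines(parse_fields_output(SAMPLE_OUTPUT), FIELDS):
            print(line)
```

Run as `python export_fields.py file.pcap out.txt` to write one line per packet; with no arguments it parses the constructed sample instead. The connection to the `hf_` index in the question: the names passed to `-e` are the display-filter abbreviations registered in the same `hf_register_info` array as `hf_camel_serviceKey`, and that abbreviation is what tshark looks up to locate the field's value in the dissected protocol tree.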