This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to get data inside proto_tree *tree


Hi all, I'm looking for a way to get the value inside proto_tree *tree. As I understand it, the proto_tree *tree is defined to archive all information which was dissected when it goes through the main program, as shown in this figure

[figure: Wireshark dissection flow; image not preserved in the archive]

After that, all further processing would be done with this tree. So, I wonder how to get the values and information from the tree. For example: in "packet-camel.c", we have the function "dissect-isup-original-called-number-parameter" which provides the value of "calling-number" to the tree. But after that, when the tree gets away from this function, how can we extract this value from the tree? It is similar to the question "which part of the source code lets tshark get the value from the tree?" Thanks for your help or any idea. Thank you so much!

asked 15 Sep '13, 21:25


hoangsonk49

edited 15 Sep '13, 23:36

Is there any idea about this topic? There are some points that I'm looking for an answer to but have no clue about, so if you are an expert or have any idea about it, please help me to find out:

  • Where is the starting point of *tree, where it is declared to archive values in order to display them? Where is the ending point, where the tree has all the values completed?
  • Which files or folders contain the main flow of the program (or the starting point for dissecting messages)?
  • How does the program (or which function) get the values from the tree to display them with the corresponding field (e.g. camel.local...)?

I wonder about these questions because I don't know how to write a program like

if (value1==x) && (value2==y)

then printf(value3)

It is really hard to control the program if I don't know the main flow of the program. So, please help me if you understand the structure of the code. Thank you so much!

(19 Sep '13, 00:00) hoangsonk49

I think you are missing the point: you should not access the values in the tree, they are for the filter engine. You probably have to modify the dissector code to achieve what you want, but your end goal is not clear to us.

(19 Sep '13, 00:26) Anders ♦

@hoangsonk49

You are still missing the point. The proto_tree only exists for the packet that is displayed; there isn't a proto_tree for the entire contents of the capture. As @Anders points out, if you tell us what you want to achieve rather than stating how you want to achieve it (which probably won't work), then we may be able to help.

(19 Sep '13, 01:24) grahamb ♦

Hi Anders and Grahamb, I have a camel message which contains "camel.opcode", "calling number" (camel.CallingPartysNumber) and "called number" (camel.CalledPartyNumber). When I use tshark or a filter I can export: if (camel.CallingPartysNumber==x) then export camel.CalledPartyNumber, OR if (camel.opcode==y) then export { camel.CalledPartyNumber and camel.CallingPartysNumber }. But now I have to send it automatically via a socket from code. Of course I can export to a text file and read it, but in this case I need to do it in real time, and for some reasons related to performance. It means: when tshark or wireshark analyzes the network and a message satisfies the conditions above, the program will, from the code, send those values to the server via a socket. That is my end goal. I know where the dissectors of those values are; I can also send all values via a socket in real time, but only from the dissectors, locally, without conditions. That is my problem.

(19 Sep '13, 02:03) hoangsonk49

For the reasons above, I think if I could know how tshark or the filter can export values with a condition (e.g. camel.CalledPartyNumber == x) and where that code is, I could go into the code and check whether I can insert my conditions, fixed in the code, so that the next time I run tshark or wireshark it sends the values to the server automatically.

(19 Sep '13, 02:20) hoangsonk49

One Answer:


I think you have a basic misunderstanding of how dissectors work in Wireshark, particularly with respect to the protocol tree.

The proto_tree is only populated when required for display (or output, in the case of tshark). A dissector may be called multiple times (at least once for each frame that might contain the protocol) and the proto_tree parameter may be null, in which case the dissector doesn't have to dissect the protocol values as there is no proto_tree to put them into. This is used on the first pass of Wireshark to build up such things as conversations and other relationships between packets.

Every time the user clicks on a frame in Wireshark, then the appropriate dissectors will be called with a non-null proto_tree parameter so that the dissectors can populate it with all the dissected fields.

So, if you want a protocol field value, then you must access it from within a dissector as it's actually being dissected, or possibly by using a tap, passing the extra values required from the dissector to the tap as parameters to the tap_queue_packet call. See README.tapping for more info.

answered 16 Sep '13, 01:33


grahamb ♦
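The approach the answer points at, without touching the proto_tree from outside a dissector, is to let tshark's own filter engine evaluate the condition per packet and only post-process what it prints. The following is an added example written for this thread, not code from the Wireshark project or from the posters. It assumes tshark runs on a live interface, line-buffered, exporting the four fields named in the question (the field names are the real ones from the question; the host, port, number and opcode values and the sample lines are constructed for illustration):

```python
"""Filter tshark field output by a compound condition and forward the
matching values over a socket.

Added example for this thread, not Wireshark project code. It assumes
tshark is run live and line-buffered, exporting the four fields named
in the question, e.g.

  tshark -i eth0 -l -Y camel -T fields -E separator=/t -E occurrence=f \
      -e frame.number -e camel.opcode \
      -e camel.CallingPartysNumber -e camel.CalledPartyNumber \
  | python3 camel_forward.py 10.0.0.5 9000 123456 0

(-Y is the display-filter option of tshark 1.10 and later; older
releases used -R.) Host, port, numbers and opcode value are assumptions.
"""
import socket
import sys
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional, Tuple

# Column order must match the -e options given to tshark.
FIELDS = ("frame.number", "camel.opcode",
          "camel.CallingPartysNumber", "camel.CalledPartyNumber")

# Constructed sample of what `tshark -T fields` prints for four frames;
# an absent field is exported as an empty string.
SAMPLE_LINES = [
    "12\t0\t123456\t987654\n",   # calling number matches x
    "13\t1\t555000\t987654\n",   # nothing matches
    "14\t0\t555000\t111222\n",   # opcode matches y
    "15\t5\t\t\n",               # CAMEL packet without number parameters
    "garbage line\n",            # e.g. a warning tshark wrote to stdout
]


@dataclass(frozen=True)
class CamelRecord:
    frame: int
    opcode: str
    calling: str
    called: str


def parse_fields_line(line: str) -> Optional[CamelRecord]:
    """Parse one tab-separated `tshark -T fields` line; None if malformed."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS) or not parts[0].isdigit():
        return None
    return CamelRecord(int(parts[0]), parts[1], parts[2], parts[3])


def select_matches(records: Iterable[CamelRecord], want_calling: str,
                   want_opcode: str) -> Iterator[Tuple[CamelRecord, str]]:
    """The two rules from the question, evaluated on the exported fields:
         calling == x -> export the called number
         opcode  == y -> export calling and called numbers
    Empty (absent) fields never match, so a packet lacking the parameter
    cannot satisfy a rule by accident."""
    for r in records:
        if r.calling and r.calling == want_calling:
            yield r, f"called={r.called}"
        elif r.opcode and r.opcode == want_opcode:
            yield r, f"calling={r.calling} called={r.called}"


def forward(lines: Iterable[str], sock, want_calling: str,
            want_opcode: str) -> int:
    """Stream lines through the rules, writing one line per match to any
    object with sendall(); returns the number of records forwarded."""
    records = filter(None, map(parse_fields_line, lines))
    sent = 0
    for rec, payload in select_matches(records, want_calling, want_opcode):
        sock.sendall(f"frame={rec.frame} {payload}\n".encode())
        sent += 1
    return sent


class CollectingSocket:
    """Stand-in for a TCP socket so the example runs offline."""

    def __init__(self) -> None:
        self.buf = bytearray()

    def sendall(self, data: bytes) -> None:
        self.buf += data


def demo() -> str:
    """Run the constructed sample through the pipeline; returns what was sent."""
    sink = CollectingSocket()
    forward(SAMPLE_LINES, sink, want_calling="123456", want_opcode="0")
    return sink.buf.decode()


if __name__ == "__main__":
    host, port, x, y = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    with socket.create_connection((host, port)) as s:
        forward(sys.stdin, s, want_calling=x, want_opcode=y)
```

Because `-l` flushes after every packet, the script sees each match as soon as tshark has dissected the frame, and the per-packet condition is still evaluated by the dissector plus filter engine, so nothing in the dissector or the "main flow" needs changing. `-E occurrence=f` keeps only the first value when a field appears several times in one packet; drop it if you need all of them.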

Hi grahamb, I agree that I had a misunderstanding of the proto_tree. I already accessed the dissector to get the values, but separately; for example, from the figure, I can access dissector Func() to get value 1 and value 2, but that is not enough because in some cases I need a condition which requires both value 1 and value 2 (if value1 == x && value2 == y) then (...). In this case, I need the "main flow" of the program so that I could use both values together instead of each value separately. I think most values are shown on the display, so most of them were added into the tree. I would prefer to understand the main flow of how tshark (or the filter) is able to run with the condition (if value1 == x && value2 == y) then (...). I really don't want to process in such deep detail as the dissector, because there are many other functions that can call it at any time.

(16 Sep '13, 01:52) hoangsonk49

You should be able to modify the camel dissector to do that; however, this may not solve your entire problem. This is because running Wireshark for extended periods of time will eventually cause the process to crash due to lack of memory. See the Wiki page here for more info.

So, if you still plan to do this, you must either cope with Wireshark crashing and restarting it and hoping you don't miss any important messages, or restart the process at intervals, again hoping you don't miss any messages.

(19 Sep '13, 06:12) grahamb ♦

Hi Grahamb. I see in that link: "Wireshark uses memory to store packet meta data (e.g. conversation and fragmentation related data) and to display this info on the screen".

  • So if I use the tshark command without the wireshark GUI, to display only some fields, is any packet metadata stored, and does it cause out-of-memory? I see from that link "Wireshark cannot throw away this information as it might be required later; Wireshark keeps this information in memory until the capture file is closed", but if I use tshark, does that happen?
  • One more thing: I have a .pcap file, about 200 MB in size, with a duration of 10 minutes. Does it make sense that reading it with wireshark or tshark takes longer than 10 minutes, and if so, what happens when we run in real time instead of reading a file?
  • And about my end goal, extracting values with conditions the way tshark and the filter are able to: it is impossible to do it with only the camel dissector, because it is a local function while the conditions are only made at a higher level. And I really don't know how tshark and the filter can do it even though nothing is done in the local function; it means they are able to read all the values. Thanks!

P/s: I only process the running network in real time. I don't want to store or keep it in a .pcap file. When a message comes, if it satisfies the condition, the information is sent to the server from the code, and nothing more is done with this message; it should be thrown away. So, is there any way to do this with wireshark or tshark? Because I think if so, we don't need to spend a lot of memory.

(19 Sep '13, 18:23) hoangsonk49