This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

dissect in bits range

0

Hi,

It seems the normal way of dissecting a packet only goes down to byte level.

What if I have a value that is, say, 10 bits long (with no padding to make it into two bytes), is there a way I can add a tree item for it and highlight the corresponding bits?

Thank you so much,

yxi

asked 02 Mar '14, 09:27

YXI

retagged 02 Mar '14, 20:53

Hadriel


2 Answers:

1

It depends on how you mean that. Do you mean your protocol literally has a field that is 10 bits long and all subsequent fields/values are offset by those extra 2 bits from then on for the rest of the protocol's packet? Or do you just mean you've got a field that is 10 bits long, and the other 6 bits are used-for/part-of some unrelated field? If the latter case, that's what the bitmask is for (see header_field_info in proto.h). For an example of it being used, look in epan/packet-vlan.c, where the vlan_id is only 12 bits wide (but ultimately inside an even vlan tag size).

answered 02 Mar '14, 11:22

Hadriel

If your protocol truly is bit-oriented, take a look at proto_add_bits_item().

(02 Mar '14, 12:14) Anders ♦

Hi,

Thanks for the answers. Both situations are possible, in my case.
I forgot to mention that I have to use Lua script, instead of C.
Ideally, when a value is stored in bytes, when it is clicked, corresponding bytes will light up. When another value is stored in bits, when clicked, the display pane will switch to bit view and highlight corresponding bits. I don't know if that's possible.

(02 Mar '14, 20:04) YXI

0

You can change the display pane to view bits - right-click in the Packet Bytes pane (usually the window pane shown on the bottom) and select "Bits View" instead of the default "Hex View". But it won't highlight the specific bit(s) of a field as far as I know - it still highlights the whole byte(s) those bits are in.

Even if proto_tree_add_bits_item() is used, it appears to highlight the whole byte(s). For example the IP header flags (reserved, don't fragment, more fragments) are added using that function and I can't discern any visual difference from just using a bitmask. (there probably is a difference, I just don't know what it is)

But anyway, I don't believe Lua has an exposed function for proto_tree_add_bits_item(), but you can use bitmasks. The dissector.lua script that you can download from the top of the wiki Lua examples page uses bitmasks quite a bit. (hmmm, there's a pun there)

answered 02 Mar '14, 20:50

Hadriel

Thanks Hadriel. At this point I will stop trying to highlight exact bits that don't occupy a whole byte. It is probably, like you said, impossible. I can always state the bits range in a tree item if I have to. Not as nice as highlighting, but that's what I can do. Thanks so much again, YXI

(03 Mar '14, 18:19) YXI
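
The two cases discussed in this thread, as an added example that is not part of the original posts or of Wireshark's own scripts: a Lua dissector for a hypothetical protocol `bitdemo`. The protocol name, the field layout and UDP port 7777 are assumptions made for illustration. Masked fields cover the "10 bits sharing a 16-bit word" case, and `TvbRange:bitfield()` covers fields that start at an arbitrary bit offset, with the bit range stated in the tree item text since only whole bytes are highlighted.

```lua
-- Added example: hypothetical "bitdemo" protocol; layout and port are assumptions.
-- Bytes 0-1: 10-bit id (top bits) + 6-bit kind (low bits), sharing one 16-bit word.
-- From bit 16 on: 3-bit version, then a 10-bit length that is not byte-aligned.
local bitdemo = Proto("bitdemo", "Bit Field Demo")

local f_id   = ProtoField.uint16("bitdemo.id",   "ID",   base.DEC, nil, 0xFFC0)
local f_kind = ProtoField.uint16("bitdemo.kind", "Kind", base.DEC, nil, 0x003F)
-- No mask on these two: the values are extracted by hand with TvbRange:bitfield().
local f_ver  = ProtoField.uint8("bitdemo.ver",  "Version", base.DEC)
local f_len  = ProtoField.uint16("bitdemo.len", "Length",  base.DEC)
bitdemo.fields = { f_id, f_kind, f_ver, f_len }

-- Add a field that starts at an arbitrary bit offset. The tree item is tied to
-- the covering bytes (that is what gets highlighted) and the exact bit range
-- is appended to the item text. Returns the bit offset of the next field.
local function add_bits(tree, field, tvb, bit_off, bit_len)
    local first  = math.floor(bit_off / 8)          -- first covering byte
    local skip   = bit_off % 8                      -- bits to skip inside that byte
    local nbytes = math.ceil((skip + bit_len) / 8)  -- bytes the field touches
    local range  = tvb(first, nbytes)
    local value  = range:bitfield(skip, bit_len)
    local item   = tree:add(field, range, value)
    item:append_text(string.format(" (bits %d-%d)", bit_off, bit_off + bit_len - 1))
    return bit_off + bit_len
end

function bitdemo.dissector(tvb, pinfo, tree)
    -- 16 + 3 + 10 = 29 bits are read, so at least 4 bytes must be present.
    if tvb:len() < 4 then return 0 end
    pinfo.cols.protocol = "BITDEMO"
    local subtree = tree:add(bitdemo, tvb(0, 4))
    -- Masked fields: both items point at the same two bytes.
    subtree:add(f_id,   tvb(0, 2))
    subtree:add(f_kind, tvb(0, 2))
    -- Unaligned fields: walk a bit cursor through the buffer.
    local bit = 16
    bit = add_bits(subtree, f_ver, tvb, bit, 3)
    bit = add_bits(subtree, f_len, tvb, bit, 10)
end

DissectorTable.get("udp.port"):add(7777, bitdemo)
```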