This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to keep the info and protocol constant

0

I have 2 dissectors X and Y. If Y is present X calls Y or else it shows it as X. Now everything works fine. I have X and Y displaying on the PROTOCOL column in wireshark. Now I wanna see only X so I click on protocol button but now everything changes and only Y appears How do I make the COL_INFO and COL_PROTOCOL values unchangeable? They change every time i click on the "PROTOCOL" or "INFO" button. thanks in advance

asked 28 Mar '11, 02:46

niks3089's gravatar image

niks3089
21151518
accept rate: 0%

Can you be more specific? Are you writing a dissector which has a subdissector that may or may not be present, or one that is called if and only if a certain field has a specific value, or something else? Additionally, what buttons are you talking about? If you mean the column headers, then what is happening is a sort, not a relabeling.

(28 Mar '11, 09:24) multipleinte...

It is not sorting. The protcol X is not present. I am calling the Y sub dissector from only X . So if X is present then so is Y . But when press the column headers all the protocols other than X and Y sort but Y replaces the occurances of X . hope you understood

(28 Mar '11, 09:35) niks3089

So do you mean that when you read in a capture, or perform a capture, packets that have protocol Y running atop protocol X show protocol X's name in the Protocol column and the info for protocol X in the Info column, but when you try to sort on the Info or Protocol columns the Protocol column for those packets changes to show protocol Y's name and the Info column for those packets changes to show protocol Y's info?

(28 Mar '11, 18:13) Guy Harris ♦♦

2 Answers:

0

When you click on the Protocol or Info column headers, you are only causing Wireshark to sort the packets by whichever column header you selected. You are not filtering out any packets by doing this. If you only want to see packets displayed that are X, but not packets in which X calls Y, then you can use a display filter to do this, such as, "X and not Y"

Now if you don't want Y replacing the contents of either the Protocol or Info columns when X does call Y, then you might want to have a look at some of the column utility functions, like col_set_fence(), which is documented in both epan/column-utils.h and section 1.5.8 of doc/README.developer. Alternatively, you could try calling col_set_writable(pinfo->cinfo, FALSE); before X calls Y.

answered 28 Mar '11, 10:39

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

Actually I made a mistake. Its Y that is getting replaced by X. The above solution is not working

(29 Mar '11, 00:00) niks3089

0

Make sure you set the COL_INFO and COL_PROTOCOL columns regardless of whether the "tree" argument to your dissector is null or not.

answered 29 Mar '11, 00:09

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

It is set but the content keeps on changing

(29 Mar '11, 06:14) niks3089