This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

plain text comments in Wireshark packet list pane

0

I am relatively new to Wireshark.

I am generating packets from our test platform. These are being correctly decoded by Wireshark. They happen to be "mac-lte" packets, but isn't relevant for question I have...

I would like to interleave the generated packets with comments/logs packets, with the Wireshark decoded comments being displayed in the packet list pane (the top pane in the Wireshark GUI, showing a summary of the packets decoded). Note, I don't want to have to dig into the packet to see the text. I would like the text displayed on the packet list pane.

I'd like to use the standard Wireshark product off the shelf, without having to add a non-standard dissector. Is there a 'protocol' dissector packaged with the standard Wireshark product to display plain text? Failing that, does anyone have a plain text dissector they can share?

Thanks in advance, Robert

This question is marked "community wiki".

asked 13 Apr '11, 04:58

RobertA's gravatar image

RobertA
1112
accept rate: 0%

edited 13 Apr '11, 05:00

One Answer:

2

I think the syslog dissector might be the closest thing to what you need and the easiest to use in your case.

You can use "nc" (netcat) to send the cleartext messages like this:

$ echo "<181>Hallo?" | nc -w 1 -u 1.1.1.1 514
$

Host 1.1.1.1 does not need to exist, as long as the route towards that host passes your capturing device :-)

Wireshark and tshark will now show you:

  2.102943 192.168.1.22 -> 194.1.2.3 TCP 51791 > 443 [ACK] Seq=97 Ack=97 Win=65535 Len=0 TSval=999679650 TSecr=2322251460
  2.450229 192.168.1.22 -> 1.1.1.1      Syslog LOCAL6.NOTICE: Hallo?\n
  3.103243 192.168.1.22 -> 194.1.2.3 SSL Continuation Data

The "<xxx>" at the beginning of the message signify the facility and the severity where xxx is an 8 bit value in decimal representation. The most significant 5 bits denote the facility (LOCAL6 in my case) and the least significant 3 bits denote the severity (EMERG..DEBUG).

(of course you can also use the logger command on a unix-like system, but then you have to make sure you have a rule in the configuration of the local syslog daemon that forwards the message to a remote host like 1.1.1.1)

answered 13 Apr '11, 08:29

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Oh, I just tried without the facility/severity string and that works even better for your purpose:

echo "The following packets are interesting :-)" | nc -w 1 -u 1.1.1.1 514

results in:

26.143408 192.168.1.22 -> 1.1.1.1 Syslog The following packets are interesting :-)\n

(13 Apr '11, 08:32) SYN-bit ♦♦

Thanks. Appears to use port to identify it is a syslog message.

If wanted to specify different port, could set up a filter via Wireshark->Analyse->DecodeAs->Transport, so could map another port to syslog protocol.

However want to send/receive "mac-lte" & comment/log on same address&port. To try to ensure network delays dont affect pkt order wrt the comment and mac-lte packets.

So think what want is to add a header in TCP/UDP payload to identify the packet as comment/trace text. i.e. a similar mechanim to how Wireshark uses a header to decode mac-lte packets.

Is there anything suitable?

(14 Apr '11, 03:47) RobertA