This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Understanding tree stucture and tvb

0

I'm very newbie to writing Wireshark code for plugin dissectors, I've read the documentation, but I still have some problem to understand the general environnement.

1) What are exactly trees, what do they do, and why should be useful to add tree for dissecting? Do I have to instance at least one tree in my dissector, or could I completely avoid using them?

2)Are subtrees just trees linked to a "father" tree ore something more? When should I use proto_item_add_subtree instead of proto_tree_add_item?

3)Aren't all the information of the packet in the tvbuff? Why I can't just read there to perform the dissection?

4)What is the difference between proto_tree and proto_item

5)How does the statement if(tree) work? What does it mean that I go into this function if I am being asked for details? Referring to that, what kind of code should I put inside this if() statement, and what else outside?

Sorry for these basic questions

asked 08 Aug '14, 04:04

francesco_bigotto's gravatar image

francesco_bi...
21459
accept rate: 0%

One Answer:

1
  1. The tree is displayed in the packet details pane. No tree == no details, so yes you probably should add items to the tree.
  2. Sub-trees are somewhat stylistic, but generally are used for protocol sub-elements that have multiple elements of their own. Without sub-trees, every element in your protocol would be in a flat list under the protocol tree.
  3. The tvb is the data handed to your dissector from the preceding layer. You use the data in the tvb to construct your tree. This is the fundamental basis of dissection.
  4. Well a tree is a tree and an item is an item in the tree. I think an item is always associated with data (possibly synthetic) so can be used in a filter.
  5. In some circumstances dissectors can be called with a null tree pointer so they don't need to carry out any processing that was only for tree display, however the dissector should still carry out all other dissection processing.

Are you sure you've read the Developers Guide and all the items in the docs directory of the source code? Most of these questions are answered there.

answered 08 Aug '14, 05:11

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

I've read the Developers Guide, but not yet the items in the docs directory, sorry. Anyway thanks for the good explanation

(08 Aug '14, 05:29) francesco_bi...