How to modified display format of a given field within dissector tree pane?

Question

Hi,

I recently used the asn2wrs to create a new asn1 dissector (thanks for that wonderful tool).

The problem I have is that I would like to modify how an integer value is displayed in the wireshark pane for a specific field. For example, the value that is displayed is “70390700” which is the good value but I would like to display it to the user in a different way because it represents an ip address.

70390700 (decimal value) = 04 32 13 AC (hex value) –> 4 50 19 172, and I would like to have “172.19.50.4” displayed into the wireshark pane.

Can you give me some help on how I could achieve that?

Answer 1

1

Use the #TYPE_ATTR directive,see the sources for examples.

answered 06 Nov '14, 13:46

Anders ♦
4.6k●9●52
accept rate: 17%

I added the following lines to my .cnf:

#.TYPE_ATTR Ip4AddressType TYPE = FT_IPv4 DISPLAY = BASE_NONE STRINGS = NULL

But the IP address is still displayed as "4.50.19.172" instead of "172.19.50.4".

(07 Nov '14, 06:12) badam71

Hmm it's the endianess thet's the problem you will have to replace the generated dissection by your own in the .cnf file.

(07 Nov '14, 06:46) Anders ♦

I am not sure how do do that... My dissector (automatically generated) looks like this in the packet-foo.c file.

static int
dissect_foo_Ip4AddressType(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
  offset = dissect_per_octet_string(tvb, offset, actx, tree, hf_index,
                                       NO_BOUND, NO_BOUND, FALSE, NULL);
return offset;
}

(07 Nov ‘14, 10:05) badam71

I found that the “dissect_per_octet_string()” function was using ENC_BIG_ENDIAN. For now I solved this issue by adding a special case for the type “FT_IPv4” which will now use ENC_LITTLE_ENDIAN instead.

(07 Nov ‘14, 11:08) badam71