This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

LUA Dissector tree collapse

0

Hi all,

I'm pretty new to the Lua dissector. I have a problem with my code. Every time that I expand the tree list, all subtrees are expanded automatically. How can I avoid this? Also, I'd like to ask you why the subtrees are displayed in grey color instead of white.

Below you will find my code. Thank you in advance for the help.

Peter.

-- New Protocol and  fields
p_mynewproto  = Proto ("MyProtocol", "Test")

-- Define Header fields
local protoHeader = p_mynewproto.fields
protoHeader.rxId = ProtoField.uint16('protoHeader.rxId' , 'Rx ID ' , base.HEX, nil)
protoHeader.txId = ProtoField.uint16('protoHeader.txId' , 'Tx ID ' , base.HEX, nil)
protoHeader.timeHour = ProtoField.uint16('protoHeader.timeHour' , 'Hour ' , base.HEX, nil)
protoHeader.timeMinute = ProtoField.uint16('protoHeader.timeMinute', 'Minute' , base.HEX, nil)
protoHeader.timeSecond = ProtoField.uint16('protoHeader.timeSecond', 'Second' , base.HEX, nil)

-- mynewproto dissector function
function p_mynewproto.dissector (buf, pkt, root)

    -- Check the packet length
    if buf:len() == 0 then return end
    pkt.cols.protocol = p_mynewproto.name

    -- start from offset 0
    local offset = 0

    -- create subtree for mynewproto
    subtreeA = root:add(p_mynewproto, buf(offset,buf:len())):append_text(" [My Protocol Header]")

    -- Rx ID
    subtreeA:add(protoHeader.rxId , buf(offset,2))

    -- Tx ID
    subtreeA:add(protoHeader.txId , buf(offset+2,2))

    -- Time
    subtreeB = subtreeA:add(p_mynewproto, buf(offset+4,6),"[TIME]")

    -- Time Hour
    subtreeB:add(protoHeader.timeHour , buf(offset+4,2))

    -- Time Minute
    subtreeB:add(protoHeader.timeMinute , buf(offset+6,2))

    -- Time Second
    subtreeB:add(protoHeader.timeSecond , buf(offset+8,2))
end

-- Initialization function
function p_mynewproto.init()
end

-- Register a chained dissector for port 11111
local udp_dissector_table = DissectorTable.get("udp.port")
dissector = udp_dissector_table:get_dissector(11111)
udp_dissector_table:add(11111, p_mynewproto)

asked 14 May '15, 15:26

Peter1969

edited 27 Jun '15, 18:57

Hadriel

Guys, I found this old wireshark question: https://ask.wireshark.org/questions/31356/how-to-get-all-tree-items-collapsed-as-default-in-gtk-version

But I don’t understand the response very well. How can I adapt it to my code? Thank you Peter.

(17 May '15, 07:51) Peter1969


One Answer:

1

In your example code above, the sub-tree you're adding is done with this:

subtreeB = subtreeA:add(p_mynewproto, buf(offset+4,6),"[TIME]")

That tells Wireshark to add a child item to subtreeA (which you created earlier), and the thing you're telling Wireshark to add is p_mynewproto. But p_mynewproto represents a Protocol (a Proto object), and it's exactly the same protocol that you added when you created subtreeA earlier - so when you expand the tree in the GUI for subtreeA, Wireshark will automatically expand the tree for subtreeB, because they're the same protocol, and thus the same internal tree-type. Also that's why it's gray and not white - because it's a tree item for a Protocol rather than a ProtoField of a protocol. All protocol tree items are colored gray.

What you should be doing instead is creating another ProtoField for a "Time" field - this won't be a distinct field like the others, but rather just something to hold/contain/encapsulate the other time fields. For example, by doing this:

-- this is with your other ProtoField definitions:
protoHeader.time = ProtoField.bytes('protoHeader.time', 'Time')
-- this is inside your dissector:
subtreeB = subtreeA:add(protoHeader.time, buf(offset+4,6))
-- or this if you don't want to see the bytes shown:
subtreeB = subtreeA:add(protoHeader.time, buf(offset+4,6)):set_text('Time')

answered 27 Jun '15, 19:20

Hadriel

Thank you Hadriel, I really appreciate your help.

Regards,

Peter

(29 Jun '15, 08:11) Peter1969

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(29 Jun '15, 08:47) grahamb ♦
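The question's dissector with the answer's container ProtoField applied, as an added example that is not code posted by anyone in the thread. It also rejects packets shorter than the 10 header bytes the fixed offsets read, since a dissector parses untrusted input; HEADER_LEN, the local alias f and the expert-info text are assumptions introduced here.

```lua
-- Added example: replaces the script from the question (do not load both,
-- a Proto name can only be registered once).
local p_mynewproto = Proto("MyProtocol", "Test")

local f = p_mynewproto.fields
f.rxId       = ProtoField.uint16("protoHeader.rxId",       "Rx ID",  base.HEX)
f.txId       = ProtoField.uint16("protoHeader.txId",       "Tx ID",  base.HEX)
-- Container field from the answer: gives the Time subtree its own field
-- (and so its own tree type) instead of reusing the Proto object.
f.time       = ProtoField.bytes("protoHeader.time",        "Time")
f.timeHour   = ProtoField.uint16("protoHeader.timeHour",   "Hour",   base.HEX)
f.timeMinute = ProtoField.uint16("protoHeader.timeMinute", "Minute", base.HEX)
f.timeSecond = ProtoField.uint16("protoHeader.timeSecond", "Second", base.HEX)

-- Assumption: 2 + 2 + 3*2 bytes, taken from the offsets used in the question.
local HEADER_LEN = 10

function p_mynewproto.dissector(buf, pkt, root)
    if buf:len() == 0 then return end
    pkt.cols.protocol = p_mynewproto.name

    local subtreeA = root:add(p_mynewproto, buf(0, buf:len()))
    subtreeA:append_text(" [My Protocol Header]")

    -- A truncated packet must not reach the fixed-offset reads below;
    -- flag it in the tree instead of letting buf(offset, len) raise an error.
    if buf:len() < HEADER_LEN then
        subtreeA:add_expert_info(PI_MALFORMED, PI_ERROR,
                                 "Header shorter than 10 bytes")
        return
    end

    subtreeA:add(f.rxId, buf(0, 2))
    subtreeA:add(f.txId, buf(2, 2))

    -- Time subtree hangs off a ProtoField, so it stays collapsed until
    -- expanded on its own and is not drawn as a gray protocol row.
    local subtreeB = subtreeA:add(f.time, buf(4, 6))
    subtreeB:set_text("Time")
    subtreeB:add(f.timeHour,   buf(4, 2))
    subtreeB:add(f.timeMinute, buf(6, 2))
    subtreeB:add(f.timeSecond, buf(8, 2))
end

DissectorTable.get("udp.port"):add(11111, p_mynewproto)
```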