Is there a way I can alter what the INFO tab displays? I am using the DNP3 protocol and trying to figure out what is going on. There is a custom DNP object that I would like to try to define and display in the "Info" column. I would like to post data from the DNP3 Application Layer (one of the data objects). I would like to take these data objects and display them directly in the info (obviously only if they exist). asked 17 Jul '15, 16:17 napkinsterror edited 17 Jul '15, 17:24 Guy Harris ♦♦
One Answer:
You'll probably need to modify the dissector to do that, or you might be able to do something with a Lua post-dissector or chained dissector. The difficulty with the Lua approaches is getting access to the reassembled application layer data. There are no facilities at the moment for defining a custom data type for the dissector. What's the custom object type you're trying to dissect? Can you post a capture in a public place, e.g. Cloudshark, Google Drive, Dropbox etc.? answered 17 Jul '15, 16:34 grahamb ♦
I have just left my office. I will post it when I get home. It's an official DNP object called an 8-bit unsigned integer object. It allows you to customize the object further as it is just a generic byte. Just like binary and analog values this has a type called Object 102 in the DNP Spec. (Object Type is 0x6601).
I was able to open the application layer C code and find the variables and add this object. I was hoping to not have to write code as I am simply an intern and have never written code for Wireshark, but it seems as if it might be necessary here. The difficulty will be converting the bytes (application layer object's data) into ASCII bytes and adding that to the column info without breaking Wireshark. I will look into Lua, but if it's hard to get the data from the application layer then it won't be much help. That's the sole purpose I am doing this.
I also haven't figured out how or where best to customize the info column based on the qualifier code and object header data.
So it's not a custom (user-defined) object, but one that isn't yet dissected. Generally I only add objects to the dissector when captures for those objects are available so I can test the new dissection.
Please raise an entry (marking it as an enhancement) on the Wireshark Bugzilla, attach a capture with the object of interest in it and post a link to the request back here as a comment.
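Graham's answer mentions a Lua post-dissector as one route to changing the Info column without touching the C dissector. The script below is an added example written for this page; it is not code from the thread, from Wireshark, or from the built-in DNP3 dissector. It relies on the DNP3 dissector already having populated the tree, and reads two of its fields through Field extractors. The filter names `dnp3.al.func` (application layer function code) and `dnp3.al.obj` (object type, group in the high byte and variation in the low byte) are assumed from the built-in dissector's registrations; confirm them on your build with `tshark -G fields | grep 'dnp3\.al\.'` before relying on them.

```lua
-- Added example (not from the original thread): a Wireshark post-dissector
-- that appends a DNP3 application-layer summary to the Info column.
-- Load with:  wireshark -X lua_script:dnp3_info.lua
-- or copy the file into the personal plugins directory.

local dnp3_info = Proto("dnp3_info", "DNP3 Info column summary")

-- Field extractors must be created at load time, before any packet is dissected.
-- ASSUMPTION: these filter names come from the built-in DNP3 dissector;
-- verify with:  tshark -G fields | grep 'dnp3\.al\.'
local f_al_func = Field.new("dnp3.al.func")  -- function code, FT_UINT8
local f_al_obj  = Field.new("dnp3.al.obj")   -- object type, FT_UINT16 (group<<8 | variation)

-- Common function codes from the DNP3 specification; anything else prints as hex.
local func_names = {
  [0x00] = "Confirm",
  [0x01] = "Read",
  [0x02] = "Write",
  [0x81] = "Response",
  [0x82] = "Unsolicited",
}

-- Render 0x6601 as "g102v1". Plain arithmetic is used instead of bitwise
-- operators so the script runs on the Lua 5.2 bundled with older Wireshark.
local function obj_name(objtype)
  local group     = math.floor(objtype / 256)
  local variation = objtype % 256
  return string.format("g%dv%d", group, variation)
end

function dnp3_info.dissector(tvb, pinfo, tree)
  -- A field extractor returns nil when the field is absent, so frames that
  -- carry no DNP3 application layer (or only a link-layer frame) are skipped.
  local func = f_al_func()
  if not func then return end

  -- Calling the extractor returns every occurrence in the frame, i.e. every
  -- object header the dissector found in the (reassembled) application fragment.
  local objs = {}
  for _, fi in ipairs({ f_al_obj() }) do
    local name = obj_name(fi.value)
    if fi.value == 0x6601 then
      name = name .. "(UINT8)"   -- Object 102 var 1, the object asked about above
    end
    objs[#objs + 1] = name
  end

  local fname = func_names[func.value] or string.format("0x%02x", func.value)
  local summary = "[" .. fname
  if #objs > 0 then
    summary = summary .. " " .. table.concat(objs, ",")
  end
  summary = summary .. "]"

  -- Append rather than replace, so the text the DNP3 dissector already put
  -- in the Info column is preserved.
  pinfo.cols.info:append(" " .. summary)
end

register_postdissector(dnp3_info)
```

Because the script only reads fields the DNP3 dissector added to the protocol tree, it works for application fragments that were reassembled across several link-layer frames: the fields are attached to the frame in which reassembly completed. What it cannot do is show the raw data bytes of an object the dissector does not yet decode (such as Object 102 on a 2015 build), since no field covers those bytes and their offsets live in the reassembled buffer rather than the frame; that is the difficulty with the Lua route that the answer refers to, and the reason the C dissector has to be extended to display those values.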