This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Custom packet dissector data structure

Suppose I have a custom protocol called cust_prot. One of the fields is 4 bytes long and has a flag bit as follows:

      The 5th bit of the 2nd byte of this field is a flag variable.

So, I wanted to know what will be the data structure. I have made the following structure but am not sure whether we need to do masking or not.

     .
     .
     { &hf_cust_prot_skip5,
         { "CUST PROT SKIP5", "cust_prot.skip5",
         FT_UINT32, BASE_DEC,
         NULL, 0x0,
         NULL, HFILL }
     },
     { &hf_cust_prot_cap1,
         { "CUST PROT CAP1", "cust_prot.skip5.cap1",
         FT_BOOLEAN, BASE_DEC,
         NULL, 0x0,               /*Confused about this mask field*/
         NULL, HFILL }
     },
     .
     .

Also if someone can provide the way to display that flag bit, it will be very useful.

asked 15 Sep '15, 04:29

samprit

edited 15 Sep '15, 04:41


One Answer:

     { &hf_cust_prot_cap1,
         { "CUST PROT CAP1", "cust_prot.skip5.cap1",
         FT_BOOLEAN, 32,
         NULL, 0x080000,               /*"5th bit" of 2nd byte counting from the left ? */
         NULL, HFILL }
     },

Use the usual proto_tree_add_item(...) to display the field.

Note that the exact format of the display of the field can be varied by changing the field width (32) and bit mask and using the correct offset in the `proto_tree_add_item()` call.

E.g., using 8 as the field width, a bit mask of 0x08 and an offset of 1 will display the field as 1 bit in 8 bits.

Try experimenting with different values.

This is all explained in doc/README.dissector.

answered 15 Sep '15, 05:47

Bill Meier ♦♦

edited 15 Sep '15, 05:48

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(15 Sep '15, 18:49) Bill Meier ♦♦
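
Added example (not part of the original question or answer, and not Wireshark source code): a stand-alone C sketch of the arithmetic behind the two layouts the answer mentions, width 32 with mask 0x080000 at offset 0 and width 8 with mask 0x08 at offset 1. The names `flag_value` and `bit_column`, the sample bytes, big-endian byte order and the approximate bit-column rendering are assumptions made for illustration; the length check mirrors the bounds checking a dissector relies on when a packet is truncated.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read width_bits (8, 16, 24 or 32) big-endian from buf at offset, apply mask,
 * and return 1 or 0 for the flag; -1 on bad arguments or a read past len. */
int flag_value(const uint8_t *buf, size_t len, size_t offset,
               unsigned width_bits, uint32_t mask)
{
    size_t nbytes = width_bits / 8;
    uint32_t v = 0;

    if (width_bits == 0 || width_bits > 32 || width_bits % 8 != 0 || mask == 0)
        return -1;
    if (offset > len || nbytes > len - offset)
        return -1;              /* truncated packet: never read past the buffer */
    for (size_t i = 0; i < nbytes; i++)
        v = (v << 8) | buf[offset + i];
    return (v & mask) != 0;
}

/* Render masked bits as digits and the rest as dots, grouped by nibble
 * (approximation of the bit column shown for bitmask fields).
 * out must hold width_bits + width_bits / 4 bytes; width_bits <= 32. */
void bit_column(uint32_t value, uint32_t mask, unsigned width_bits, char *out)
{
    for (unsigned i = 0; i < width_bits; i++) {
        uint32_t bit = 1u << (width_bits - 1 - i);
        if (i && i % 4 == 0)
            *out++ = ' ';
        *out++ = (mask & bit) ? ((value & bit) ? '1' : '0') : '.';
    }
    *out = '\0';
}

int main(void)
{
    /* Constructed sample: 4-byte field with only the 0x08 bit of byte 2 set. */
    const uint8_t field[4] = { 0x00, 0x08, 0x00, 0x00 };
    char col[40];

    printf("32-bit view: %d\n", flag_value(field, sizeof field, 0, 32, 0x00080000));
    printf("8-bit view:  %d\n", flag_value(field, sizeof field, 1, 8, 0x08));
    bit_column(0x00080000, 0x00080000, 32, col);
    printf("%s\n", col);
    bit_column(0x08, 0x08, 8, col);
    printf("%s\n", col);
    return 0;
}
```

Both views select the same bit; only the width of the rendered bit column differs.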