This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Get frame data and packet info from frame number?

1

If I have the number of a frame, is it possible to then look up the actual frame/packet?

I'm trying to make some enhancements to io_stat.c, and I'd like to show some information about the packet inside the graph window itself, when clicked on. The only context I have in that situation is the frame number.

asked 02 Jul '11, 01:10

Jackson Zhou

retagged 02 Jul '11, 02:00

helloworld


One Answer:

4

In 1.6 and later:

frame_data *fd;
fd = frame_data_sequence_find(cfile.frames, frame_number);

will get you the frame_data structure for the frame with the specified frame number. Whether that gives you all the information you need is another matter (and the frame_data structure will probably get things removed from it over time, to save memory - there's one of them for every packet in a capture).

The packet_info structure is another matter. That is generated when the packet is dissected, and is not saved (saving it would make Wireshark's memory usage even worse).

answered 02 Jul '11, 11:40

Guy Harris ♦♦

edited 02 Jul '11, 11:41

Thanks, that answer was really helpful.

How would I get the packet info, even in the most extreme case? Would I use cum_bytes and file_off to get the raw data and redissect it? I mean, the main Wireshark window is able to offer packet info on any arbitrary row, so that information must either be stored somewhere or recalculated, right?

(02 Jul '11, 12:55) Jackson Zhou
1

Yes, you'd have to get the raw data and redissect it. See, for example, cf_read_frame_r() in file.c, to read a packet from a capture given the frame_data structure, and new_packet_window() in gtk/packet_win.c, which, given a pseudo-header and pile of raw packet data (which you'd have read with cf_read_frame_r()), dissects the packet with epan_ calls and pops up a window with the packet details and hex dump.

(02 Jul '11, 13:07) Guy Harris ♦♦

Mission accomplished. Thank you.

(04 Jul '11, 02:08) Jackson Zhou
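
The design described in the answer and comments above (a small record kept for every frame, with the raw bytes re-read and redissected only when a frame is asked for), as an added stand-alone C model; it is not code from the thread and does not use Wireshark's API. The names frame_rec, index_frames, frame_find, ethertype_of and frame_ethertype are hypothetical, and the pcap bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical per-frame record: only enough to find the raw bytes again. */
typedef struct { size_t file_off; uint32_t cap_len; } frame_rec;

static uint32_t rd32(const uint8_t *p) {           /* little-endian 32-bit read */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* One pass over a classic pcap image; returns the number of complete frames. */
static size_t index_frames(const uint8_t *buf, size_t len, frame_rec *out, size_t max) {
    size_t off = 24, n = 0;                        /* skip 24-byte file header */
    if (len < 24 || rd32(buf) != 0xa1b2c3d4u) return 0;
    while (n < max && len - off >= 16) {           /* 16-byte record header */
        uint32_t cap = rd32(buf + off + 8);        /* captured length */
        if (cap > len - off - 16) break;           /* truncated record: stop */
        out[n++] = (frame_rec){ off + 16, cap };
        off += 16 + (size_t)cap;
    }
    return n;
}

static const frame_rec *frame_find(const frame_rec *idx, size_t n, uint32_t num) {
    return (num >= 1 && num <= n) ? &idx[num - 1] : NULL;   /* 1-based numbers */
}

/* "Redissect" on demand from raw bytes: EtherType, or -1 if unavailable. */
static int ethertype_of(const uint8_t *buf, const frame_rec *fr) {
    if (fr == NULL || fr->cap_len < 14) return -1;
    return buf[fr->file_off + 12] << 8 | buf[fr->file_off + 13];
}

/* Constructed sample: little-endian pcap with two 14-byte Ethernet frames. */
static const uint8_t SAMPLE[] = {
    0xd4,0xc3,0xb2,0xa1, 2,0,4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0,
    0,0,0,0, 0,0,0,0, 14,0,0,0, 14,0,0,0,          /* record header 1 */
    1,1,1,1,1,1, 2,2,2,2,2,2, 0x08,0x00,           /* EtherType IPv4 */
    0,0,0,0, 0,0,0,0, 14,0,0,0, 14,0,0,0,          /* record header 2 */
    1,1,1,1,1,1, 2,2,2,2,2,2, 0x86,0xdd,           /* EtherType IPv6 */
};

/* Frame number -> index record -> raw bytes -> per-packet info. */
int frame_ethertype(const uint8_t *buf, size_t len, uint32_t num) {
    frame_rec idx[16];
    size_t n = index_frames(buf, len, idx, 16);
    return ethertype_of(buf, frame_find(idx, n, num));
}
int main(void) { return frame_ethertype(SAMPLE, sizeof SAMPLE, 2) == 0x86dd ? 0 : 1; }
```

Nothing derived from the packet contents is cached here: only the offset and captured length survive indexing, so every lookup pays for a re-read in exchange for a small per-frame footprint.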