This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Braces [] inside abbreviated name FIELDABBREV of header_field_info

0

I need to have braces for abbreviated field names. For example, let's say I have an array of structures like the following:

typedef struct _person { int height; int age; } person;
typedef struct _people { int number; person[10]; int dummy; } people;

When I dissect the people structure, I'd like to be able to use the following filters in wireshark:

"people.person[0].height"
"people.person[1].height"
...
"people.person[9].height"

When I declare the hf_register_info, If I use brackets for the abbreviated names, Wireshark crashes.

The documentation README.dissector only talks about spaces:

FIELDABBREV     The abbreviated name for the header field. (NO SPACES)

asked 23 Feb '16, 10:16

_michel's gravatar image

_michel
11346
accept rate: 0%

2 Answers:

1

Wireshark does not allow that character in field abbreviations. If you're running Wireshark from the command line (on UNIX-like systems; I think on Windows you need to enable console or something) you'd see Wireshark's complaint which would look like:

Invalid character '[' in filter name '<your abbrevation>'

The doc you quoted is incomplete: the allowed characters are alphanumerics, '-', '_', and '." (see the proto.c source). I'll try to push a change to fix that.

answered 23 Feb '16, 13:21

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572
accept rate: 27%

Submitted the documentation change.

(23 Feb '16, 14:24) JeffMorriss ♦

OK, I'm quite new to Wireshark so I trusted the documentation with my life ! :D

(23 Feb '16, 23:46) _michel

OK, I'm quite new to Wireshark so I trusted the documentation with my life ! :D

Don't do that. :-) If you're going to trust something with your life, use the source, Luke. :-)

(25 Feb '16, 16:13) JeffMorriss ♦

0

I'd like to be able to use the following filters in wireshark

The right way to do that would be to have Wireshark support the notion of a field being an array; you might want to submit an enhancement request on the Wireshark Bugzilla .

answered 23 Feb '16, 15:10

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Well, before going that route, is there really a need to know that people.person[1].height has a particular value? Typically in this type of scenario Wireshark would have one field: people.person.height. But it would have multiple instances of that field in a given PDU (in your case, up to 10 of them).

IOW, do you need to be able to use a filter that says that person #1 has height of X (as opposed to a filter that asks if any person has a height of X)?

(23 Feb '16, 16:44) JeffMorriss ♦

can you give an example of the filter "that asks if any person has a height of X" ?

(23 Feb '16, 23:47) _michel

people.person.height == X

(24 Feb '16, 00:04) Guy Harris ♦♦

oh ok, ... but nope :D I'm interested in being able to filter each field individually. I am also interested in plotting specific numeric fields against time (or against another field), but I guess it's not available right now. I think this could be a great feature. Imagine that you are monitoring a (or many) motors controller and this/these controller/s send periodically/or not a timestamp and rotation speed over the network. Wouldn't be great to have graphs for this ? But well, this is another subject.

(24 Feb '16, 01:06) _michel

For completeness (I know it's obvious but...) today this is done by creating 10 filters per object (person): people.person0.height, etc. The enhancement Guy suggests would (possibly significantly) reduce this number.

(25 Feb '16, 16:11) JeffMorriss ♦