This is our old Q&A Site. Please post any new questions and answers at

I need to have braces for abbreviated field names. For example, let's say I have an array of structures like the following:

typedef struct _person { int height; int age; } person;
typedef struct _people { int number; person[10]; int dummy; } people;

When I dissect the people structure, I'd like to be able to use the following filters in wireshark:


When I declare the hf_register_info, If I use brackets for the abbreviated names, Wireshark crashes.

The documentation README.dissector only talks about spaces:

FIELDABBREV     The abbreviated name for the header field. (NO SPACES)

asked 23 Feb '16, 10:16

_michel's gravatar image

accept rate: 0%

Wireshark does not allow that character in field abbreviations. If you're running Wireshark from the command line (on UNIX-like systems; I think on Windows you need to enable console or something) you'd see Wireshark's complaint which would look like:

Invalid character '[' in filter name '<your abbrevation>'

The doc you quoted is incomplete: the allowed characters are alphanumerics, '-', '_', and '." (see the proto.c source). I'll try to push a change to fix that.

permanent link

answered 23 Feb '16, 13:21

JeffMorriss's gravatar image

JeffMorriss ♦
accept rate: 27%

Submitted the documentation change.

(23 Feb '16, 14:24) JeffMorriss ♦

OK, I'm quite new to Wireshark so I trusted the documentation with my life ! :D

(23 Feb '16, 23:46) _michel

OK, I'm quite new to Wireshark so I trusted the documentation with my life ! :D

Don't do that. :-) If you're going to trust something with your life, use the source, Luke. :-)

(25 Feb '16, 16:13) JeffMorriss ♦

I'd like to be able to use the following filters in wireshark

The right way to do that would be to have Wireshark support the notion of a field being an array; you might want to submit an enhancement request on the Wireshark Bugzilla .

permanent link

answered 23 Feb '16, 15:10

Guy%20Harris's gravatar image

Guy Harris ♦♦
accept rate: 19%

Well, before going that route, is there really a need to know that people.person[1].height has a particular value? Typically in this type of scenario Wireshark would have one field: people.person.height. But it would have multiple instances of that field in a given PDU (in your case, up to 10 of them).

IOW, do you need to be able to use a filter that says that person #1 has height of X (as opposed to a filter that asks if any person has a height of X)?

(23 Feb '16, 16:44) JeffMorriss ♦

can you give an example of the filter "that asks if any person has a height of X" ?

(23 Feb '16, 23:47) _michel

people.person.height == X

(24 Feb '16, 00:04) Guy Harris ♦♦

oh ok, ... but nope :D I'm interested in being able to filter each field individually. I am also interested in plotting specific numeric fields against time (or against another field), but I guess it's not available right now. I think this could be a great feature. Imagine that you are monitoring a (or many) motors controller and this/these controller/s send periodically/or not a timestamp and rotation speed over the network. Wouldn't be great to have graphs for this ? But well, this is another subject.

(24 Feb '16, 01:06) _michel

For completeness (I know it's obvious but...) today this is done by creating 10 filters per object (person): people.person0.height, etc. The enhancement Guy suggests would (possibly significantly) reduce this number.

(25 Feb '16, 16:11) JeffMorriss ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 23 Feb '16, 10:16

question was seen: 1,470 times

last updated: 25 Feb '16, 16:13

p​o​w​e​r​e​d by O​S​Q​A