This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Grouping fields in a dissector

Hello,

I am writing a dissector in Lua and would like to group fields as per this image:

Header grouping in UDP dissector

How do I do it?

asked 03 May '16, 06:37

johnnymnemonic


One Answer:

You would add a named subtree and items into it, as in this simplified excerpt from another dissector:

my_subtree=tree:add('User-Name dissection')
my_subtree:add(user,buffer:range(0,10))
my_subtree:add(host,buffer:range(11))

The result will then be

[-] User-Name dissection
      user_field_description: user_field_value
      host_field_description: host_field_value

answered 03 May '16, 06:54

sindy

@sindy - thanks, that works. However, when I click on such a field ("User-Name dissection" in your example) it doesn't highlight the range that the sub-fields cover.

(03 May '16, 10:00) johnnymnemonic

That's because the field in the original tree in my example is a text item.

As said, I've used a quote from a dissector I happened to have open in a text editor. Like many other methods of the Lua API, treeitem:add can handle several variants of parameters (some of them not even documented in all places), so if you use just a text label as its single parameter, like I did at that place, there is nothing related to that text label in the packet data, so there is nothing to be highlighted in the raw data pane.

You may definitely declare another protocol field like "emailaddr" which spans the complete portion of the buffer, so the code above would then change to

my_subtree=tree:add(emailaddr,buffer:range(0))
my_subtree:add(user,buffer:range(0,10))
my_subtree:add(host,buffer:range(11))

and if emailaddr, user, host have been previously properly defined as protocol fields, like

local my_proto = Proto("my_proto","my protocol") -- protocol object the fields are registered on
local emailaddr = ProtoField.string("my_proto.e-mail","complete e-mail address")
local user = ProtoField.string("my_proto.e-mail.user","user part")
local host = ProtoField.string("my_proto.e-mail.host","host part")
my_proto.fields = {emailaddr,user,host}

then clicking on any of the three items will highlight the corresponding bytes in the raw data pane.

To say it all, in my original dissector

  • the ranges for "user" and "host" parts are of course not defined statically like in the example; their sizes are determined by identifying the position of the @ symbol in the buffer,

  • I would rather omit the label-only line completely, because the equivalent of "emailaddr" field given above is already provided by lower layer dissector, but it is not possible as I do not have access to the pointer to that tree item so I cannot hook my items below it.

(03 May '16, 12:49) sindy
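The following is an added, self-contained example (not code from the answer or from the original dissector) that puts the two points above together: the parent item is a real protocol field spanning the whole payload, so clicking it highlights every byte, and the user/host ranges are found by locating the "@" at run time rather than with fixed offsets. The protocol name "my_proto" and UDP port 5555 are assumptions.

```lua
-- Added example: minimal UDP dissector for a payload of the form "user@host".
-- Assumptions: protocol name "my_proto" and UDP port 5555 are made up.
local my_proto = Proto("my_proto", "Example e-mail address protocol")

local emailaddr = ProtoField.string("my_proto.email", "complete e-mail address")
local user      = ProtoField.string("my_proto.email.user", "user part")
local host      = ProtoField.string("my_proto.email.host", "host part")
my_proto.fields = { emailaddr, user, host }

-- Expert info so a payload without '@' is flagged instead of silently mis-split.
local ef_no_at = ProtoExpert.new("my_proto.no_at", "no '@' in e-mail address",
                                 expert.group.MALFORMED, expert.severity.ERROR)
my_proto.experts = { ef_no_at }

function my_proto.dissector(buffer, pinfo, tree)
  local len = buffer:len()
  if len == 0 then return 0 end
  pinfo.cols.protocol = my_proto.name

  -- Parent item is a protocol field covering the whole payload, so selecting
  -- it highlights all bytes in the raw data pane (unlike a text-only label).
  local subtree = tree:add(emailaddr, buffer:range(0))

  -- Locate '@' (0x40) by scanning the bytes; no static offsets.
  local at = nil
  for i = 0, len - 1 do
    if buffer:range(i, 1):uint() == 0x40 then at = i; break end
  end
  if at == nil then
    subtree:add_proto_expert_info(ef_no_at)
    return len
  end

  -- user = bytes before '@', host = bytes after it; either may be empty.
  if at > 0 then
    subtree:add(user, buffer:range(0, at))
  end
  if at + 1 < len then
    subtree:add(host, buffer:range(at + 1))
  end
  return len
end

DissectorTable.get("udp.port"):add(5555, my_proto)
```

Load it from the Wireshark plugin directory (or with -X lua_script:) and send a UDP datagram to port 5555 to see the three-level highlighting.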