This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I add in one tree information field, the information of a subfield in lua?


For example (see screenshot): In this picture the type "UPDATE Message" is also included in the Border Gateway Protocol tree description and it is a field below it.

asked 12 May '16, 04:01


javiguembe
accept rate: 0%


One Answer:


Your screenshot is an example of taking an important (distinctive) value from the protocol data and using it as part of the subtree title. So algorithmically, you first parse the tvb at least until you get the value of such parameter (or, if it has a fixed format, fetch it directly from a known position), and only then you compose the description for the tree item at level N, use tree:add to apply that label and hook in a subtree, and then add the subtree items, including the parameter whose value you've already used for the subtree title.

But that seems so obvious to me that I'm afraid I've actually misunderstood what you've asked.

answered 15 May '16, 03:31


sindy
accept rate: 24%

I have this to dissect BGP:

p_mybgp = Proto("mybgp", "MyBorder Gateway Protocol")

local BGP_types = {
  [1] = "OPEN message",
  [2] = "UPDATE message",
  [3] = "NOTIFICATION message",
  [4] = "KEEPALIVE message",
}

-- ProtoFields are created once at chunk level and registered with the Proto;
-- creating them inside the dissector (as originally posted) leaves them
-- unregistered, so subtree:add(f_xxx, ...) raises an error.
local f_marker       = ProtoField.bytes("mybgp.marker", "Marker")
local f_length_field = ProtoField.uint16("mybgp.length", "Length", base.DEC)   -- 2-byte field, so uint16 rather than uint64
local f_type         = ProtoField.uint8("mybgp.type", "Type", base.DEC, BGP_types)
local f_data         = ProtoField.string("typroto.data", "Data", base.ASCII)   -- FT_STRING is not a valid display argument
local f_open_version = ProtoField.uint8("mybgp.version", "Version", base.DEC)
local f_my_as        = ProtoField.uint16("mybgp.myas", "My AS", base.DEC)
local f_holdtime     = ProtoField.uint16("mybgp.timehold", "Hold Time", base.DEC)
local f_bgp_id       = ProtoField.ipv4("mybgp.bgpid", "BGP Identifier")
p_mybgp.fields = { f_marker, f_length_field, f_type, f_data, f_open_version, f_my_as, f_holdtime, f_bgp_id }

function p_mybgp.dissector(buf, pkt, root)
  if buf:len() == 0 then return end
  pkt.cols.protocol = p_mybgp.name   -- set the protocol column name
  -- DESCRIPTION FIELDS:
  local offset = 0
  local subtree = root:add(p_mybgp, buf(offset))   -- <<<<< I want to add the type value here
  subtree:add(f_marker, buf(offset, 16))
  offset = offset + 16
  subtree:add(f_length_field, buf(offset, 2))
  offset = offset + 2
  local type_value = buf(offset, 1):uint()
  subtree:add(f_type, buf(offset, 1))
  offset = offset + 1
end

My problem is that I don't know how I can syntactically add 2 ProtoFields in the same subtree. Concatenating with ".." returns an error (obviously?).

(16 May ‘16, 00:01) javiguembe

I’ve converted your previous post from an Answer to your original Question (which it clearly wasn’t) to a Comment to my Answer. See site FAQ for details.

To the subject:

My problem is that I don't know how I can syntactically add 2 ProtoFields in the same subtree. Concatenating with ".." returns an error (obviously?).

You’ve got it right: you cannot hook two distinct protocol fields (as ProtoField objects) as a single item to the tree.

But you can describe the tree item using only a reference to a tvb range (spanning even several protocol fields), extract the values from just some (even completely unrelated to that range) bytes of the tvb as text, and use that text as a label of that treeitem, which is most likely what the original dissector does. So unless ProtoField has recently become a mandatory parameter of treeitem:add, the following should work:

local subtree = root:add(buf:range(0), "Message type: " .. BGP_types[buf(0,1):uint()])

Look here for details of the highly flexible syntax of treeitem:add.

(16 May ‘16, 01:55) sindy

See also section 11.7.1.5. treeitem:append_text(text). This allows you to append more information to the tree item so you don’t necessarily have to construct it all at once.

(16 May ‘16, 15:00) cmaynard ♦♦
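Putting both suggestions together in one loadable dissector, as an added example that is not code from this thread: the subtree label is composed from the parsed message type (sindy's method, with a fallback for unknown type values so an unexpected byte cannot abort the dissector), and treeitem:append_text adds the length and flags out-of-range values afterwards (cmaynard's method). The bgpdemo protocol and field names are assumptions of this example; the 19..4096 length bounds and TCP port 179 come from RFC 4271.

```lua
-- Constructed example: BGP header dissector combining both tree-labelling methods.
local p_bgpdemo = Proto("bgpdemo", "BGP demo (example dissector)")   -- name assumed

local BGP_types = {
  [1] = "OPEN message", [2] = "UPDATE message",
  [3] = "NOTIFICATION message", [4] = "KEEPALIVE message",
}

local f_marker = ProtoField.bytes("bgpdemo.marker", "Marker")
local f_length = ProtoField.uint16("bgpdemo.length", "Length", base.DEC)
local f_type   = ProtoField.uint8("bgpdemo.type", "Type", base.DEC, BGP_types)
p_bgpdemo.fields = { f_marker, f_length, f_type }

-- RFC 4271: 16-byte marker + 2-byte length + 1-byte type; length is 19..4096
local BGP_HEADER_LEN, BGP_MAX_LEN = 19, 4096

function p_bgpdemo.dissector(buf, pkt, root)
  if buf:len() < BGP_HEADER_LEN then return 0 end   -- not a complete header
  pkt.cols.protocol = p_bgpdemo.name

  -- Parse the distinctive value first; a type outside the table must not
  -- abort the dissector, so fall back to a generic label instead of nil.
  local type_value = buf(18, 1):uint()
  local type_name  = BGP_types[type_value] or ("Unknown type (" .. type_value .. ")")

  -- Method 1: the tree item takes a tvb range plus a label built from parsed data
  local subtree = root:add(p_bgpdemo, buf(0), "Border Gateway Protocol - " .. type_name)

  subtree:add(f_marker, buf(0, 16))
  local len_item = subtree:add(f_length, buf(16, 2))
  subtree:add(f_type, buf(18, 1))

  -- Method 2: append to items after they exist (treeitem:append_text)
  local length_value = buf(16, 2):uint()
  if length_value < BGP_HEADER_LEN or length_value > BGP_MAX_LEN then
    len_item:append_text(" [invalid: outside " .. BGP_HEADER_LEN .. ".." .. BGP_MAX_LEN .. "]")
  end
  subtree:append_text(" (" .. length_value .. " bytes)")

  pkt.cols.info = type_name
  return buf:len()
end

-- BGP runs over TCP port 179 (RFC 4271); binding here takes that port away
-- from the built-in BGP dissector in the profile where this script is loaded.
DissectorTable.get("tcp.port"):add(179, p_bgpdemo)
```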

Thanks sindy and cmaynard! Both methods work!

(27 Jun ‘16, 02:28) javiguembe