This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

More detail in displaying information


hello,

So I created a Wireshark plugin. All works really nicely; the dissection works and looks good.

BUT

1. How is it possible to add right-click filtering? I mean, if I click the right mouse button there should be the possibility to choose the option "just packets of type 2", you understand? So I want to have an entry in the drop-down menu after right-clicking that filters like the filter bar on top, but just with one or two filter options defined by me.

2. How is it possible to link packets? In my protocol it is possible that packets are split, so I have a final packet number, maybe ten, and one variable that goes from 1 to 10. So I want to have a link in the first packet which can be followed to the next packet of this stream part. Or maybe: how can I get a filter option on right-click to view just packets with the same ID?

3. How can I enable highlighting of bad packets, in a way that when they are sent a second time they will be displayed in black?

So please help me! If you have a tutorial or a link to a doc for this, please reply!


asked 08 Aug '11, 07:52


Anthracis

edited 08 Aug '11, 21:51


helloworld

Sorry, I need help understanding the problem... Is the following correct?

You want the ability to filter for a particular stream within a reassembly protocol (e.g., TCP).

1) You want to prepare a display filter that shows all packets/segments of a stream, and this is preferably done by right-clicking the stream ID. As a secondary goal, you want to hyperlink all segments of a stream, such that you can easily traverse the stream by clicking the links.

2) You want to colorize retransmissions (of segments).

(08 Aug '11, 21:49) helloworld

So I already have an existing filter for a UDP-based protocol and it works. The hyperlink you understood correctly, and the colorizing also.

So in detail: I have at the moment maybe 6000 frames of my protocol. My boss showed me that with TCP or something like this he could right-click and then "Follow bla bla". Then just the frames were shown which are concatenated to the one he clicked on. All clear?

(09 Aug '11, 00:29) Anthracis

Ok, I see. For clarity's sake, by "filter", you really mean "dissector" (and they're not synonymous). In Wireshark, a filter is a string expression that tells Wireshark which packets to display or capture. A dissector parses binary data into discernible fields, which are added to the protocol tree (in the Packet Details pane).

(09 Aug '11, 19:55) helloworld

Yeah, sorry, I know I develop a dissector, but every time I described it to others I had to say it's a filter!

My mistake.

(12 Aug '11, 12:31) Anthracis

2 Answers:


For the filtering question, as long as you didn't add your fields to the tree using proto_tree_add_text(), you should be able to right-click on your field in the packet details pane and choose one of several filtering options such as, "Apply as Filter -> Selected" or "Prepare a Filter -> Not Selected", etc.

answered 08 Aug '11, 11:29


cmaynard

How do you mean this? I think you mean something like bookmarking?

So in my filter I am using proto_tree_add_item and all the stuff declared in the hf register array. And for one or two specific frame entries I want to enable right-click filtering!

Thanks

(09 Aug '11, 00:32) Anthracis


Filtering by fields

As indicated by @cmaynard, you can set a display filter by right-clicking the field to be filtered on and choosing Prepare a Filter (or Apply as Filter). Experiment with their different sub-menu items.

The hyperlinks are actually FT_FRAMENUM fields. You'll have to modify your dissector to add those fields for each segment of a stream. Use the TCP dissector code as a basis.

Example: To set up an FT_FRAMENUM field (an hf_register_info entry from the TCP dissector):

/* FT_FRAMENUM fields are rendered in the Packet Details pane as clickable links to the referenced frame */
{ &hf_tcp_analysis_duplicate_ack_frame,
  { "Duplicate to the ACK in frame", "tcp.analysis.duplicate_ack_frame", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
    "This is a duplicate to the ACK in frame #", HFILL }},

Example: To add a field that links to the frame identified by ta->dupack_frame:

proto_tree_add_uint(tree, hf_tcp_analysis_duplicate_ack_frame,
                    tvb, 0, 0, ta->dupack_frame);

Packet colorizing

If your dissector can detect retransmitted segments, then modify your dissector to add a generated field that marks those packets as duplicates (see example links above to see how TCP does it). Then from Wireshark, right-click the generated field from the Packet Details Pane, and choose "Colorize with Filter" (as shown in thumbnail below).

[Thumbnail: Colorize with filter]

answered 09 Aug '11, 21:24


helloworld

edited 12 Aug '11, 14:30

Great, thanks therefore. Do you know how it works with other hyperlinks, so for fragments? But I cannot use the TCP fragment number, because this isn't realized in my package.

Is it possible to define this for my own dissector plugin, or do I have to modify Wireshark itself?

ONE MORE THING: WHAT ARE CONVERSATIONS FOR? I do not understand this in the Wireshark dev doc!

Great, thanks till now.

(12 Aug '11, 12:35) Anthracis

Every packet/frame has a frame number, and it's independent of any protocol. It's simply an integer assigned to each frame in the order that they're detected. It starts at 1 and increments by 1 on every frame. You can get the frame number from packet_info by using PINFO_FD_NUM(pinfo). So, you don't have to modify Wireshark to get the frame numbers of your UDP packets.

(12 Aug '11, 14:31) helloworld

For your other question, see Conversations.

(12 Aug '11, 14:35) helloworld
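The mechanisms helloworld's answer and the frame-number comment describe (registered fields for right-click filtering, FT_FRAMENUM fields as clickable links between fragments of one stream, and a generated field that marks retransmissions so "Colorize with Filter" can pick them out) can be shown end to end in a small Lua dissector, which Wireshark loads from its plugins directory without compiling. The script below is an added example, not code from the answer or from Wireshark's own sources. It assumes a hypothetical UDP protocol ("fragproto", UDP port 4711) whose header is a 2-byte stream ID, a 1-byte fragment number (1..total) and a 1-byte fragment total; all of those names and the layout are assumptions, not the asker's protocol. In a C plugin the same thing is done with FT_FRAMENUM entries in the hf_register_info array and proto_tree_add_uint() calls as in the answer, plus proto_item_set_generated() on the generated items.

```lua
-- Added example for a HYPOTHETICAL protocol (assumed header: stream id u16,
-- fragment number u8, fragment total u8; assumed UDP port 4711).
local fragproto = Proto("fragproto", "Hypothetical fragmented UDP protocol")

-- Ordinary fields: once registered, every one of them is right-clickable in
-- the Packet Details pane ("Apply as Filter", "Prepare a Filter", ...).
local f_stream  = ProtoField.uint16("fragproto.stream", "Stream ID", base.DEC)
local f_fragnum = ProtoField.uint8("fragproto.frag", "Fragment number", base.DEC)
local f_fragtot = ProtoField.uint8("fragproto.total", "Fragment total", base.DEC)
-- FT_FRAMENUM fields: Wireshark renders the value as a clickable frame link.
local f_prev   = ProtoField.framenum("fragproto.prev_frame", "Previous fragment in frame", base.NONE, frametype.NONE)
local f_next   = ProtoField.framenum("fragproto.next_frame", "Next fragment in frame", base.NONE, frametype.NONE)
local f_origin = ProtoField.framenum("fragproto.retrans_of", "Retransmission of frame", base.NONE, frametype.NONE)
-- Generated boolean to colorize on: "Colorize with Filter" -> fragproto.retransmission
local f_retrans = ProtoField.bool("fragproto.retransmission", "Retransmission")

fragproto.fields = { f_stream, f_fragnum, f_fragtot, f_prev, f_next, f_origin, f_retrans }

local e_retrans = ProtoExpert.new("fragproto.retransmission.expert", "Fragment retransmitted",
                                  expert.group.SEQUENCE, expert.severity.NOTE)
fragproto.experts = { e_retrans }

-- Per-capture state. Wireshark dissects frames in order on the first pass
-- (pinfo.visited == false) and may re-dissect any frame later, out of order,
-- so first-pass results are cached by frame number (pinfo.number) and reused.
local last_frame_in_stream = {}   -- stream id -> frame number of latest new fragment
local first_frame_of_frag  = {}   -- "stream:frag" -> frame that first carried it
local analysis             = {}   -- frame number -> { prev=, next=, origin= }

function fragproto.init()
  last_frame_in_stream = {}
  first_frame_of_frag  = {}
  analysis             = {}
end

function fragproto.dissector(tvb, pinfo, tree)
  if tvb:len() < 4 then return 0 end          -- not ours: header too short
  pinfo.cols.protocol = "FRAGPROTO"

  local stream = tvb(0, 2):uint()
  local frag   = tvb(2, 1):uint()
  local total  = tvb(3, 1):uint()

  local subtree = tree:add(fragproto, tvb(), "Hypothetical fragmented protocol")
  subtree:add(f_stream,  tvb(0, 2))
  subtree:add(f_fragnum, tvb(2, 1))
  subtree:add(f_fragtot, tvb(3, 1))
  pinfo.cols.info = string.format("Stream %u fragment %u/%u", stream, frag, total)

  local num = pinfo.number
  if not pinfo.visited then
    local a = {}
    local key = stream .. ":" .. frag
    if first_frame_of_frag[key] then
      -- Same (stream, fragment) seen in an earlier frame: a retransmission.
      a.origin = first_frame_of_frag[key]
    else
      first_frame_of_frag[key] = num
      local prev = last_frame_in_stream[stream]
      if prev then
        a.prev = prev
        analysis[prev].next = num   -- back-fill the forward link on the earlier frame
      end
      last_frame_in_stream[stream] = num
    end
    analysis[num] = a
  end

  -- Generated fields use a zero-length range: no bytes on the wire, but still
  -- filterable, right-clickable and usable in coloring rules.
  local a = analysis[num] or {}
  if a.prev then subtree:add(f_prev, tvb(0, 0), a.prev):set_generated() end
  if a.next then subtree:add(f_next, tvb(0, 0), a.next):set_generated() end
  if a.origin then
    subtree:add(f_retrans, tvb(0, 0), true):set_generated()
    subtree:add(f_origin, tvb(0, 0), a.origin):set_generated()
    subtree:add_proto_expert_info(e_retrans)
    pinfo.cols.info:append(" [Retransmission]")
  end
  return tvb:len()
end

DissectorTable.get("udp.port"):add(4711, fragproto)
```

With this loaded, right-clicking "Stream ID" and choosing "Apply as Filter -> Selected" yields the "just packets with the same ID" view the asker wanted, the "Previous/Next fragment in frame" items are followable links, and right-clicking "Retransmission" and choosing "Colorize with Filter" gives retransmitted fragments their own color. The "Next fragment" link on an earlier frame is only filled in by the first pass, so it appears when that frame is re-dissected for display, which is exactly what Wireshark does when you click it or apply a filter.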