My task is to learn about Wireshark dissectors, so that my team can in general be able to translate hexadecimal digits to engineering digits in Wireshark. My guess is we should think about translating raw data, message data, and data captures (maybe even dumps) in Wireshark output. (I don't know what plugins we will be using!)

What can you tell me? Do I have to use a dissector to translate hex to engineering units? Is there some sort of GUI Wireshark option I can set? Is there a file I can change?

Does someone have a complete and easy setup dissector to do this already? What are my options? What is the easiest dissector product to use? Also, what is the best product to use? Whatever my team decides to choose, what will be my limitations? What are problems with doing this?

(Note: I've watched a TSN.1 dissector video on YouTube, but I know nothing about what will be installed with whatever version of Wireshark that our team decides to use.)

Has the process of generating engineering units changed in the last decade?

On the Internet, I found only one article related to this problem. The article title is below, but it didn't tell me anything. It lacks intuition. The article only talks about using a custom dissector. Wireshark Topic: "How to decode and display as ASCII?"

Finally, if you have an answer for me and my team, can you explain it to me in a step-by-step way with baby steps? I.e., can you share with me exactly what the first step, second step, third step, up to the nth step is, in as much detail as possible?

I've never worked with Wireshark before beyond a few good videos at www rti com.

Thank you, Mike

asked 01 Sep, 05:08

Mike123456
converted 01 Sep, 05:13

Guy Harris ♦♦
What do you mean by "engineering digits" and "engineering units"?

(01 Sep, 05:13) Guy Harris ♦♦

I went back to my team to answer your question!

I'll explain to you what my team wants accomplished. By doing that I will explain to you what engineering data units we want. Simply, all we want are 3 "on" and "off" values and 2 integer values.

Caveat: I'm using all make-believe data from a Wireshark capture. My team doesn't want me to publish actual data.

(1) Captured Wireshark data from three areas of Wireshark:

No. Time     Source    Destination   Protocol Length Info
8   0.055974 192.2.4.8 240.199.089.0 UDP      60     53016->53016 Len=4

Message:

Data (4 bytes)
      Data: 2043c0bd
      [Length: 4]

Raw Data:

20   43   c0   bd

(2) My explanation of the above hexadecimal data:

Byte 1:  20
Byte 2:  43
Byte 3:  c0
Byte 4:  bd

Above byte 1 has only 3 bits (above right 3 bits) that have to be translated to "on" or "off" values. I.E.: We want to see "on" or "off" instead of "1" and "0." The other bits (above left 5 bits) can be ignored and not shown at all in the message window. They'll still be visible in the raw data. The 3 right bits represent 3 separate switches.

Above bytes 2 through 4 have two integer values from -127 to 127. Again some of the bits will not be used and can be ignored and not shown at all in the message window. They'll still be visible in the raw data. The bits that make up the two integer values are distributed in the 3 above bytes and are not consecutive. Here is the actual placement of the 16 bits that make up the two integer values between -127 to 127. These two integer values represent a single joystick which can be moved left or right from a resting position.

0   1    0    0   X7   X6   Y7   Y6
1   1   X5   X4   X3   X2   X1   X0
1   0   Y5   Y4   Y3   Y2   Y1   Y0

So, my team wants me to pick out the above bits to create and display two integer values.

X7  X6  X5  X4  X3  X2  X1  X0  Equals some value from -127 to 127
Y7  Y6  Y5  Y4  Y3  Y2  Y1  Y0  Equals some value from -127 to 127

FYI: This is only my preliminary initial task. I.E.: This is the first message that my team wants me to create a dissector for. There are other messages that I will be given later to work on and display in a nice way.

(05 Sep, 10:41) Mike123456

By "left" and "right", as in "left 5 bits" and "right 3 bits", do you mean "upper" and "lower", so that the high-order bit, and the 4 bits below it, are the "left 5 bits", and the 3 bits below that, going down to the low-order bit, are the "right 3 bits", so that, for 0x20, which is 00100000 in binary, the "left 5 bits" are "00100", and the "right 3 bits" are "000", and all 3 bits are "off", and the "00100" can be ignored?

(05 Sep, 18:12) Guy Harris ♦♦

Yes, that is exactly what my team tells me to implement.

(06 Sep, 04:26) Mike123456

This can (almost) all be achieved by using so-called header fields. When you study dissector development (see README.dissector) you'll come across these.

Further discussion would probably be appropriate on the Wireshark Developers mailing list since this is not a forum, but a Q&A site.

answered 07 Sep, 03:04

Jaap ♦
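One way to put the header-field approach from the answer to work on the 4-byte message laid out in the comments, as an added example rather than code from this thread: a Wireshark Lua dissector that shows the three switches as "on"/"off" through masked header fields and reassembles X and Y from their scattered bits. The protocol and field names, the UDP port 53016 (taken from the sample capture) and the two's-complement reading of the 8-bit values are assumptions.

```lua
-- Added example (not from the thread): a Lua dissector for the 4-byte
-- message described above. Field names, the "joystick" protocol name
-- and the UDP port 53016 (taken from the sample capture) are assumptions.
local joy = Proto("joystick", "Joystick switch/axis message")

-- Display the low 3 bits of byte 1 as "on"/"off" instead of 1/0.
-- The mask argument makes Wireshark show only the selected bit.
local on_off = { [0] = "off", [1] = "on" }
local f_sw1 = ProtoField.uint8("joystick.sw1", "Switch 1", base.DEC, on_off, 0x01)
local f_sw2 = ProtoField.uint8("joystick.sw2", "Switch 2", base.DEC, on_off, 0x02)
local f_sw3 = ProtoField.uint8("joystick.sw3", "Switch 3", base.DEC, on_off, 0x04)

-- X and Y are spread over non-contiguous bits of bytes 2..4, so a single
-- masked header field cannot express them; they are reassembled below.
local f_x = ProtoField.int8("joystick.x", "X axis", base.DEC)
local f_y = ProtoField.int8("joystick.y", "Y axis", base.DEC)

joy.fields = { f_sw1, f_sw2, f_sw3, f_x, f_y }

-- Interpret an 8-bit pattern as a two's-complement signed value
-- (an assumption; the thread only says "-127 to 127").
local function to_signed8(v)
  if v >= 128 then return v - 256 end
  return v
end

-- Bit extraction by arithmetic so it works on any Lua version Wireshark ships.
local function bits(v, shift, width)
  return math.floor(v / 2 ^ shift) % (2 ^ width)
end

function joy.dissector(buf, pinfo, tree)
  if buf:len() < 4 then return 0 end
  pinfo.cols.protocol = joy.name
  local st = tree:add(joy, buf(0, 4))
  st:add(f_sw1, buf(0, 1))
  st:add(f_sw2, buf(0, 1))
  st:add(f_sw3, buf(0, 1))
  local b2, b3, b4 = buf(1, 1):uint(), buf(2, 1):uint(), buf(3, 1):uint()
  -- X7 X6 = bits 3..2 of byte 2; X5..X0 = bits 5..0 of byte 3
  local x = bits(b2, 2, 2) * 64 + bits(b3, 0, 6)
  -- Y7 Y6 = bits 1..0 of byte 2; Y5..Y0 = bits 5..0 of byte 4
  local y = bits(b2, 0, 2) * 64 + bits(b4, 0, 6)
  st:add(f_x, buf(1, 3), to_signed8(x))
  st:add(f_y, buf(1, 3), to_signed8(y))
  return 4
end

DissectorTable.get("udp.port"):add(53016, joy)
```

Save the script in Wireshark's personal plugins directory (Help > About Wireshark > Folders) and reload Lua plugins; the ignored bits stay visible in the bytes pane while the packet details pane shows only the five engineering values.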

question asked: 01 Sep, 05:08

question was seen: 447 times

last updated: 07 Sep, 06:28