This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to convert the user-defined item in hr_tree to a human-readable format

0

I created two items (stamp1 and stamp2 in hr_tree) to label special useful bytes with the following line of code in packet-eth.c:

proto_tree_add_item(fh_tree, vtime_id, trailer_tvb, (trailer_length - 8), 8, FALSE);

Here's the decoding with the items added:


Frame 1: 69 bytes on wire (552 bits), 69 bytes captured (552 bits)
Ethernet II, Src: JuniperN_17:d0:85 (00:05:85:17:d0:85), Dst: Cisco_ef:fd:00 (00:1b:0d:ef:fd:00)
    Destination: Cisco_ef:fd:00 (00:1b:0d:ef:fd:00)
    Source: JuniperN_17:d0:85 (00:05:85:17:d0:85)
    Type: IP (0x0800)
    stamp1: 4e64885133d37df8
    stamp2: 04
    Trailer: 000000000000
Internet Protocol Version 4, Src: 111.72.163.42 (111.72.163.42), Dst: 219.141.191.132 (219.141.191.132)
Transmission Control Protocol, Src Port: 61294 (61294), Dst Port: https (443), Seq: 1, Ack: 1, Len: 0
    Source port: 61294 (61294)
    Destination port: https (443)
    [Stream index: 0]
    Sequence number: 1    (relative sequence number)
    Acknowledgement number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
    Window size value: 64860
    [Calculated window size: 64860]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0x1541 [validation disabled]

But stamp1 is in hex format, which is difficult to understand. I want it in a human-readable format, such as epoch time, instead of the hex string. I've no idea how to do this. Please advise.

asked 04 Oct '11, 05:26


Sam
517914
accept rate: 0%

edited 05 Oct '11, 07:13


helloworld
3.1k42041

How have you added your stamp1 and stamp2 fields? Can you post the code changes?

(04 Oct '11, 06:05) multipleinte...

Sure, please see the key code below:

proto_tree_add_item(fh_tree, stamp1_id, trailer_tvb, (trailer_length - 9), 8, FALSE);
proto_tree_add_item(fh_tree, stamp2_id, trailer_tvb, (trailer_length - 1), 1, FALSE);

In addition, the elements below need to be added:

{ &hf_eth_stamp1,
{ "stamp1", "eth.stamp1", FT_BYTES, BASE_NONE, NULL, 0x0, "Ethernet stamp1", HFILL }},
{ &hf_eth_stamp2,
{ "stamp2", "eth.stamp2", FT_BYTES, BASE_NONE, NULL, 0x0, "Ethernet stamp2", HFILL }}

(04 Oct '11, 06:26) Sam

Btw, which files include the epoch time conversion function? It may be useful; I can try it.

(04 Oct '11, 06:33) Sam

2 Answers:

2

If I understand you correctly, you can accomplish what you want with something like this:

{ &hf_eth_stamp1,
{ "stamp1", "eth.stamp1", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0x0, "Ethernet stamp1", HFILL }},

Note the different ftype and display base; these allow you to have the Wireshark back end do most of the heavy lifting. Then, in your proto_dissect_* function:

proto_tree_add_item(fh_tree, stamp1_id, trailer_tvb, (trailer_length - 9), 8, ENC_BIG_ENDIAN | ENC_TIME_TIMESPEC);

Note here that the endianness and time encoding are specified; currently, these will evaluate to 0 (FALSE), but if they change in the future, this scheme will keep your dissector from breaking as it is used internally. Finally, as Jaap mentioned in his answer, you should look into the provided documentation for hints on how to accomplish what you want. I will leave stamp2 to you.

answered 04 Oct '11, 09:21


multipleinte...
1.3k152340
accept rate: 12%
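
An added example, not part of the original answer and not Wireshark code: a stand-alone C check of what the answer's field definition should display for the stamp1 bytes shown in the question. It assumes the 8 bytes are a big-endian pair of 4-byte seconds and 4-byte nanoseconds, which is how an 8-byte field is read with ENC_BIG_ENDIAN | ENC_TIME_TIMESPEC; the function names decode_stamp1 and format_utc are hypothetical, and the length check covers a trailer shorter than 9 bytes, where trailer_length - 9 would wrap around.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Read a 32-bit big-endian integer. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode stamp1 from a trailer laid out as [padding | stamp1 (8) | stamp2 (1)].
 * Returns 0 on success, -1 if the trailer is too short or nanoseconds >= 1e9. */
int decode_stamp1(const uint8_t *trailer, size_t trailer_length,
                  uint32_t *secs, uint32_t *nsecs)
{
    if (trailer == NULL || trailer_length < 9)
        return -1;                      /* offset trailer_length - 9 would wrap */
    const uint8_t *p = trailer + (trailer_length - 9);
    uint32_t s = be32(p), ns = be32(p + 4);
    if (ns >= 1000000000u)
        return -1;                      /* not a valid seconds/nanoseconds pair */
    *secs = s;
    *nsecs = ns;
    return 0;
}

/* Format as "YYYY-MM-DD HH:MM:SS.nnnnnnnnn" in UTC. Returns 0 on success. */
int format_utc(uint32_t secs, uint32_t nsecs, char *out, size_t outlen)
{
    time_t t = (time_t)secs;
    struct tm *utc = gmtime(&t);
    char buf[32];
    if (utc == NULL || strftime(buf, sizeof buf, "%Y-%m-%d %H:%M:%S", utc) == 0)
        return -1;
    int n = snprintf(out, outlen, "%s.%09u", buf, (unsigned)nsecs);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(void)
{
    /* Constructed 15-byte trailer from the question's decode: 6 zero bytes, stamp1, stamp2. */
    const uint8_t trailer[] = { 0, 0, 0, 0, 0, 0,
        0x4e, 0x64, 0x88, 0x51, 0x33, 0xd3, 0x7d, 0xf8, 0x04 };
    uint32_t s, ns;
    char txt[48];
    if (decode_stamp1(trailer, sizeof trailer, &s, &ns) == 0 &&
        format_utc(s, ns, txt, sizeof txt) == 0)
        printf("stamp1: %s UTC\n", txt);
    return 0;
}
```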

It works following your code; thank you very much, Multipleinterfaces.

Sam

(04 Oct '11, 09:54) Sam

If it works, then the thing to do now is to accept the answer so this question is no longer listed as unanswered.

(04 Oct '11, 17:31) cmaynard ♦♦

OK, but how do I take it out of the unanswered list? I checked the FAQ, but no related instructions are described.

(05 Oct '11, 03:42) Sam

Mark the answer as accepted by clicking the icon next to it (I think it's a check mark).

(05 Oct '11, 03:59) grahamb ♦

Okay, thanks.

(05 Oct '11, 05:17) Sam

0

Read up on FT_BYTES and companions in doc/README.developer.

answered 04 Oct '11, 07:50


Jaap ♦
11.7k16101
accept rate: 14%