This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Adding to tree

I am trying to build a dissector, and what I would like to do is extract pieces of data, perform some data manipulation (ie, logic, concatenating two separate sets of data together). After working on it some myself and looking at the documentation, it seems to me that the only way to add anything to a tree is the "proto_tree_add_item(tree, id, tvb, start, length, encoding)". Is there a different function I can use for my purposes? Or is it better for me to build this dissector in Lua (which from my understanding, will allow the functionality that I need)? I am new to building dissectors, so any help would be appreciated.

dissector tree proto_tree_add

asked 18 Oct '11, 09:32

JMalanga
1●1●1●1
accept rate: 0%

3 Answers:

1	Check out doc/README.developer. There is a multitude of proto_tree_add functions. And you should read the rest too.... answered 18 Oct '11, 09:56 Jaap ♦ 11.7k●16●101 accept rate: 14%

Any of the proto_tree_add_* functions can be used to add data to the tree, not just proto_tree_add_item. To "extract pieces of data" and then work with them, you can use the tvb_get_* functions (see epan/tvbuff.h).

For example, if you have a little-endian protocol with a two-byte field you want to examine, you could use tvb_get_letohs(tvb, offset).

The Lua interface, while powerful, typically lags behind the C interface feature-wise for a long time. Where possible, you should prefer to write production-level dissectors in C, anyway, so that you can leverage the full featureset that Wireshark offers.

answered 18 Oct '11, 10:03

multipleinte...
1.3k●15●23●40
accept rate: 12%

edited 18 Oct '11, 10:04

The Lua interface, while powerful, typically lags behind the C interface feature-wise for a long time.

That's true...the Lua API doesn't expose that much from C (but nobody has asked for it). The Lua API gets updated with a new feature mostly upon request. Someone has to see a need for it, or else it stays exactly where it is (and rightly so).

(18 Oct '11, 15:25) helloworld

Where possible, you should prefer to write production-level dissectors in C, anyway, so that you can leverage the full featureset that Wireshark offers

IMHO, it really depends on your requirements. If the Lua API provides everything you need (and you don't need the full feature set from C), then choose Lua. Sometimes, the path of least resistance is best. On the other hand, Lua might pose a language barrier for you (or maybe you know it already...it's similar to Python), in which case, it might be easier for you to go with C.

(18 Oct '11, 15:25) helloworld

Hope this helps Requirement : Get some packet bytes and manipulate them and add to tree to view in pane 2 Suggestion : use proto_tree_add_*(_tree, hf_type,tvb,OFFSET,size, var); "var" is what you actually display in pane ...offset will help in highlighting the corresponding bytes in pane3

based upon your requirement proto_tree_add_text() will suit you most as you can use printf like arguments

answered 18 Oct '11, 23:13

flashkicker
109●13●19●19
accept rate: 41%