This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Column with arbitrary located byte in a packet

1
1

How it is possible to create a "Custom" column which refers to an arbitrary offset in UDP payload. For example, in "Filter definition" it is possible to reffer to the 1st byte in UDP payload as udp[8]. Such simple approach seems to be blocked in Packet Display Plain. What am I missing?

asked 26 Oct '11, 07:18

exbungee's gravatar image

exbungee
16234
accept rate: 0%

edited 26 Oct '11, 07:37

2 Answers:
active answersoldest answersnewest answerspopular answers
1

This is (currently) not possible with Wireshark, although you might be able to do this with the Lua scripting engine that is part of Wireshark.

permanent link

answered 08 Nov '11, 03:07

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

edited 08 Nov '11, 06:00

helloworld's gravatar image

helloworld
3.1k42041

Thanks. Is it possible to add an example. Please assume that the documented method to add LUA file is known.

(09 Nov '11, 12:04) exbungee
1

is it still not possible?

(29 Jan '14, 03:35) Daniil Kharkov
0

"use the Code, Luk"
add the Custom "udp_dump.data" column in Preferences/Columns and tweak protocol port and byte offset in Preferences/Protocol/UDP_DUMP. Upvote! =)

do
        local udp_dumper_proto = Proto("udp_dump", "UDP dumper");

        udp_dumper_proto.prefs.ofs = Pref.uint( "udp_dump_ofs", 1, "UDP data byte offset" )
        udp_dumper_proto.prefs.port   = Pref.uint( "udp_dump_port", 53, "UDP port" )

        udp_dumper_proto.fields.dump   = ProtoField.uint8("udp_dump.data", "a dump of byte", base.HEX)

        local prev_proto
        local f_udp    = Field.new("udp")

        function udp_dumper_proto.dissector(tvb, pinfo, tree)
            pcall(function()prev_proto:call(tvb, pinfo, tree)end)

            if not f_udp() then return end

            local ofs = udp_dumper_proto.prefs.ofs -- udp_dumper_proto.prefs.filter
            if (tvb:len() < ofs) then return end

            -- this is just to add text to "udp_dump.data" field, 
            -- which you should display as column.
            -- as an alternate, you may remove set_hidden() and view selected data in the treeview
            tree:add(udp_dumper_proto.fields.dump, tvb(ofs,1)):set_hidden();
        end

        -- if we hook upon UDP port, then offset will mean the beginning of the UDP data
        udp_table = DissectorTable.get("udp.port")
        prev_proto = udp_table:get_dissector(udp_dumper_proto.prefs.port)
        udp_table:add(udp_dumper_proto.prefs.port, udp_dumper_proto)

        -- if we hook as post dissector, the offset will be from start of the frame. 
        -- don't forget to remove the prev_proto call if you'll use that kind of hook
--        register_postdissector(udp_dumper_proto)
end
permanent link

answered 09 Nov '11, 18:06

ShomeaX's gravatar image

ShomeaX
736
accept rate: 0%

edited 09 Nov '11, 18:08

Short and cool! Really thanks! Just for clarity: on my WS (Rel 1.7.xx) it creates the following stack Protocols in frame: eth:vlan:ip:udp:udp_dump:dns I expected "udp_dump" to be the last item on the stack. Any way to get rid of "dns"?

(10 Nov '11, 02:16) exbungee
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×29
×13

question asked: 26 Oct '11, 07:18

question was seen: 6,138 times

last updated: 29 Jan '14, 03:39

Related questions

Offset into ethernet packets

SSID Displayed in Column

Filtering out Specific lines that contain Specific Information in the Information Column

[Lua] bytes consumed during dissection

Info column auto-wrapping

Add a Time/New Ip Column into Endpoints.?

How to determine offset filter?

adding frame.coloring_rule.name as column to packet list

How to display Packet List column header 'info'

filter for partial IP address

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A