This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Column with an arbitrarily located byte in a packet


How is it possible to create a "Custom" column which refers to an arbitrary offset in the UDP payload? For example, in "Filter definition" it is possible to refer to the 1st byte in the UDP payload as udp[8]. Such a simple approach seems to be blocked in the Packet Display Pane. What am I missing?

asked 26 Oct '11, 07:18

exbungee
accept rate: 0%

edited 26 Oct '11, 07:37


2 Answers:

This is (currently) not possible with Wireshark, although you might be able to do this with the Lua scripting engine that is part of Wireshark.

answered 08 Nov '11, 03:07

SYN-bit ♦♦
accept rate: 20%

edited 08 Nov '11, 06:00 by helloworld

Thanks. Is it possible to add an example? Please assume that the documented method to add a LUA file is known.

(09 Nov '11, 12:04) exbungee
Is it still not possible?

(29 Jan '14, 03:35) Daniil Kharkov

"Use the Code, Luke"
Add the Custom "udp_dump.data" column in Preferences/Columns and tweak the protocol port and byte offset in Preferences/Protocol/UDP_DUMP. Upvote! =)

do
    local udp_dumper_proto = Proto("udp_dump", "UDP dumper")
    -- offset is 0-based: 0 is the first byte of the UDP data (udp[8] in filter syntax)
    udp_dumper_proto.prefs.ofs  = Pref.uint("udp_dump_ofs", 1, "UDP data byte offset")
    udp_dumper_proto.prefs.port = Pref.uint("udp_dump_port", 53, "UDP port")

    udp_dumper_proto.fields.dump = ProtoField.uint8("udp_dump.data", "a dump of byte", base.HEX)

    local prev_proto
    local f_udp = Field.new("udp")

    function udp_dumper_proto.dissector(tvb, pinfo, tree)
        -- run the dissector that was registered on this port before us (e.g. DNS)
        pcall(function() prev_proto:call(tvb, pinfo, tree) end)

        if not f_udp() then return end

        local ofs = udp_dumper_proto.prefs.ofs
        -- reading one byte at ofs needs ofs+1 bytes in the buffer
        if tvb:len() <= ofs then return end

        -- this is just to add text to the "udp_dump.data" field,
        -- which you should display as a column.
        -- as an alternative, you may remove set_hidden() and view the selected data in the treeview
        tree:add(udp_dumper_proto.fields.dump, tvb(ofs, 1)):set_hidden()
    end

    -- if we hook upon a UDP port, then the offset will mean the beginning of the UDP data.
    -- the port is read once here, at load time, so changing it in the preferences
    -- only takes effect after the Lua plugins are reloaded
    local udp_table = DissectorTable.get("udp.port")
    prev_proto = udp_table:get_dissector(udp_dumper_proto.prefs.port)
    udp_table:add(udp_dumper_proto.prefs.port, udp_dumper_proto)

    -- if we hook as a post-dissector, the offset will be from the start of the frame.
    -- don't forget to remove the prev_proto call if you use that kind of hook
    -- register_postdissector(udp_dumper_proto)
end

answered 09 Nov '11, 18:06

ShomeaX
accept rate: 0%

edited 09 Nov '11, 18:08

Short and cool! Thank you very much! Just for clarity: on my WS (Rel 1.7.xx) it creates the following stack of protocols in the frame: eth:vlan:ip:udp:udp_dump:dns. I expected "udp_dump" to be the last item on the stack. Any way to get rid of "dns"?

(10 Nov '11, 02:16) exbungee
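As an added example addressing the follow-up about "dns" (this is not code from ShomeaX's answer or from Wireshark itself): the same byte can be exposed from a post-dissector, which leaves the dissector registered on the port (DNS here) untouched, so the protocol stack keeps its original order and the offset can still be counted from the start of the UDP payload. It assumes that the "udp" tree item Wireshark creates spans exactly the 8-byte UDP header, so the payload starts at that item's frame offset plus 8; the names udp_ofs, udp_ofs.byte and udp_ofs.pos are chosen here.

```lua
-- Added example: post-dissector that reads one byte at a configurable
-- offset into the UDP payload without replacing the port's dissector.
local ofs_proto = Proto("udp_ofs", "UDP payload byte at offset")

-- 0 = first payload byte (what the display filter calls udp[8])
ofs_proto.prefs.ofs = Pref.uint("ofs", 0, "Offset into the UDP payload (0-based)")

local f_byte = ProtoField.uint8("udp_ofs.byte", "Payload byte", base.HEX)
local f_pos  = ProtoField.uint32("udp_ofs.pos", "Frame offset of that byte", base.DEC)
ofs_proto.fields = { f_byte, f_pos }

-- extractor for the "udp" protocol item filled in by the UDP dissector
local f_udp = Field.new("udp")

function ofs_proto.dissector(tvb, pinfo, tree)
    -- a post-dissector receives the whole frame; collect every UDP layer
    -- in it, since tunnelling (e.g. VXLAN) can yield more than one
    local udps = { f_udp() }
    if #udps == 0 then return end
    local udp = udps[#udps]            -- innermost UDP header

    -- assumption: the "udp" item covers the 8-byte header, so the payload
    -- begins right after it; FieldInfo.offset is relative to the frame
    local pos = udp.offset + 8 + ofs_proto.prefs.ofs

    -- the requested byte may lie beyond the captured (or truncated) data
    if pos + 1 > tvb:len() then return end

    local sub = tree:add(ofs_proto, tvb(pos, 1))
    sub:add(f_byte, tvb(pos, 1))
    sub:add(f_pos, pos)
end

-- registered as a post-dissector: runs after every other dissector,
-- so "udp_ofs" lands at the end of the stack and DNS is left alone
register_postdissector(ofs_proto)
```

Add "udp_ofs.byte" as a Custom column; because the offset preference is read on every dissection, changing it only needs a reload of the capture, not of the Lua plugins.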