This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Packet data in wireshark not highlighted on click using my custom dissector

1

I am writing a dissector in Lua for a custom binary protocol. I have defined three field types:

f.field1 = ProtoField.bytes("myproto.field1","Field 1",base.HEX)
f.field2 = ProtoField.uint16("myproto.field2","Field 2",base.HEX)
f.field3 = ProtoField.bytes("myproto.field3","Field 3",base.HEX)

These fields are added to the tree like this:

subtree:add(f.field1,buf(offset,4))
offset = offset + 4
val2 = buf(offset,2):uint()

– some logic around populating f2_description omitted
offset = offset + 2
subtree:add(f.field2, val2):append_text(" (" ..f2_description ..")")
subtree:add(f.field3, buf(offset,2))


Now, when I open Wireshark and click on “Field 1” or “Field 3” in the dissected packet’s tree, I see that the selected data is highlighted in the raw packet hex view (bottom most panel):

packet contents highlighted


but it is not the case for Field2.

alt text


What am I doing wrong?

asked 13 Feb ‘12, 13:02

Konrads's gravatar image

Konrads
21114
accept rate: 0%

edited 13 Feb ‘12, 17:33

helloworld's gravatar image

helloworld
3.1k42041

One Answer:

3

The problem is you're passing in val2 (an integer) when you really want to pass in buf(offset,2), which is a TvbRange. TreeItem requires the TvbRange in order to highlight the corresponding bytes in the Packet Details Pane.

Something like this would work the way you want:

subtree:add(f.field1,buf(offset,4))
offset = offset + 4
val2 = buf(offset+4,2):uint()
-- some logic around populating f2_description omitted
offset = offset + 2
subtree:add(f.field2, val2 buf(offset+4,2)):append_text(" (" ..f2_description ..")")
subtree:add(f.field3, buf(offset+6,2))

answered 13 Feb '12, 18:12

helloworld's gravatar image

helloworld
3.1k42041
accept rate: 28%

edited 13 Feb '12, 19:52

Thanks! it works!

(14 Feb '12, 00:07) Konrads