
Get field value in tap listener plugin written in C language

asked 2018-01-08 10:21:24 +0000

Kery

updated 2018-01-09 05:31:47 +0000

Guy Harris


In the packet callback function of a tap listener plugin written in C, I want to get the values of various fields, such as ip.len.

From my understanding, after reading the source code of Wireshark, I first need to prime the fields whose values I need, and then call proto_get_finfo_ptr_array to get the field_infos in the packet callback function. But the function used to prime the field is declared as extern void proto_tree_prime_with_hfid, not WS_DLL_PUBLIC; this means that the function is not exported by the DLL. So this will lead to a link error.

How can I solve this problem? Is there any other way to get the fields' values?

Update: I also tried using GPtrArray * proto_find_finfo(edt->tree, id) to get the field info for ip.len; the return value is not NULL, but the array length is 0. So I also failed to extract the field values.

Update (2017-01-09): I found that epan_dissect_prime_with_hfid is declared as WS_DLL_PUBLIC, and it calls proto_tree_prime_with_hfid directly, so I can use this function instead. I have the following code after my listener is registered. With it I can get the field info for ip.len, but only for the first packet. Now the problem has changed to: why does it only work for the first packet?

epan_dissect_t edt;
int id = proto_registrar_get_id_byname("ip.len");
// edt->tree is an unused parameter
epan_dissect_prime_with_hfid(&edt, id);

1 Answer


answered 2018-01-09 06:07:41 +0000

Guy Harris

Unfortunately, there's currently no way to do that; your tap has to request a full protocol tree, by using the TL_REQUIRES_PROTO_TREE flag, in order to get any fields. See, for example, the ui/cli/tap-iostat.c tap.

This should probably be fixed, by allowing a tap to request a particular set of fields. However, that won't happen until the next major release.
