
Dissector Header Labels

asked 2020-08-12 16:53:51 +0000

dmanderson

Hello. I have written a dissector for a subset of a protocol called TC that has two subfields. Let's call this implementation "TC_Subset" and the two fields the Primary and Segment fields. I would like the wireshark display for the dissection to look like the below, where > and V indicate collapsed and expanded trees, respectively:

> Frame 1
V TC_Subset
  > Primary Header
  > Segment Header

Unfortunately, it currently looks like this:

> Frame 1
V TC_Subset
   > TC_Subset
   > TC_Subset

I think I know why, but I don't know how to fix it. I'll start by showing the relevant areas of code and point out where I think the issue is. I believe it's from a combination of things in the dissect_ and register_ methods.

"dissect_tc" excerpt

static int
dissect_tc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
    //OFFSET IS IN OCTETS
    int          offset          = 0;
    proto_item  *tc_packet;
    proto_tree  *tc_tree      = NULL;
    proto_item  *primary_header  = NULL;
    proto_tree  *primary_header_tree;
    proto_item  *segment_header = NULL;
    proto_tree  *segment_header_tree;
    ...additional set up and definitions of things like length, etc...

    /* Set up the base tree */
    tc_packet = proto_tree_add_item(tree, proto_tc_subset, tvb, 0, length, ENC_BIG_ENDIAN);
    tc_tree   = proto_item_add_subtree(tc_packet, ett_tc);

    /* build primary header tree */
    primary_header = proto_tree_add_item(tc_tree, proto_tc_subset, tvb, offset, TC_PRIMARY_HEADER_LENGTH, ENC_NA);
    primary_header_tree = proto_item_add_subtree(primary_header, ett_tc_primary_header);
    ...program tree accordingly...

    /* build segment header tree */ 
    segment_header=proto_tree_add_item(tc_tree, proto_tc_subset, tvb, offset, TC_SEGMENT_HEADER_LENGTH, ENC_NA);
    segment_header_tree=proto_item_add_subtree(segment_header, ett_tc_segment_header);
    ...rest of method, not related to the problem...

Next, let's look at a small section of register_tc.

"register_tc" excerpt

void
proto_register_tc(void)
{
    static hf_register_info hf[] = ...define all fields for both headers in this one array...

    /* Setup protocol subtree array */
    static gint *ett[] = {
        &ett_tc,
        &ett_tc_primary_header,
        &ett_tc_segment_header
    };

    ...

    /* Register the protocol name and description */
    proto_tc_subset = proto_register_protocol("TC_Subset", "TC_Subset", "tc_subset");

    /* Required function calls to register the header fields and subtrees used */
    proto_register_field_array(proto_tc_subset, hf, array_length(hf));
    proto_register_subtree_array(ett, array_length(ett));

Note that in the definition of the primary header and segment header variable, I'm passing in "proto_tc_subset" both times. That's where the label is coming from. I think I need to pass in something else there in order to get the label to be what I'd like to see instead of just repeating "TC_Subset", but I'm not sure how to define such a thing.


2 Answers


answered 2020-08-12 17:38:41 +0000

Jaap

These calls primary_header = proto_tree_add_item(tc_tree, proto_tc_subset, tvb, offset, TC_PRIMARY_HEADER_LENGTH, ENC_NA); need to have proto_tc_subset replaced.

See the packet-PROTOABBREV.c file in the doc folder of the sources. There hf_PROTOABBREV_FIELDABBREV is used.


Comments

Will look at this again, thanks. Will update once I've had some time to go over the file.

dmanderson (2020-08-12 19:27:45 +0000)

@Jaap

So based on that file I've tried several options, but nothing seems to be exactly what I'm looking for, though some come close.

Following the protoabbrev example, the fields that are given are FT_FIELDTYPE, FIELDDISPLAY, FIELDCONVERT, BITMASK, "FIELDDESCR", and HFILL.

Let FT_FIELDTYPE = X and FIELDDISPLAY = Y. I left FIELDCONVERT as NULL, BITMASK is 0x0, FIELDDESCR is NULL, and HFILL is still HFILL.

For various values of X and Y, I either get something very close to what I wanted, or a crash whenever I try to boot wireshark. The closest so far has been:

X = FT_STRING,
Y = BASE_ASCII

This almost gets me the labels I want, but they come out as labels with values:

Primary Header: 0\b

Segment Header: <unknown character>

I thought that something like

X = FT_CHAR,
Y = BASE_NONE

might be it, but that causes wireshark to fail to load due to throwing an exception ...

dmanderson (2020-08-14 15:37:26 +0000)

Figured it out.

dmanderson (2020-08-17 21:02:00 +0000)

answered 2020-08-17 21:01:36 +0000

dmanderson

updated 2020-08-18 16:51:07 +0000

Figured it out by looking at PROTOABBREV.c again and trying several combinations.

You'll want to add a declaration to the static hf_register_info hf[] array that contains the following fields, with the fields containing "example" replaced.

{&example_handle_name,
   { "Example Header Name",   "protocol.example_header_name",
     FT_NONE, BASE_NONE, NULL, 0x0, "Example Name or Description", HFILL}
},

So for the requested example, it would look something like this:

{&hf_tc_ph_name,
   {"Primary Header", "tc.primary_name",
    FT_NONE, BASE_NONE, NULL, 0x0,
    "Primary Header", HFILL }
},

and similarly define one for segment header.

Then replace the proto_tc_subset with the name you set for these specific fields.


Comments

You should probably use FT_NONE for those fields; FT_PROTOCOL is only intended for protocols, such as TC_SUBSET.

Guy Harris (2020-08-18 00:58:35 +0000)

Thanks! Updated answer to reflect that.

dmanderson (2020-08-18 16:50:30 +0000)
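The tree layout the accepted fix produces, written out here as an added Lua dissector (not code from the question or from either answer) so it can be loaded with tshark without a Wireshark build tree. ProtoField.none is the Lua counterpart of an FT_NONE/BASE_NONE hf entry, and the Proto object plays the role of proto_tc_subset (FT_PROTOCOL), which is why it is used only for the top-level item and not for the two headers. The header lengths, the leaf fields inside each header, the field abbreviations and the UDP port 12345 are all assumptions for the example.

```lua
-- Added example (not from the original question or answers): a Lua
-- dissector that builds "V TC_Subset / > Primary Header / > Segment Header".
-- Header lengths, leaf fields, abbreviations and the UDP port are assumed.
local tc_subset = Proto("tc_subset", "TC_Subset")

-- Subtree parent items: ProtoField.none is the Lua counterpart of an
-- FT_NONE / BASE_NONE hf_register_info entry. Reusing the protocol item
-- here is what produced the repeated "TC_Subset" labels in the question.
local f_primary_header = ProtoField.none("tc_subset.primary_header", "Primary Header")
local f_segment_header = ProtoField.none("tc_subset.segment_header", "Segment Header")

-- Assumed leaf fields so each header actually expands to something.
local f_ph_version = ProtoField.uint8("tc_subset.primary_header.version", "Version", base.DEC)
local f_ph_length  = ProtoField.uint16("tc_subset.primary_header.length", "Length", base.DEC)
local f_sh_flags   = ProtoField.uint8("tc_subset.segment_header.flags", "Flags", base.HEX)
local f_sh_map_id  = ProtoField.uint8("tc_subset.segment_header.map_id", "MAP ID", base.DEC)

tc_subset.fields = {
    f_primary_header, f_segment_header,
    f_ph_version, f_ph_length, f_sh_flags, f_sh_map_id,
}

-- Assumed header sizes (stand-ins for TC_PRIMARY_HEADER_LENGTH and
-- TC_SEGMENT_HEADER_LENGTH in the question).
local PRIMARY_HEADER_LENGTH = 4
local SEGMENT_HEADER_LENGTH = 2

function tc_subset.dissector(buf, pinfo, tree)
    -- Do not build a tree for a buffer too short to hold both headers;
    -- returning 0 tells Wireshark the packet was not dissected.
    if buf:len() < PRIMARY_HEADER_LENGTH + SEGMENT_HEADER_LENGTH then
        return 0
    end
    pinfo.cols.protocol = tc_subset.name

    -- Top-level item: the protocol itself ("V TC_Subset").
    local root = tree:add(tc_subset, buf())

    local offset = 0
    -- "> Primary Header": the FT_NONE-style item is the subtree parent,
    -- so the label is the field name rather than the protocol name.
    local ph = root:add(f_primary_header, buf(offset, PRIMARY_HEADER_LENGTH))
    ph:add(f_ph_version, buf(offset, 1))
    ph:add(f_ph_length, buf(offset + 2, 2))
    offset = offset + PRIMARY_HEADER_LENGTH

    -- "> Segment Header"
    local sh = root:add(f_segment_header, buf(offset, SEGMENT_HEADER_LENGTH))
    sh:add(f_sh_flags, buf(offset, 1))
    sh:add(f_sh_map_id, buf(offset + 1, 1))
    offset = offset + SEGMENT_HEADER_LENGTH

    return offset
end

-- Assumed transport: hand the dissector UDP port 12345.
DissectorTable.get("udp.port"):add(12345, tc_subset)
```

Load it with `tshark -X lua_script:tc_subset.lua -r capture.pcapng -V` (or drop it in the personal plugins directory) and the verbose tree shows the two header labels under the single protocol line, matching the layout the question asked for.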
