Hello. I have written a dissector for a subset of a protocol called TC that has two subfields. Let's call this implementation "TC_Subset" and the two fields the Primary and Segment fields. I would like the Wireshark display for the dissection to look like the below, where > and V indicate collapsed and expanded trees, respectively:

> Frame 1
V TC_Subset


Unfortunately, it currently looks like this:

> Frame 1
V TC_Subset
  > TC_Subset
  > TC_Subset


I think I know why, but I don't know how to fix it. I'll start by showing the relevant areas of code and point out where I think the issue is. I believe it's from a combination of things in the dissect_ and register_ methods.

## "dissect_tc" excerpt

static int
dissect_tc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
    /* OFFSET IS IN OCTETS */
    int          offset   = 0;
    proto_item  *tc_packet;
    proto_tree  *tc_tree  = NULL;
    ...additional set up and definitions of things like length, etc...

    /* Set up the base tree */
    tc_packet = proto_tree_add_item(tree, proto_tc_subset, tvb, 0, length, ENC_BIG_ENDIAN);

    /* build primary header tree */
    ...program tree accordingly...

    /* build segment header tree */
    ...rest of method, not related to the problem...


Next, let's look at a small section of register_tc.

## "register_tc" excerpt

void
proto_register_tc(void)
{
    static hf_register_info hf[] = ...define all fields for both headers in this one array...

    /* Setup protocol subtree array */
    static gint *ett[] = {
        &ett_tc,
    };

    ...

    /* Register the protocol name and description */
    proto_tc_subset = proto_register_protocol("TC_Subset", "TC_Subset", "tc_subset");

    /* Required function calls to register the header fields and subtrees used */
    proto_register_field_array(proto_tc_subset, hf, array_length(hf));
    proto_register_subtree_array(ett, array_length(ett));


Note that in the definition of the primary header and segment header variable, I'm passing in "proto_tc_subset" both times. That's where the label is coming from. I think I need to pass in something else there in order to get the label to be what I'd like to see instead of just repeating "TC_Subset", but I'm not sure how to define such a thing.



These calls primary_header = proto_tree_add_item(tc_tree, proto_tc_subset, tvb, offset, TC_PRIMARY_HEADER_LENGTH, ENC_NA); need to have proto_tc_subset replaced.

See the packet-PROTOABBREV.c file in the doc folder of the sources. There hf_PROTOABBREV_FIELDABBREV is used.


Will look at this again, thanks. Will update once I've had some time to go over the file.

( 2020-08-12 19:27:45 +0000 )

@Jaap

So based on that file I've tried several options, but nothing seems to be exactly what I'm looking for, though some come close.

Following the protoabbrev example, the fields that are given are FT_FIELDTYPE, FIELDDISPLAY, FIELDCONVERT, BITMASK, "FIELDDESCR", and HFILL.

Let FT_FIELDTYPE = X and FIELDDISPLAY = Y. I left FIELDCONVERT as NULL, BITMASK is 0x0, FIELDDESCR is NULL, and HFILL is still HFILL.

For various values of X and Y, I either get something very close to what I wanted, or a crash whenever I try to boot Wireshark. The closest so far has been:

X = FT_STRING,
Y = BASE_ASCII


This almost gets me the labels I want, but they come out as labels with values:

Primary Header: 0\b



I thought that something like

X = FT_CHAR,
Y = BASE_NONE


might be it, but that causes Wireshark to fail to load due to throwing an exception ...

( 2020-08-14 15:37:26 +0000 )

Figured it out.

( 2020-08-17 21:02:00 +0000 )

Figured it out by looking at PROTOABBREV.c again and trying several combinations.

You'll want to add a declaration to the static hf_register_info hf[] array that contains the following fields, with the fields containing "example" replaced.

{ &example_handle_name,
  /* name, filter abbreviation, type, display, strings, bitmask, blurb, HFILL */
  { "Example Name", "example.abbrev", FT_NONE, BASE_NONE, NULL, 0x0, "Example Name or Description", HFILL }
},


So for the requested example, it would look something like this:

{ &hf_tc_ph_name,
  { "Primary Header", "tc_subset.primary_header", /* abbreviation is a placeholder */
    FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }
},


and similarly define one for segment header.

Then replace the proto_tc_subset with the name you set for these specific fields.


You should probably use FT_NONE for those fields; FT_PROTOCOL is only intended for protocols, such as TC_SUBSET.

( 2020-08-18 00:58:35 +0000 )

Thanks! Updated answer to reflect that.

( 2020-08-18 16:50:30 +0000 )