Can Wireshark display custom options from an Enhanced Packet Block?

asked 2022-11-08 20:12:53 +0000

daved

Hi,

I have a use case where custom options will be added to each EPB in a pcapng file.

Wireshark version 4.0.1 will display a comment option added to the block, i.e. code = 1, but nothing is displayed when I use any of the custom option codes 2988/2989/19372/19373.

I am new to dissectors but could not find any way to add logic (via dissector or other) to allow the custom options to be parsed and displayed.

Maybe I have missed something obvious here.

Does Wireshark support displaying custom options in an EPB out of the box?

If not, is there a plugin I can write to allow my custom option to be displayed, and more importantly, part of a filter, like the comment option can be.

Thanks in advance.

Dave.


1 Answer


answered 2022-11-09 02:57:26 +0000

Chuckc

updated 2022-11-09 03:29:47 +0000

Support for custom options is pretty recent (3431: pcapng: add support for custom options) and not very robust.

Seems you have a pretty clear idea of what your use would be so it's worth opening an enhancement request on the Wireshark Gitlab issues page.

Notes: There are sample captures here - pcapng-test-generator - that include custom blocks and custom options. The custom blocks are integrated into the Wireshark Packet List.
Note: the custom options are not formatted properly (don't include PEN).

pcapng-test-generator/output_be/difficult/test202.pcapng has custom blocks: [screenshot]

pcapng-test-generator/output_be/basic/test009.pcapng has an EPB with custom options.
View->Reload as File Format/Capture:

Block: Enhanced Packet Block 1
    Block Type: Enhanced Packet Block (0x00000006)
    Block Length: 500
    Block Data
        Interface: 0
        Timestamp (High): 312215
        Timestamp (Low): 1690978218
        [Timestamp: Jun 29, 2012 02:28:25.298858000 Central Daylight Time]
        Captured Length: 314
        Packet Length: 314
        Packet Data
        Packet Padding
        Options
            Option: Comment = test009-1
            Option: Flags
            Option: Drop Count = 0
            Option: Unknown
                Code: Unknown (2988)
                Length: 13
                Option Data
                Option Padding
            Option: Unknown
                Code: Unknown (2989)
                Length: 15
                Option Data
                Option Padding
            Option: Unknown
                Code: Unknown (19372)
                Length: 14
                Option Data
                Option Padding
            Option: Unknown
                Code: Unknown (19373)
                Length: 13
                Option Data
                Option Padding
            Option: Unknown
                Code: Unknown (291)
                Length: 12
                Option Data
            Option: Unknown
                Code: Unknown (33059)
                Length: 12
                Option Data
            Option: End of Options
    Block Length (trailer): 500

Debug logging to see custom options in capture file:

Downloads$ tshark -r ./test009.pcapng --log-level "debug" 2>&1 | grep -i "custom option"
 ** (tshark:8452) 20:59:55.722790 [Wiretap DEBUG] C:\gitlab-builds\builds\MsQ3pox2\1\wireshark\wireshark\wiretap\pcapng.c:839 -- pcapng_process_custom_option(): Custom option type 0x0bac with unknown pen 1629513313 with custom data of length 9
 ** (tshark:8452) 20:59:55.722856 [Wiretap DEBUG] C:\gitlab-builds\builds\MsQ3pox2\1\wireshark\wireshark\wiretap\pcapng.c:839 -- pcapng_process_custom_option(): Custom option type 0x0bad with unknown pen 1936682341 with custom data of length 11
 ** (tshark:8452) 20:59:55.722919 [Wiretap DEBUG] C:\gitlab-builds\builds\MsQ3pox2\1\wireshark\wireshark\wiretap\pcapng.c:839 -- pcapng_process_custom_option(): Custom option type 0x4bac with unknown pen 1836654694 with custom data of length 10
 ** (tshark:8452) 20:59:55.722982 [Wiretap DEBUG] C:\gitlab-builds\builds\MsQ3pox2\1\wireshark\wireshark\wiretap\pcapng.c:839 -- pcapng_process_custom_option(): Custom option type 0x4bad with unknown pen 1836654694 with custom data of length 9
 ** (tshark:8452) 20:59:55.724484 [Wiretap DEBUG] C:\gitlab-builds\builds\MsQ3pox2\1\wireshark\wireshark\wiretap\pcapng.c:839 -- pcapng_process_custom_option(): Custom option type 0x0bac with unknown pen 1629513313 with custom data of length 9
 ** (tshark:8452) 20:59:55.724544 [Wiretap DEBUG] C:\gitlab-builds\builds\MsQ3pox2\1\wireshark\wireshark\wiretap\pcapng.c:839 -- pcapng_process_custom_option(): Custom option type 0x0bad with unknown pen 1936682341 with custom data of length 11
 ** (tshark:8452) 20:59:55.724607 [Wiretap DEBUG] C:\gitlab-builds\builds\MsQ3pox2\1\wireshark\wireshark\wiretap\pcapng.c:839 -- pcapng_process_custom_option(): Custom option type 0x4bac with unknown pen 1836654694 with custom data of length 10
 ** (tshark:8452) 20:59:55.724666 [Wiretap DEBUG] C:\gitlab-builds\builds ...
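To make the on-disk layout behind the answer concrete, here is an added example (not code from this thread or from Wireshark) that builds a constructed EPB carrying a comment plus custom options and parses the option list back out, splitting each custom option into code, PEN and data as the pcapng spec lays them out. The packet bytes and PEN 12345 are placeholders; note that a file whose custom options omit the PEN, like the test009 capture described above, would have its first four data bytes read as the PEN, which is what the "unknown pen" values in the debug log reflect.

```python
import struct

# pcapng custom option codes from the question: even = UTF-8, odd = binary,
# 19372/19373 = "do not copy" variants. All carry a 4-byte IANA PEN counted in the length.
CUSTOM = {2988: "custom utf8", 2989: "custom binary", 19372: "custom utf8 nocopy", 19373: "custom binary nocopy"}
OPT_END, OPT_COMMENT, EPB_TYPE = 0, 1, 6
pad4 = lambda n: (n + 3) & ~3  # option and packet data are padded to 32-bit boundaries

def build_option(code, data, pen=None, big_endian=False):
    """Encode one option; for custom codes the PEN is prepended and included in the length."""
    e = ">" if big_endian else "<"
    body = (struct.pack(e + "I", pen) if code in CUSTOM else b"") + data
    return struct.pack(e + "HH", code, len(body)) + body + bytes(pad4(len(body)) - len(body))

def build_epb(packet, options, big_endian=False):
    """Minimal Enhanced Packet Block: 20-byte fixed header, padded packet, options, trailer."""
    e = ">" if big_endian else "<"
    body = struct.pack(e + "IIIII", 0, 0, 0, len(packet), len(packet)) + packet + bytes(pad4(len(packet)) - len(packet))
    body += b"".join(options) + struct.pack(e + "HH", OPT_END, 0)
    return struct.pack(e + "II", EPB_TYPE, 12 + len(body)) + body + struct.pack(e + "I", 12 + len(body))

def parse_options(buf, big_endian=False):
    """Walk an option list: custom options yield (code, pen, data), others (code, None, data)."""
    e = ">" if big_endian else "<"
    opts, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from(e + "HH", buf, off)
        off += 4
        if code == OPT_END:
            break
        data = buf[off:off + length]
        if len(data) < length:
            raise ValueError("option %d runs past the end of the block" % code)
        off += pad4(length)
        if code in CUSTOM:
            if length < 4:  # too short to hold a PEN at all; reject rather than misparse
                raise ValueError("custom option %d too short to hold a PEN" % code)
            opts.append((code, struct.unpack_from(e + "I", data)[0], data[4:]))
        else:
            opts.append((code, None, data))
    return opts

def epb_options(block, big_endian=False):
    """Locate and parse the option list of one EPB (bytes from the type field to the trailer)."""
    e = ">" if big_endian else "<"
    btype, blen = struct.unpack_from(e + "II", block)
    if btype != EPB_TYPE or blen != len(block) or struct.unpack_from(e + "I", block, blen - 4)[0] != blen:
        raise ValueError("not a well-formed Enhanced Packet Block")
    caplen = struct.unpack_from(e + "I", block, 20)[0]
    return parse_options(block[28 + pad4(caplen):blen - 4], big_endian)

# Constructed sample EPB: 3-byte packet, a comment, and two custom options (PEN 12345 is a placeholder).
SAMPLE_EPB = build_epb(b"\x01\x02\x03", [build_option(OPT_COMMENT, b"test009-1"),
    build_option(2988, b"hello", pen=12345), build_option(19373, b"\xde\xad", pen=12345)])
```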

Comments

Support for custom options is pretty recent (3431: pcapng: add support for custom options) and not very robust

...and reeeeeeeeeeeeeallly needs support for 1) wiretap plugins and 2) libwireshark plugins, so precisely zero source changes to core Wireshark are needed.

Guy Harris (2022-11-09 07:03:47 +0000)

Thanks for the response Chuckc,

I have loaded the file and indeed I can see the options when I switch the view.

I'll create an enhancement request.

Thanks, Dave.

daved (2022-11-09 09:50:53 +0000)
