How to filter by item?

asked 2024-01-07 07:58:18 +0000

alexis
3 ●1 ●4

updated 2024-01-07 07:58:36 +0000

I developed a proprietary dissector and a packet contains several messages.

proto_body = proto_register_protocol("Body", "BODY", "body");

For each message, I add:

proto_item *ti_body = proto_tree_add_item(tree, proto_body, tvb, HEADER_SIZE, length-4, ENC_NA);
proto_tree *tree_body = proto_item_add_subtree(ti_body, ett_body);

Nevertheless, when I filter, it filters what a packet contain.

If each message has a name and family fields, doing body.name==alex and body.family==human, it will filter all the packets containing these 2 conditions, but not in the same item.

Let's say it would accept a packet with 2 messages:

[0]
name=marcus
family=human  --> condition OK
[1]
name=alex
family=cat  --> condition OK

But I want it to filter only if the conditions are true in a single message.

[0]
name=alex  --> condition OK
family=cat  --> condition OK

Regards,

edit retag flag offensive close merge delete

Comments

Thank you very much for you answers!

A frame can contain tens of "body" items, I'd be fine with a macro if I can make it more dynamic.

Or, is there a way to virtually duplicate/split a frame into several frames? I would split all the items into different frames and the filter would work. A bit in a way the packet reassembly works for TCP but opposite. I have a different parser for that but I'd like to keep one application, wireshark if possible.

Thanks!

alexis ( 2024-01-08 12:29:47 +0000 )edit

Are you open to adding some Lua code and a menu item for users to specify the search criteria?

I developed a proprietary dissector ...

Oops - you could just do it in your dissector code. Add a field (could be hidden) to each body for a search string that combines name and family (e.g. "alex|human"). Not pretty but probably quicker than experimenting with Chapter 12. MATE which may or may not be a possible solution.

Chuckc ( 2024-01-09 00:26:14 +0000 )edit

Thanks! This request is for a proprietary protocol but I might also contribute to other protocols in wireshark. Do you have a dissector name I can look at?

Adding a hidden field is also feasible for me! Good idea, thanks!

alexis ( 2024-01-10 01:54:10 +0000 )edit

packet-imap.c:

static int hf_imap_isrequest;
...
  hidden_item = proto_tree_add_boolean(imap_tree, hf_imap_isrequest, tvb, 0, 0, is_request);
  proto_item_set_hidden(hidden_item);

The Ultimate PCAP has imap packets.

Total displayed packets for imap.isrequest==1 and imap.isrequest==0 total to displayed for just imap.isrequest.

Examples of adding a string field:
packet-asterix-template.c:

proto_tree_add_string (parent, *field->part[i]->hf, tvb, offset_in_tvb, length_in_tvb, str_buffer);

packet-gsm_um.c:

proto_tree_add_string(gsm_um_tree, hf_gsm_um_direction, tvb, 0, 0, "Uplink");

file-file.c:

gchar* str = p_get_proto_name_and_key(wmem_file_scope(), pinfo, i);
proto_tree_add_string_format(fh_tree, hf_file_proto_name_and_key, tvb, 0, 0, str, "%s", str);

Chuckc ( 2024-01-10 02:54:10 +0000 )edit

Perfect! Thank you so much! That speeds up my implementation!

alexis ( 2024-01-12 06:46:58 +0000 )edit

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2024-01-08 07:21:10 +0000

Guy Harris
19890 ●3 ●659 ●207

But I want it to filter only if the conditions are true in a single message.

Unfortunately, the Wireshark filtering engine currently has no notion of "within a single message", so there's no way to do that.

edit flag offensive delete link

Comments

Too bad but it seems there is an alternative, thank you very much for you answer!

alexis ( 2024-01-10 01:51:43 +0000 )edit

add a comment

answered 2024-01-08 09:33:31 +0000

SYN-bit

18528 ●9 ●338 ●255 https://SYN-b.it

updated 2024-01-08 14:21:08 +0000

cmaynard

11115 ●11 ●317 ●165 https://www.igt.com/

I'm not sure if this will work for the way your protocol adds the multiple messages to the tree, but if it does, the layer operator might come in handy. Of course that will only work if you have a limited amount of messages per packet. You could try the following:

(body.name[1]==alex and body.family[1]==human) or (body.name[2]==alex and body.family[2]==human) or (body.name[3]==alex and body.family[3]==human) or (body.name[4]==alex and body.family[4]==human)

You might want to make a display filter macro for it like

macro name: NameFamily
macro expression: (body.name[1]==$1 and body.family[1]==$2) or (body.name[2]==$1 and body.family[2]==$2) or (body.name[3]==$1 and body.family[3]==$2) or (body.name[4]==$1 and body.family[4]==$2)

So you can then use the display filter ${NameFamily:alex;human}

edit flag offensive delete link

Comments

Thank you very much for you answer!

A frame can contain tens of "body" items, I'd be fine with a macro if I can make it more dynamic.

alexis ( 2024-01-10 01:51:20 +0000 )edit

add a comment