Ask Your Question
0

How to filter by item?

asked 2024-01-07 07:58:18 +0000

alexis gravatar image

updated 2024-01-07 07:58:36 +0000

I developed a proprietary dissector and a packet contains several messages.

proto_body = proto_register_protocol("Body", "BODY", "body");

For each message, I add:

proto_item *ti_body = proto_tree_add_item(tree, proto_body, tvb, HEADER_SIZE, length-4, ENC_NA);
proto_tree *tree_body = proto_item_add_subtree(ti_body, ett_body);

Nevertheless, when I filter, it filters what a packet contain.

If each message has a name and family fields, doing body.name==alex and body.family==human, it will filter all the packets containing these 2 conditions, but not in the same item.

Let's say it would accept a packet with 2 messages:

[0]
name=marcus
family=human  --> condition OK
[1]
name=alex
family=cat  --> condition OK

But I want it to filter only if the conditions are true in a single message.

[0]
name=alex  --> condition OK
family=cat  --> condition OK

Regards,

edit retag flag offensive close merge delete

Comments

Thank you very much for you answers!

A frame can contain tens of "body" items, I'd be fine with a macro if I can make it more dynamic.

Or, is there a way to virtually duplicate/split a frame into several frames? I would split all the items into different frames and the filter would work. A bit in a way the packet reassembly works for TCP but opposite. I have a different parser for that but I'd like to keep one application, wireshark if possible.

Thanks!

alexis gravatar imagealexis ( 2024-01-08 12:29:47 +0000 )edit

Are you open to adding some Lua code and a menu item for users to specify the search criteria?

I developed a proprietary dissector ...


Oops - you could just do it in your dissector code. Add a field (could be hidden) to each body for a search string that combines name and family (e.g. "alex|human"). Not pretty but probably quicker than experimenting with Chapter 12. MATE which may or may not be a possible solution.

Chuckc gravatar imageChuckc ( 2024-01-09 00:26:14 +0000 )edit

Thanks! This request is for a proprietary protocol but I might also contribute to other protocols in wireshark. Do you have a dissector name I can look at?

Adding a hidden field is also feasible for me! Good idea, thanks!

alexis gravatar imagealexis ( 2024-01-10 01:54:10 +0000 )edit

packet-imap.c:

static int hf_imap_isrequest;
...
  hidden_item = proto_tree_add_boolean(imap_tree, hf_imap_isrequest, tvb, 0, 0, is_request);
  proto_item_set_hidden(hidden_item);
The Ultimate PCAP has imap packets.

Total displayed packets for imap.isrequest==1 and imap.isrequest==0 total to displayed for just imap.isrequest.

Examples of adding a string field:
packet-asterix-template.c:

proto_tree_add_string (parent, *field->part[i]->hf, tvb, offset_in_tvb, length_in_tvb, str_buffer);

packet-gsm_um.c:

proto_tree_add_string(gsm_um_tree, hf_gsm_um_direction, tvb, 0, 0, "Uplink");

file-file.c:

gchar* str = p_get_proto_name_and_key(wmem_file_scope(), pinfo, i);
proto_tree_add_string_format(fh_tree, hf_file_proto_name_and_key, tvb, 0, 0, str, "%s", str);

Chuckc gravatar imageChuckc ( 2024-01-10 02:54:10 +0000 )edit

Perfect! Thank you so much! That speeds up my implementation!

alexis gravatar imagealexis ( 2024-01-12 06:46:58 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted
0

answered 2024-01-08 07:21:10 +0000

Guy Harris gravatar image

But I want it to filter only if the conditions are true in a single message.

Unfortunately, the Wireshark filtering engine currently has no notion of "within a single message", so there's no way to do that.

edit flag offensive delete link more

Comments

Too bad but it seems there is an alternative, thank you very much for you answer!

alexis gravatar imagealexis ( 2024-01-10 01:51:43 +0000 )edit
0

answered 2024-01-08 09:33:31 +0000

SYN-bit gravatar image

updated 2024-01-08 14:21:08 +0000

cmaynard gravatar image

I'm not sure if this will work for the way your protocol adds the multiple messages to the tree, but if it does, the layer operator might come in handy. Of course that will only work if you have a limited amount of messages per packet. You could try the following:

(body.name[1]==alex and body.family[1]==human) or (body.name[2]==alex and body.family[2]==human) or (body.name[3]==alex and body.family[3]==human) or (body.name[4]==alex and body.family[4]==human)

You might want to make a display filter macro for it like

  • macro name: NameFamily
  • macro expression: (body.name[1]==$1 and body.family[1]==$2) or (body.name[2]==$1 and body.family[2]==$2) or (body.name[3]==$1 and body.family[3]==$2) or (body.name[4]==$1 and body.family[4]==$2)

So you can then use the display filter ${NameFamily:alex;human}

edit flag offensive delete link more

Comments

Thank you very much for you answer!

A frame can contain tens of "body" items, I'd be fine with a macro if I can make it more dynamic.

alexis gravatar imagealexis ( 2024-01-10 01:51:20 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2024-01-07 07:58:18 +0000

Seen: 277 times

Last updated: Jan 08