Ask Your Question
0

How can I get the field's value when adding it to the protocol tree?

asked 2024-02-02 08:47:06 +0000

alexis gravatar image

updated 2024-02-05 03:45:03 +0000

Sorry if my question isn't clear, I'm a bit lost in wireshark's code and all the dissector's examples.

My proto_register looks like this:

void
proto_register_mycustom(void) {

  static hf_register_info hf[] = {
    { &hf[F_NTM],
      { "ntm", "ntm",
      FT_UINT16, BASE_DEC,
      NULL, 0x0, NULL, HFILL }},

I add an item like this:

proto_tree_add_item(tree_body, hf[field], tvb, offset + format.offset + offsetMsg, format.len, ENC_LITTLE_ENDIAN);

Is there a way to get the value in the type (FT_STRING or another one) of hf[field] without accessing it with offset and tvb?

I find this to be redundant:

tvb_get_gint32(tvb, offset + format.offset + offsetMsg, ENC_LITTLE_ENDIAN)

Regards,

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-02-02 12:03:53 +0000

johnthacker gravatar image

Yes. If you want to add an item and retrieve the value of the item simultaneously, there are functions like proto_tree_add_item_ret_[type](). Those take a pointer to where information will be place. For strings, strings are allocated in dynamic memory and it also takes a scope. The format for strings is like:

char* mystring proto_tree_add_item_ret_string(tree, hfid, tvb, start, length, ENC_UTF_8, pinfo->pool, &mystring);

which creates a string that is automatically freed when the packet is done dissecting. For 32 bit unsigned integers it is:

guint32 mynumber proto_tree_add_item_ret_uint(tree, hfid, tvb, start, length, ENC_LITTLE_ENDIAN, &mynumber);

For integers smaller than 32 bits, a 32 bit variable must be declared and used to store it anyway so that pointer alignment is correct. (This is fine in C anyway because of the integer promotion rules.)

I assume that you were mixing two examples, but note that you do not want to use ENC_LITTLE_ENDIAN by itself with a FT_STRING, as that is not an encoding that sufficiently describes how to decode a string. There are a few cases where ENC_LITTLE_ENDIAN can be used in concert with multibyte encodings, like ENC_UTF_16|ENC_LITTLE_ENDIAN, but most of the time you want a string encoding that doesn't require endianness.

edit flag offensive delete link more

Comments

The problem is that I access it in a "generic" way. When I call proto_tree_add_item, I don't know the type. I guess I have to filter it. You're right, I fix my question with FT_UINT16. Thanks! It was very useful!

alexis gravatar imagealexis ( 2024-02-05 03:47:05 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2024-02-02 08:47:06 +0000

Seen: 226 times

Last updated: Feb 05