Searching for strings registered with VAL() macro using display filter for custom Wireshark dissector?

asked 2024-10-14 00:20:04 +0000

updated 2024-10-14 22:19:25 +0000

Hello! I have developed a dissector for a proprietary protocol and one of the most useful features I would like to provide internal users with is the ability to search commands within the system using the associated string (for example: "PROPRIETARY_OPEN_DOOR", "PROPRIETARY_CLOSE_DOOR", etc.).

These commands exist as macros in the codebase (#define PROPRIETARY_OPEN_DOOR 0x12345678). For basic dissection and display, I created a Python script that used regex searching and file I/O to create a value_string table (called proprietarycmdnames) for Wireshark with the associated string for each command and its value. I then registered the header field as such: { &hf_proprietary_command, { "Command", "proprietary.command", FT_STRINGZ, VALS(proprietarycmdnames), NULL, 0x0, NULL, HFILL }}

Now, on protocol header fields using hex or decimal values, the display filters work perfectly fine (proprietary.length==90). But for these string based fields, Wireshark is simply unable to pick up the command name strings that I type (proprietary.command=="PROPRIETARY_OPEN_DOOR"). I am definitely lacking some fundamental understanding of the underlying data structures, and the README for display filters was a bit too heavy. Am I approaching this wrong?

Also, an extremely strange bug occurs for SPECIFIC fields only (no discernible pattern) where using a filter for that field causes Wireshark to crash.

I started developing this dissector for Wireshark 4.3.0 and am currently on 4.5.0. The crashes occurred for all fields on 4.3.0 and have reduced significantly for 4.5.0. I'm willing to step through the code with a debugger and investigate further if I could get some tips on where to start looking. But regardless, what's the solution to the string search? Thanks!

EDIT: I meant { &hf_proprietary_command, { "Command", "proprietary.command", FT_STRINGZ, BASE_NONE, NULL, 0x0, "Command", HFILL }}. And then I use val_to_str(command_value, proprietarycmdnames, "0x%06x") to get the string displayed using the hex value of the command from my value_string table.


Comments

First up: that field definition is incorrect: there's BASE_NONE missing after FT_STRINGZ

Second: VALS are only applicable to integer fields (FT_UINT*), not for string types.

Read carefully in doc/README.dissector

Jaap (2024-10-14 06:16:24 +0000)

I am incredibly sorry. I used the wrong example. Here is what I meant: { &hf_proprietary_command, { "Command", "proprietary.command", FT_STRINGZ, BASE_NONE, NULL, 0x0, "Command", HFILL }}

And then I use val_to_str(command_value, proprietarycmdnames, "0x%06x") to get the string displayed using the hex value of the command from my value_string table.

addy_wireshark2024 (2024-10-14 22:18:17 +0000)
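Putting Jaap's two points together, as an added example that is neither the asker's script nor Wireshark code: a generator in the spirit of the asker's Python script that scans `#define` lines, emits the `value_string` table, and registers the command as an `FT_UINT32` field with `VALS()`, which is the field type the display filter can resolve a value_string name against. The `PROPRIETARY_` prefix, the header text and the non-command `"1.2"` macro are constructed assumptions.

```python
import re

# Constructed sample of the macro lines the question describes (not the real header).
SAMPLE_HEADER = """\
#define PROPRIETARY_OPEN_DOOR   0x12345678
#define PROPRIETARY_CLOSE_DOOR  0x12345679
#define PROPRIETARY_LOCK_DOOR   0x1234567A   /* trailing comment */
#define PROPRIETARY_VERSION     "1.2"        /* not a command: must be skipped */
"""

# One command macro per line: "#define <NAME> <hex or decimal integer literal>".
_MACRO_RE = re.compile(
    r"^\s*#\s*define\s+(?P<name>PROPRIETARY_[A-Z0-9_]+)\s+"
    r"(?P<value>0[xX][0-9A-Fa-f]+|\d+)\b"
)


def parse_commands(source: str) -> dict[str, int]:
    """Map command macro names to integer values; non-integer macros are ignored."""
    commands = {}
    for line in source.splitlines():
        m = _MACRO_RE.match(line)
        if m:
            raw = m.group("value")
            commands[m.group("name")] = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
    return commands


def value_string_table(commands: dict[str, int], table: str = "proprietarycmdnames") -> str:
    """Emit the value_string[] array, sorted by value; the {0, NULL} terminator is mandatory."""
    rows = [f'    {{ 0x{v:08X}, "{n}" }},' for n, v in sorted(commands.items(), key=lambda kv: kv[1])]
    rows.append("    { 0, NULL }")
    return f"static const value_string {table}[] = {{\n" + "\n".join(rows) + "\n};\n"


def hf_entry(table: str = "proprietarycmdnames") -> str:
    """hf_register_info entry: an integer field with VALS(), not FT_STRINGZ, so that
    proprietary.command == "PROPRIETARY_OPEN_DOOR" is looked up through the table."""
    return (
        "    { &hf_proprietary_command,\n"
        '      { "Command", "proprietary.command", FT_UINT32, BASE_HEX,\n'
        "        VALS(" + table + '), 0x0, "Command", HFILL }},\n'
    )


if __name__ == "__main__":
    cmds = parse_commands(SAMPLE_HEADER)
    print(value_string_table(cmds))
    print(hf_entry())
```

With the field registered this way the value is still added from the 4-byte command with `proto_tree_add_item`, and Wireshark renders the name from the table without a separate `val_to_str` call.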