You could use a Lua script to create a new field and format the data as needed.
(See example: How to change the info column in a protobuf dissector.)
-- EASYPOST.lua
-- Replace occurrences of "easypost/EASYPOST" with protocol/dissector name.
-- Grab and format fields as needed
-- Step 1 - document as you go. See header above and set_plugin_info().
local easypost_info =
{
version = "1.0.0",
author = "Good Coder",
description = "Important EASYPOST stuff",
repository = "Floppy in top drawer"
}
set_plugin_info(easypost_info)
-- Step 2 - create a protocol to attach new fields to
local easypost_p = Proto.new("easypost","Important EASYPOST Protocol")
-- Step 3 - add some field(s) to Step 2 protocol
local pf = { payload = ProtoField.string("easypost.payload", "EASYPOST data") }
easypost_p.fields = pf
-- Step 4 - create a Field extractor to copy packet field data.
-- easypost_payload_f = Field.new("frame.protocols")
easypost_payload_f = Field.new("synphasor.phasor")
-- Step 5 - create the postdissector function that will run on each frame/packet
function easypost_p.dissector(tvb,pinfo,tree)
local subtree = nil
-- copy existing field(s) into table for processing
finfo = { easypost_payload_f() }
if (#finfo > 0) then
if not subtree then
subtree = tree:add(easypost_p)
end
for k, v in pairs(finfo) do
-- process data and add results to the tree
field_display = string.gsub(v.display, "^[^,]+,[ ]+", "")
subtree:add(pf.payload, field_display)
end
end
end
-- Step 6 - register the new protocol as a postdissector
register_postdissector(easypost_p, true)
Using the sample file mentioned above. (Profile specified to get needed DLT config info.)
C:\>"c:\Program Files\Wireshark\tshark.exe" -C 250408_missing_experts -r 351S_synphasor_serial.pcap -V -Y frame.number==651 -T fields -e easypost.payload -E aggregator="|"
11.270A ∠-26.053° alt 10.125+j -4.950A; unscaled: 45, -22|4.528A ∠-26.565° alt 4.050+j -2.025A; unscaled: 18, -9|4.227A ∠-25.201° alt 3.825+j -1.800A; unscaled: 17, -8|1.677A ∠-26.565° alt 1.500+j -0.750A; unscaled: 20, -10|5.909V ∠-23.962° alt 5.400+j -2.400V; unscaled: 9, -4|7.250V ∠-24.444° alt 6.600+j -3.000V; unscaled: 11, -5|7.250V ∠-24.444° alt 6.600+j -3.000V; unscaled: 11, -5|7.250V ∠-24.444° alt 6.600+j -3.000V; unscaled: 11, -5|2.216A ∠-23.962° alt 2.025+j -0.900A; unscaled: 9, -4|0.000V ∠ 0.000° alt 0.000+j 0.000V; unscaled: 0, 0
The string.gsub() above deletes text up to the , and spaces before next non-space character.
To get the remainder (including the ;) it might be easier to read as two steps:
-- process data and add results to the tree
field_display = string.gsub(v.display, "^[^,]+,[ ]+", "")
field_display = string.gsub(field_display, ";.+$", "")
subtree:add(pf.payload, field_display)
C:\>"c:\Program Files\Wireshark\tshark.exe" -C 250408_missing_experts -r 351S_synphasor_serial.pcap -V -Y frame.number==651 -T fields -e easypost.payload -E aggregator="|"
11.270A ∠-26.053° alt 10.125+j -4.950A|4.528A ∠-26.565° alt 4.050+j -2.025A|4.227A ∠-25.201° alt 3.825+j -1.800A ...
(more)
Hello grahamb, I've tried this but it seems that my WS doesn't have this field to export "synphasor.phasor.real". Thanks
Display Filter Reference: IEEE C37.118 Synchrophasor Protocol
synphasor.phasor Phasor Character string 2.0.0 to 4.4.6https://gitlab.com/wireshark/wireshar...
pi = (phasor_info *)wmem_array_index(block->phasors, j); temp_item = proto_tree_add_string_format(phasor_tree, hf_synphasor_phasor, tvb, offset, floating_point == block->format_ph ? 8 : 4, pi->name, "Phasor #%u: \"%s\"", j + 1, pi->name);/* holds the information required to dissect a single phasor */ typedef struct { char name[MAX_NAME_LEN + 1]; unit_e unit; uint32_t conv; /* cfg-2 conversion factor in 10^-5 scale */ float conv_cfg3; /* cfg-3 conversion scale factor */ float angle_offset_cfg3; /* cfg-3 angle offset */ } phasor_info;There is a sample capture attached to 8695: Enhancement to packet-synphasor.c to use 'new_' versions of dissector registration and initialization
From frame 651:
Phasors (10), notation: rectangular, format: integer Phasor #1: "IAPM ", 11.270A ∠-26.053° alt 10.125+j -4.950A; unscaled: 45, -22 Phasor #2: "IBPM ", 4.528A ∠-26.565° alt 4.050+j -2.025A; unscaled: 18, -9 Phasor #3: "ICPM ...(more)In you example, when I use synphasor.phasor, using the "-E occurrence=a", is showing the texts IAPM, IBPM, ICPM, etc. instead I want to save 11.270A -26.053 or 10.125+j4,95.
thnks