Ask Your Question
0

How to add a custom field in Wireshark which is delta of a field in frames

asked 2018-10-12 13:09:23 +0000

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

Hello,

How to add a custom field in Wireshark which is delta of a field in frame. ie for frame 2 value of custom field = frame 2 fieldX value - frame 1 fieldX value.

Regards, S.Senthil

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted
0

answered 2018-10-12 13:18:16 +0000

Jasper gravatar image

Unfortunately this isn't possible, unless the calculation between the two frame values is hard coded in the dissector (examples are DNS/HTTP response times). Custom fields are based on display filters, and display filters can only ever look at a single packet at the same time.

edit flag offensive delete link more

Comments

Hello,

Thanks for the reply. Is there any possibility to have it in dissector, is that easy to do, if so can you any sample to share, so that i use it and build for my requirement. Using Lua programming or something in wireshark where i edit the dissector itself. It is for (protocol SV and the field for which i would like to find delta is smpCnt)

Regards, S.Senthil

Senthil gravatar imageSenthil ( 2018-10-12 13:26:24 +0000 )edit

Have a look at MATE, now also described in Chapter 12 of the Wireshark User Guide; you might be able to use it to accomplish your goal.

cmaynard gravatar imagecmaynard ( 2018-10-12 17:18:31 +0000 )edit

Hello, Using MATE, We cannot find the difference in smpCnt which is usually incremented by 1 for every frame. We can extract the Pdu from smpCnt from Frame, but you dont have start or stop of Gop and you dont have any subtraction Operator for the smpCnt.

Senthil gravatar imageSenthil ( 2018-10-13 11:34:37 +0000 )edit

If MATE doesn't provide what you need (or doesn't provide everything that you need), you may need to write a Luapost-dissector instead, or you may even require a combination of both MATE and a Lua post-dissector to achieve your goal. I think it should be possible though.

cmaynard gravatar imagecmaynard ( 2018-10-14 15:59:02 +0000 )edit

MATE is out of question here.

In Lua, you have to build a "table" (array) of the delta values, indexed by frame number, and use that table to store your deltas. Each dissector is called many times as you work in Wireshark, but there is a first pass during which all the packets are dissected in sequence, and during this pass you can calculate the deltas by storing the absolute value of the field and using the stored value from the previous packet when dissecting the next one. Of course, if several unrelated streams of the same protocol can appear in the capture, you have to use another (smaller) table indexed by values of the distinctive identifier of these streams to keep the previous absolute values of the field for calculating the deltas.

sindy gravatar imagesindy ( 2018-10-15 20:04:34 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-10-12 13:09:23 +0000

Seen: 1,727 times

Last updated: Oct 12 '18