How to add a custom field in Wireshark which is delta of a field in frames

asked 2018-10-12

How to add a custom field in Wireshark which is the delta of a field across frames, i.e. for frame 2, value of custom field = frame 2 fieldX value - frame 1 fieldX value?

Regards, S.Senthil

answered 2018-10-12

Jasper

Unfortunately this isn't possible, unless the calculation between the two frame values is hard coded in the dissector (examples are DNS/HTTP response times). Custom fields are based on display filters, and display filters can only ever look at a single packet at the same time.

Thanks for the reply. Is there any possibility to have it in the dissector? Is that easy to do, and if so, can you share any sample so that I can use it and build on it for my requirement? Using Lua programming, or something in Wireshark where I edit the dissector itself. It is for protocol SV, and the field for which I would like to find the delta is smpCnt.

Regards, S.Senthil

Senthil ( 2018-10-12 13:26:24 +0000 )

Have a look at MATE, now also described in Chapter 12 of the Wireshark User Guide; you might be able to use it to accomplish your goal.

cmaynard ( 2018-10-12 17:18:31 +0000 )

Hello. Using MATE, we cannot find the difference in smpCnt, which is usually incremented by 1 for every frame. We can extract the Pdu from smpCnt from the frame, but you don't have a start or stop of the Gop and you don't have any subtraction operator for smpCnt.

Senthil ( 2018-10-13 11:34:37 +0000 )

If MATE doesn't provide what you need (or doesn't provide everything that you need), you may need to write a Lua post-dissector instead, or you may even require a combination of both MATE and a Lua post-dissector to achieve your goal. I think it should be possible though.

cmaynard ( 2018-10-14 15:59:02 +0000 )

MATE is out of the question here.

In Lua, you have to build a "table" (array) of the delta values, indexed by frame number, and use that table to store your deltas. Each dissector is called many times as you work in Wireshark, but there is a first pass during which all the packets are dissected in sequence, and during this pass you can calculate the deltas by storing the absolute value of the field and using the stored value from the previous packet when dissecting the next one. Of course, if several unrelated streams of the same protocol can appear in the capture, you have to use another (smaller) table indexed by values of the distinctive identifier of these streams to keep the previous absolute values of the field for calculating the deltas.

sindy ( 2018-10-15 20:04:34 +0000 )
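The approach sindy describes above, written out as a Lua post-dissector. This is an added example, not code posted in the thread and not part of Wireshark itself. It assumes the built-in SV dissector exposes the fields `sv.svID` (the stream identifier) and `sv.smpCnt` (the sample counter); `Field.new()` raises an error at load time if a name is not registered in your Wireshark build, so adjust the names if yours differ. When a frame carries several ASDUs, only the first one's smpCnt is used.

```lua
-- Added example (not from the thread, not Wireshark's own code).
-- Post-dissector that stores the smpCnt delta between consecutive SV frames
-- of the same stream, keyed by frame number, so the value is available on
-- every later re-dissection (clicking a packet, applying a filter, columns).
-- Assumed field names: "sv.svID" and "sv.smpCnt".

local sv_delta = Proto("sv_delta", "SV smpCnt delta (Lua post-dissector)")

local f_delta = ProtoField.int32("sv_delta.smpcnt_delta",
    "smpCnt delta from previous frame of this stream", base.DEC)
local f_prev  = ProtoField.uint32("sv_delta.prev_frame",
    "Previous frame of this stream", base.DEC)
sv_delta.fields = { f_delta, f_prev }

-- Flag any frame whose counter did not advance by exactly 1.
local ef_gap = ProtoExpert.new("sv_delta.gap", "smpCnt did not increment by 1",
    expert.group.SEQUENCE, expert.severity.WARN)
sv_delta.experts = { ef_gap }

-- smpCnt wraps back to 0 once per second (after 4000 or 4800 samples in the
-- common configurations). Set the wrap value here so a wrap is reported as a
-- normal +1 step; 0 leaves the raw (negative) delta. Default is an assumption.
sv_delta.prefs.modulus = Pref.uint("smpCnt wrap value (0 = no correction)", 0,
    "smpCnt counts 0..N-1 and then wraps; set N here")

-- Extractors read values the SV dissector has already put in the tree.
local svid_f   = Field.new("sv.svID")
local smpcnt_f = Field.new("sv.smpCnt")

-- Per-stream state used only during the first sequential pass.
local last   = {}   -- svID -> { cnt = smpCnt, frame = frame number }
-- Results keyed by frame number, reused on every later pass.
local deltas = {}   -- frame number -> { delta = number, prev = frame number }

function sv_delta.init()
    -- Called when a capture file is (re)loaded: forget the previous file's state.
    last   = {}
    deltas = {}
end

function sv_delta.dissector(buf, pinfo, tree)
    local svid_fi = svid_f()
    local cnt_fi  = smpcnt_f()
    if svid_fi == nil or cnt_fi == nil then return end   -- not an SV frame

    local frame = pinfo.number

    if not pinfo.visited then
        -- First pass: frames are dissected in capture order, so last[key]
        -- really is the previous frame of this stream.
        local key  = svid_fi.value
        local cnt  = cnt_fi.value
        local prev = last[key]
        if prev ~= nil then
            local d = cnt - prev.cnt
            local m = sv_delta.prefs.modulus
            if m > 0 and d < 0 then d = d + m end     -- counter wrapped
            deltas[frame] = { delta = d, prev = prev.frame }
        end
        last[key] = { cnt = cnt, frame = frame }
    end

    -- Every pass, including re-dissection, reads the stored result.
    local r = deltas[frame]
    if r == nil then return end   -- first frame of its stream

    local st = tree:add(sv_delta, buf())
    st:add(f_delta, r.delta):set_generated()
    st:add(f_prev,  r.prev):set_generated()
    if r.delta ~= 1 then
        st:add_proto_expert_info(ef_gap)
    end
end

register_postdissector(sv_delta)
```

Drop the script into your personal Lua plugins directory (or load it with `-X lua_script:sv_delta.lua`), then add a custom column on `sv_delta.smpcnt_delta`; the filter `sv_delta.smpcnt_delta != 1` lists every frame where the counter skipped or repeated. Because the state lives in Lua tables rather than in the tree, the second and later passes never recompute anything, which is what keeps the column stable while you click around. If your frames carry more than one ASDU, call `{ smpcnt_f() }` to get all occurrences and decide which one represents the frame.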

