
Wireshark dissector for protocol buffer

asked 2019-03-21 15:25:41 +0000

ADSI

updated 2019-03-21 19:14:02 +0000

Guy Harris

I am currently using Wireshark to view the traffic of a message with multiple fields (double & enum) that were defined with protocol buffer. To be able to view the value of the different fields of the message I have used the open source dissector that I found on this page:

The problem is that the value of the fields (after being decoded by the above dissector) is in Hexadecimal form. I am interested in being able to view it in decimal form.

The message code is very simple since it is just a trial. Here is the code if it is of any help!

syntax = "proto2";

// Message AData
message AData {
    required double x = 1;
    required double y = 2;  // field number missing in the original post; 2 assumed from the sequence
    required double z = 3;
    required eAType AType = 4;
    required double a = 5;
    required double b = 6;
    required double c = 7;
    required double d = 8;
    required double e = 9;
    required double f = 10;
}

syntax = "proto2";

enum eAType {
    PA  = 0;
    BA  = 1;
    AG  = 2;
    WG  = 3;
}



0] Please provide the packet capture in question. It will make it easier to help you. Screenshots also help if we're talking about Wireshark.

1] Depending on where you want to convert from hex to dec, you could take wireshark out of the picture. For example, let's say that you do something like tshark -r <file> -T fields -e "" and save the input as part of a script. For example, python can convert a string 16 > 10 like so: int("100",16) => 256.

2] If the dissector is parsing as hex and you want it converted to decimal, you should post a feature request as an issue to the repo (

Ross Jacobs ( 2019-03-21 22:10:35 +0000 )

Hello pocc,

Wireshark is only used to view the traffic of the message and the value of its fields. In the future when more messages are added I would like to use Wireshark to view the traffic of all of them through a network.

I have updated the question to add a screenshot of the different fields of the message and the value it displays. As you can see in the screenshot the "Value" shown under "Fixed64 Value" is in hexadecimal form; and that is where I would like to view it in decimal form.

Thank you!!

ADSI ( 2019-03-22 09:21:59 +0000 )

Unfortunately I am not able to upload an image since I don't have 60 points yet :(

ADSI ( 2019-03-22 09:37:20 +0000 )

0] Is there a packet capture? If you are piping to wireshark, can you save part of the stream as a pcap? I see the "message code" and what would help me much more is a file that ends in .pcap. I want to be able to replicate this problem in Wireshark to understand it and right now, I can't do that.

You don't need to upload an image/pcap. Just provide a link to a File on Dropbox/Google drive etc with sharing settings such that anyone who has the link can view the file.

1/2] You haven't addressed these points.

Ross Jacobs ( 2019-03-22 13:33:02 +0000 )


Unfortunately I am not able to provide you with a packet capture for security reasons. I am sorry.

Regarding point 1, I am not sure I completely understand your point. But I am interested in continuing to use Wireshark to view the traffic of messages and their different fields with the values obtained.

Regarding point 2, I have already done that but I have gotten no answer yet!

I am sorry I cannot be of any more help. I would be glad to explain my situation again if there is any part of it that was not made completely clear.

Thank you!

ADSI ( 2019-03-25 15:39:56 +0000 )
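The "Fixed64 Value" in hex discussed above is the raw 8-byte IEEE 754 encoding that protobuf uses for a `double`, so turning it into a decimal number means reinterpreting those bytes, not converting an integer from base 16 to base 10. The following is an added example, not code from this thread or from the dissector project: it decodes the wire format of the AData message outside Wireshark. It assumes field 2 is `y` (its number is missing in the post) and that the dissector shows the fixed64 as a hex integer; the sample bytes are constructed.

```python
import struct

# Field names and types taken from the AData / eAType definitions in the question.
# Assumption: field 2 is y (its number is missing in the post).
DOUBLE_FIELDS = {1: "x", 2: "y", 3: "z", 5: "a", 6: "b", 7: "c", 8: "d", 9: "e", 10: "f"}
ENUM_FIELDS = {4: ("AType", {0: "PA", 1: "BA", 2: "AG", 3: "WG"})}

def read_varint(buf, pos):
    """Decode a base-128 varint starting at pos; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def decode_adata(buf):
    """Decode serialized AData bytes into {field_name: decimal value or enum name}."""
    out, pos = {}, 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field, wire_type = key >> 3, key & 7
        if wire_type == 1:  # fixed64: 8 bytes, little-endian
            if pos + 8 > len(buf):
                raise ValueError("truncated fixed64")
            raw = buf[pos:pos + 8]
            pos += 8
            if field in DOUBLE_FIELDS:
                out[DOUBLE_FIELDS[field]] = struct.unpack("<d", raw)[0]
        elif wire_type == 0:  # varint, used here for the enum
            value, pos = read_varint(buf, pos)
            if field in ENUM_FIELDS:
                name, names = ENUM_FIELDS[field]
                out[name] = names.get(value, value)
        else:
            raise ValueError(f"unexpected wire type {wire_type} for field {field}")
    return out

def fixed64_hex_to_double(hex_value):
    """Reinterpret a fixed64 shown as a hex integer (assumed display form) as a double."""
    return struct.unpack("<d", int(hex_value, 16).to_bytes(8, "little"))[0]

# Constructed sample (not captured traffic): x=1.5, y=-2.0, AType=AG
SAMPLE = bytes.fromhex("09000000000000f83f" "1100000000000000c0" "2002")
```

The input bytes can come from any export of the message payload; `fixed64_hex_to_double` covers the case where only the hex value displayed per field is available.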

1 Answer


answered 2020-03-14 11:54:26 +0000

Skison

New features about Protobuf and gRPC dissectors have been added into Wireshark since version 3.2.0:

  • Protobuf files (*.proto) can now be configured to enable more precise parsing of serialized Protobuf data (such as gRPC).
  • The messages of a streaming gRPC method can now be parsed, with support for the HTTP2 streaming mode reassembly feature.
  • Users can specify Protobuf search paths (where the *.proto files are located) and the mapping of UDP ports to Protobuf message types in the Protobuf protocol preferences.
  • If your own dissectors need to invoke the Protobuf dissector, you can pass the message type to the Protobuf dissector via the data parameter (in C) or pinfo->private_table["pb_msg_type"] (pinfo.private["pb_msg_type"] in Lua).

Another two new features will be released in 3.3.0 or 3.4.0:

  • Protobuf fields can be dissected as Wireshark (header) fields, which allows users to enter the full names of Protobuf fields or messages in the Filter toolbar for searching.
  • A dissector based on Protobuf can register itself in a new 'protobuf_field' dissector table, which is keyed by the full names of fields, for further parsing of fields of BYTES or STRING type.

