Hello. I am in the middle of writing dissector for a custom protocol encapsulating ethernet/ipv4. The protocol has two headers. The first header is 5 bytes in length while the second header is 1 byte in length. However, those bytes are not evenly divided.
For example, let's call the first header Foo, to be consistent with the Developer's Guide. Foo has many fields of varying sizes - 1,2,6,8, and 10 bit fields.
From reading README.developer, I can guess that for the 1 bit fields I can use things like gboolean for 1 bit and guint8 for 8 bit fields. I've been given a template that uses an FT_ prefix instead of the g prefix - for example, it uses FT_Boolean and FT_UINT8 instead for the previous types.
I am trying to follow the example given in section 9.2 of the Wireshark Developer's Guide - specifically, I'm currently looking at the section containing the following code for dissecting specific fields:
static hf_register_info hf[] = {
{ &hf_foo_pdu_type,
{ "FOO PDU Type", "foo.type",
FT_UINT8, BASE_DEC,
NULL, 0x0,
NULL, HFILL }
}
};
One example field in my custom protocol is a 2-bit sequence flag field. In my code, this looks like:
/* defined earlier in the actual file, included here for reference */
static const value_string foo_sequence_flags[] = {
{... /*omitted for concision as at this point, I cannot handle segmented data*/},
{3, "Unsegmented data" },
{0, NULL }
};
/* also defined earlier, included for reference.*/
static int hf_foo_seq_flags = -1
/*inside the proto_register_foo function*/
static hf_register_info hf[] = {
{ &hf_foo_seq_flags,
{ "Sequence Flags", "foo.seq_flags",
<unknown type here>, BASE_DEC,
VALS(foo_sequence_flags), 0x0,
NULL, HFILL }
}
};
I have three questions.
1: What is the correct type to use here for dissecting this quantity? It's a two bit field, so boolean is too small and guint8 and/or FT_UINT8 are too large. I don't know what type to use there, which is where the label for this particular question comes from.
2: What is the difference between FT_ and g versions of a type, if any? For example, what is the difference between "gboolean" and "FT_BOOLEAN" as a type? I don't see FT mentioned at all in README.developer.
3: What are the last fields in this particular code structure actually used for? I will talk through each field to show what I mean by this question. From the developer's guide/my understanding so far:
&hf_tc_version in this case is the node's index. Earlier in the file, when defining the fields for Foo, I included a line that is as follows: static int hf_foo_version_number = -1
so, following the example, I referred back to the definition with my code.
"Version" is the item's label, while "tc.version" is the short name that will be displayed in filter options. I'm skipping the type since that's what Questions 1 and 2 are about.
BASE_DEC is how this value should be printed in Wireshark.
The next four options are VALS(), ???, NULL, and HFILL. VALS() is allowing me to pass in the array that has a mapping from values read to semantic meanings for wireshark to display. ??? seems to be...a mask? a size? a predefined value? It seems to be different things in different places in the code, so I'm lost there. I have no idea what NULL is for. I also have no idea what HFILL is for.