Ask Your Question

Revision history [back]

Type for Dissecting n-bit Quantities

Hello. I am in the middle of writing dissector for a custom protocol encapsulating ethernet/ipv4. The protocol has two headers. The first header is 5 bytes in length while the second header is 1 byte in length. However, those bytes are not evenly divided.

For example, let's call the first header Foo, to be consistent with the Developer's Guide. Foo has many fields of varying sizes - 1,2,6,8, and 10 bit fields.

From reading README.developer, I can guess that for the 1 bit fields I can use things like gboolean for 1 bit and guint8 for 8 bit fields. I've been given a template that uses an FT_ prefix instead of the g prefix - for example, it uses FT_Boolean and FT_UINT8 instead for the previous types.

I am trying to follow the example given in section 9.2 of the Wireshark Developer's Guide - specifically, I'm currently looking at the section containing the following code for dissecting specific fields:

 static hf_register_info hf[] = {
    { &hf_foo_pdu_type,
        { "FOO PDU Type", "foo.type",
        FT_UINT8, BASE_DEC,
        NULL, 0x0,
        NULL, HFILL }
    }
};

One example field in my custom protocol is a 2-bit sequence flag field. In my code, this looks like:

    /* defined earlier in the actual file, included here for reference */
    static const value_string foo_sequence_flags[] = {
        {... /*omitted for concision as at this point, I cannot handle segmented data*/},
        {3, "Unsegmented data" },
        {0, NULL }
    };

    /* also defined earlier, included for reference.*/
    static int hf_foo_seq_flags = -1

    /*inside the proto_register_foo function*/
        static hf_register_info hf[] = {
            { &hf_foo_seq_flags,
                { "Sequence Flags",         "foo.seq_flags",
                <unknown type here>, BASE_DEC,
                VALS(foo_sequence_flags), 0x0,
                NULL, HFILL }
            }
        };

I have three questions.

1: What is the correct type to use here for dissecting this quantity? It's a two bit field, so boolean is too small and guint8 and/or FT_UINT8 are too large. I don't know what type to use there, which is where the label for this particular question comes from.

2: What is the difference between FT_ and g versions of a type, if any? For example, what is the difference between "gboolean" and "FT_BOOLEAN" as a type? I don't see FT mentioned at all in README.developer.

3: What are the last fields in this particular code structure actually used for? I will talk through each field to show what I mean by this question. From the developer's guide/my understanding so far:

&hf_tc_version in this case is the node's index. Earlier in the file, when defining the fields for Foo, I included a line that is as follows: static int hf_foo_version_number = -1 so, following the example, I referred back to the definition with my code.

"Version" is the item's label, while "tc.version" is the short name that will be displayed in filter options. I'm skipping the type since that's what Questions 1 and 2 are about.

BASE_DEC is how this value should be printed in Wireshark.

The next four options are VALS(), ???, NULL, and HFILL. VALS() is allowing me to pass in the array that has a mapping from values read to semantic meanings for wireshark to display. ??? seems to be...a mask? a size? a predefined value? It seems to be different things in different places in the code, so I'm lost there. I have no idea what NULL is for. I also have no idea what HFILL is for.

Type for Dissecting n-bit Quantities

Hello. I am in the middle of writing dissector for a custom protocol encapsulating ethernet/ipv4. The protocol has two headers. The first header is 5 bytes in length while the second header is 1 byte in length. However, those bytes are not evenly divided.

For example, let's call the first header Foo, to be consistent with the Developer's Guide. Foo has many fields of varying sizes - 1,2,6,8, and 10 bit fields.

From reading README.developer, I can guess that for the 1 bit fields I can use things like gboolean for 1 bit and guint8 for 8 bit fields. I've been given a template that uses an FT_ prefix instead of the g prefix - for example, it uses FT_Boolean and FT_UINT8 instead for the previous types.

I am trying to follow the example given in section 9.2 of the Wireshark Developer's Guide - specifically, I'm currently looking at the section containing the following code for dissecting specific fields:

 static hf_register_info hf[] = {
    { &hf_foo_pdu_type,
        { "FOO PDU Type", "foo.type",
        FT_UINT8, BASE_DEC,
        NULL, 0x0,
        NULL, HFILL }
    }
};

One example field in my custom protocol is a 2-bit sequence flag field. In my code, this looks like:

    /* defined earlier in the actual file, included here for reference */
    static const value_string foo_sequence_flags[] = {
        {... /*omitted for concision as at this point, I cannot handle segmented data*/},
        {3, "Unsegmented data" },
        {0, NULL }
    };

    /* also defined earlier, included for reference.*/
    static int hf_foo_seq_flags = -1

    /*inside the proto_register_foo function*/
        static hf_register_info hf[] = {
            { &hf_foo_seq_flags,
                { "Sequence Flags",         "foo.seq_flags",
                <unknown type here>, BASE_DEC,
                VALS(foo_sequence_flags), 0x0,
                NULL, HFILL }
            }
        };

I have three questions.

1: What is the correct type to use here for dissecting this quantity? It's a two bit field, so boolean is too small and guint8 and/or FT_UINT8 are too large. I don't know what type to use there, which is where the label for this particular question comes from.

2: What is the difference between FT_ and g versions of a type, if any? For example, what is the difference between "gboolean" and "FT_BOOLEAN" as a type? I don't see FT mentioned at all in README.developer.

3: What are the last fields in this particular code structure actually used for? I will talk through each field to show what I mean by this question. From the developer's guide/my understanding so far:

&hf_tc_version in this case is the node's index. Earlier in the file, when defining the fields for Foo, I included a line that is as follows: static int hf_foo_version_number = -1 so, following the example, I referred back to the definition with my code.

"Version" "Sequence Flags" is the item's label, while "tc.version" "foo.seq_flags" is the short name that will be displayed in filter options. I'm skipping the type since that's what Questions 1 and 2 are about.

BASE_DEC is how this value should be printed in Wireshark.

The next four options are VALS(), ???, NULL, and HFILL. VALS() is allowing me to pass in the array that has a mapping from values read to semantic meanings for wireshark to display. ??? seems to be...a mask? a size? a predefined value? It seems to be different things in different places in the code, so I'm lost there. I have no idea what NULL is for. I also have no idea what HFILL is for. for.

Type for Dissecting n-bit Quantities

Hello. I am in the middle of writing dissector for a custom protocol encapsulating ethernet/ipv4. The protocol has two headers. The first header is 5 bytes in length while the second header is 1 byte in length. However, those bytes are not evenly divided.

For example, let's call the first header Foo, to be consistent with the Developer's Guide. Foo has many fields of varying sizes - 1,2,6,8, and 10 bit fields.

From reading README.developer, I can guess that for the 1 bit fields I can use things like gboolean for 1 bit and guint8 for 8 bit fields. I've been given a template that uses an FT_ prefix instead of the g prefix - for example, it uses FT_Boolean and FT_UINT8 instead for the previous types.

I am trying to follow the example given in section 9.2 of the Wireshark Developer's Guide - specifically, I'm currently looking at the section containing the following code for dissecting specific fields:

 static hf_register_info hf[] = {
    { &hf_foo_pdu_type,
        { "FOO PDU Type", "foo.type",
        FT_UINT8, BASE_DEC,
        NULL, 0x0,
        NULL, HFILL }
    }
};

One example field in my custom protocol is a 2-bit sequence flag field. In my code, this looks like:

    /* defined earlier in the actual file, included here for reference */
    static const value_string foo_sequence_flags[] = {
        {... /*omitted for concision as at this point, I cannot handle segmented data*/},
        {3, "Unsegmented data" },
        {0, NULL }
    };

    /* also defined earlier, included for reference.*/
    static int hf_foo_seq_flags = -1

    /*inside the proto_register_foo function*/
        static hf_register_info hf[] = {
            { &hf_foo_seq_flags,
                { "Sequence Flags",         "foo.seq_flags",
                <unknown type here>, BASE_DEC,
                VALS(foo_sequence_flags), 0x0,
0b11,
                NULL, HFILL }
            }
        };

I have three questions.

1: What is the correct type to use here for dissecting this quantity? It's a two bit field, so boolean is too small and guint8 and/or FT_UINT8 are too large. I don't know what type to use there, which is where the label for this particular question comes from.

2: What is the difference between FT_ and g versions of a type, if any? For example, what is the difference between "gboolean" and "FT_BOOLEAN" as a type? I don't see FT mentioned at all in README.developer.

3: What are the last fields in this particular code structure actually used for? I will talk through each field to show what I mean by this question. From the developer's guide/my understanding so far:

&hf_tc_version &hf_foo_seq_flags in this case is the node's index. Earlier in the file, when defining the fields for Foo, I included a line defined that is as follows: static int hf_foo_version_number hf_foo_seq_flags = -1 so, following the example, I referred back to the definition with my code.

"Sequence Flags" is the item's label, while "foo.seq_flags" is the short name that will be displayed in filter options. I'm skipping the type since that's what Questions 1 and 2 are about.

BASE_DEC is how this value should be printed in Wireshark.

The next four options are VALS(), ???, NULL, and HFILL. VALS() is allowing me to pass in the array that has a mapping from values read to semantic meanings for wireshark to display. ??? seems to be...a mask? a size? a predefined value? It seems to be different things in different places in the code, so I'm lost there. I have no idea what NULL is for. I also have no idea what HFILL is for.

Type for Dissecting n-bit Quantities

Hello. I am in the middle of writing dissector for a custom protocol encapsulating ethernet/ipv4. The protocol has two headers. The first header is 5 bytes in length while the second header is 1 byte in length. However, those bytes are not evenly divided.

For example, let's call the first header Foo, to be consistent with the Developer's Guide. Foo has many fields of varying sizes - 1,2,6,8, and 10 bit fields.

From reading README.developer, I can guess that for the 1 bit fields I can use things like gboolean for 1 bit and guint8 for 8 bit fields. I've been given a template that uses an FT_ prefix instead of the g prefix - for example, it uses FT_Boolean and FT_UINT8 instead for the previous types.

I am trying to follow the example given in section 9.2 of the Wireshark Developer's Guide - specifically, I'm currently looking at the section containing the following code for dissecting specific fields:

 static hf_register_info hf[] = {
    { &hf_foo_pdu_type,
        { "FOO PDU Type", "foo.type",
        FT_UINT8, BASE_DEC,
        NULL, 0x0,
        NULL, HFILL }
    }
};

One example field in my custom protocol is a 2-bit sequence flag field. In my code, this looks like:

    /* defined earlier in the actual file, included here for reference */
    static const value_string foo_sequence_flags[] = {
        {... /*omitted for concision as at this point, I cannot handle segmented data*/},
        {3, "Unsegmented data" },
        {0, NULL }
    };

    /* also defined earlier, included for reference.*/
    static int hf_foo_seq_flags = -1

    /*inside the proto_register_foo function*/
        static hf_register_info hf[] = {
            { &hf_foo_seq_flags,
                { "Sequence Flags",         "foo.seq_flags",
                <unknown type here>, BASE_DEC,
                VALS(foo_sequence_flags), 0b11,
                NULL, HFILL }
            }
        };

I have three questions.

1: What is the correct type to use here for dissecting this quantity? It's a two bit field, so boolean is too small and guint8 and/or FT_UINT8 are too large. I don't know what type to use there, which is where the label for this particular question comes from.

2: What is the difference between FT_ and g versions of a type, if any? For example, what is the difference between "gboolean" and "FT_BOOLEAN" as a type? I don't see FT mentioned at all in README.developer.

3: What are the last three fields in this particular code structure actually used for? I will talk through each field to show what I mean by this question. From the developer's guide/my understanding so far:

&hf_foo_seq_flags in this case is the node's index. Earlier in the file, when defining the fields for Foo, I defined that as static int hf_foo_seq_flags = -1 so, following the example, I referred back to the definition with my code.

"Sequence Flags" is the item's label, while "foo.seq_flags" is the short name that will be displayed in filter options. I'm skipping the type since that's what Questions 1 and 2 are about.

BASE_DEC is how this value should be printed in Wireshark.

The next four options are VALS(), ???, NULL, and HFILL. VALS() is allowing me to pass in the array that has a mapping from values read to semantic meanings for wireshark to display. ??? seems to be...a mask? a size? a predefined value? It seems to be different things in different places in the code, so I'm lost there. I have no idea what NULL is for. I also have no idea what HFILL is for.

Type for Dissecting n-bit Quantities

EDIT: Is it possible to just parse a large portion of a header to fit into a standard size, and then just mask from there? For example, for a 40 bit header, I could break that into two 'segments', one of 32 bit size, one of 8 bit size. If I then use a pointer to the same reference point, can I then use different masks to parse out different pieces of that 32 bit size to recover the original field?

To be more concrete, let me walk through an example of what I mean.

Assume I have a 40 bit header, foo, with the following fields:

bit<2> version
bit<1> bypass
bit<1> command_flag
.... (skipping until the end of 32 bits for concision)
bit<8> sequuence_number

Assume that the fields have been defined in similar order in the dissector:

  static int hf_foo_version = -1;
  static int hf_foo_bypass = -1;
  static int hf_foo_cmd_flag = -1;
  ...
  static int foo_sequence_number = -1;

Can I do something like the following?

/*inside the proto_register_foo function*/
            static hf_register_info hf[] = {
                { &hf_foo_version,
                    { "Version",         "foo.version",
                    FT_UINT32, BASE_DEC,
                    NULL, 0x03,
                    NULL, HFILL }
                }
            };
            static hf_register_info hf[] = {
                { &hf_foo_version,
                    { "Bypass",         "foo.bypass",
                    FT_UINT32, BASE_DEC,
                    NULL, 0x07,
                    NULL, HFILL }
                }
            };

and so on, to parse each field out of the 32 bit selection, offset from the same pointer?

Original question below for more background - if you can answer the rephrasing of the question in this edit, though, then I can potentially remove the original question and use this rephrasing.

================================================================================

Hello. I am in the middle of writing dissector for a custom protocol encapsulating ethernet/ipv4. The protocol has two headers. The first header is 5 bytes in length while the second header is 1 byte in length. However, those bytes are not evenly divided.

For example, let's call the first header Foo, to be consistent with the Developer's Guide. Foo has many fields of varying sizes - 1,2,6,8, and 10 bit fields.

From reading README.developer, I can guess that for the 1 bit fields I can use things like gboolean for 1 bit and guint8 for 8 bit fields. I've been given a template that uses an FT_ prefix instead of the g prefix - for example, it uses FT_Boolean and FT_UINT8 instead for the previous types.

I am trying to follow the example given in section 9.2 of the Wireshark Developer's Guide - specifically, I'm currently looking at the section containing the following code for dissecting specific fields:

 static hf_register_info hf[] = {
    { &hf_foo_pdu_type,
        { "FOO PDU Type", "foo.type",
        FT_UINT8, BASE_DEC,
        NULL, 0x0,
        NULL, HFILL }
    }
};

One example field in my custom protocol is a 2-bit sequence flag field. In my code, this looks like:

    /* defined earlier in the actual file, included here for reference */
    static const value_string foo_sequence_flags[] = {
        {... /*omitted for concision as at this point, I cannot handle segmented data*/},
        {3, "Unsegmented data" },
        {0, NULL }
    };

    /* also defined earlier, included for reference.*/
    static int hf_foo_seq_flags = -1

    /*inside the proto_register_foo function*/
        static hf_register_info hf[] = {
            { &hf_foo_seq_flags,
                { "Sequence Flags",         "foo.seq_flags",
                <unknown type here>, BASE_DEC,
                VALS(foo_sequence_flags), 0b11,
                NULL, HFILL }
            }
        };

I have three questions.

1: What is the correct type to use here for dissecting this quantity? It's a two bit field, so boolean is too small and guint8 and/or FT_UINT8 are too large. I don't know what type to use there, which is where the label for this particular question comes from.

2: What is the difference between FT_ and g versions of a type, if any? For example, what is the difference between "gboolean" and "FT_BOOLEAN" as a type? I don't see FT mentioned at all in README.developer.

3: What are the last three fields in this particular code structure actually used for? I will talk through each field to show what I mean by this question. From the developer's guide/my understanding so far:

&hf_foo_seq_flags in this case is the node's index. Earlier in the file, when defining the fields for Foo, I defined that as static int hf_foo_seq_flags = -1 so, following the example, I referred back to the definition with my code.

"Sequence Flags" is the item's label, while "foo.seq_flags" is the short name that will be displayed in filter options. I'm skipping the type since that's what Questions 1 and 2 are about.

BASE_DEC is how this value should be printed in Wireshark.

The next four options are VALS(), ???, NULL, and HFILL. VALS() is allowing me to pass in the array that has a mapping from values read to semantic meanings for wireshark to display. ??? seems to be...a mask? a size? a predefined value? It seems to be different things in different places in the code, so I'm lost there. I have no idea what NULL is for. I also have no idea what HFILL is for.