
Dissector Header Labels

Hello. I have written a dissector for a subset of a protocol called TC that has two subfields. Let's call this implementation "TC_Subset" and the two fields the Primary and Segment fields. I would like the Wireshark display for the dissection to look like the below, where > and V indicate collapsed and expanded trees, respectively:

> Frame 1
V TC_Subset
  > Primary Header
  > Segment Header

Unfortunately, it currently looks like this:

> Frame 1
V TC_Subset
  > TC_Subset
  > TC_Subset

I think I know why, but I don't know how to fix it. I'll start by showing the relevant areas of code and point out where I think the issue is. I believe it's from a combination of things in the dissect_ and register_ methods.

"dissect_tc" excerpt

static int
dissect_tc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
    //OFFSET IS IN OCTETS
    int          offset          = 0;
    proto_item  *tc_packet;
    proto_tree  *tc_tree      = NULL;
    proto_item  *primary_header  = NULL;
    proto_tree  *primary_header_tree;
    proto_item  *segment_header = NULL;
    proto_tree  *segment_header_tree;
    ...additional set up and definitions of things like length, etc...

    /* Set up the base tree */
    tc_packet = proto_tree_add_item(tree, proto_tc_subset, tvb, 0, length, ENC_BIG_ENDIAN);
    tc_tree   = proto_item_add_subtree(tc_packet, ett_tc);

    /* build primary header tree */
    primary_header = proto_tree_add_item(tc_tree, proto_tc_subset, tvb, offset, TC_PRIMARY_HEADER_LENGTH, ENC_NA);
    primary_header_tree = proto_item_add_subtree(primary_header, ett_tc_primary_header);
    ...program tree accordingly...

    /* build segment header tree */
    segment_header      = proto_tree_add_item(tc_tree, proto_tc_subset, tvb, offset, TC_SEGMENT_HEADER_LENGTH, ENC_NA);
    segment_header_tree = proto_item_add_subtree(segment_header, ett_tc_segment_header);
    ...rest of method, not related to the problem...

Next, let's look at a small section of register_tc.

"register_tc" excerpt

void
proto_register_tc(void)
{
    static hf_register_info hf[] = ...define all fields for both headers in this one array...

    /* Setup protocol subtree array */
    static gint *ett[] = {
        &ett_tc,
        &ett_tc_primary_header,
        &ett_tc_segment_header
    };

    ...

    /* Register the protocol name and description */
    proto_tc_subset = proto_register_protocol("TC_Subset", "TC_Subset", "tc_subset");

    /* Required function calls to register the header fields and subtrees used */
    proto_register_field_array(proto_tc_subset, hf, array_length(hf));
    proto_register_subtree_array(ett, array_length(ett));

Note that in the definition of the primary header and segment header variable, I'm passing in "proto_tc_subset" both times. That's where the label is coming from. I think I need to pass in something else there in order to get the label to be what I'd like to see instead of just repeating "TC_Subset", but I'm not sure how to define such a thing.

dmanderson, asked 2020-08-12 16:53:51 +0000

2 Answers


These calls, such as primary_header = proto_tree_add_item(tc_tree, proto_tc_subset, tvb, offset, TC_PRIMARY_HEADER_LENGTH, ENC_NA);, need to have proto_tc_subset replaced.

See the packet-PROTOABBREV.c file in the doc folder of the sources. There hf_PROTOABBREV_FIELDABBREV is used.

Jaap, answered 2020-08-12 17:38:41 +0000

Comments

Will look at this again, thanks. Will update once I've had some time to go over the file.

dmanderson (2020-08-12 19:27:45 +0000)

@Jaap

So based on that file I've tried several options, but nothing seems to be exactly what I'm looking for, though some come close.

Following the PROTOABBREV example, the fields that are given are FT_FIELDTYPE, FIELDDISPLAY, FIELDCONVERT, BITMASK, "FIELDDESCR", and HFILL.

Let FT_FIELDTYPE = X and FIELDDISPLAY = Y. I left FIELDCONVERT as NULL, BITMASK is 0x0, FIELDDESCR is NULL, and HFILL is still HFILL.

For various values of X and Y, I either get something very close to what I wanted, or a crash whenever I try to boot Wireshark. The closest so far has been:

X = FT_STRING,
Y = BASE_ASCII

This almost gets me the labels I want, but they come out as labels with values:

Primary Header: 0\b

Segment Header: <unknown character>

I thought that something like

X = FT_CHAR,
Y = BASE_NONE

might be it, but that causes Wireshark to fail to load due to throwing an exception ... (more)

dmanderson (2020-08-14 15:37:26 +0000)

Figured it out.

dmanderson (2020-08-17 21:02:00 +0000)

Figured it out by looking at PROTOABBREV.c again and trying several combinations.

You'll want to add a declaration to the static hf_register_info hf[] array that contains the following fields, with the fields containing "example" replaced.

{&example_handle_name,
   { "Example Header Name",   "protocol.example_header_name",
     FT_NONE, BASE_NONE, NULL, 0x0, "Example Name or Description", HFILL}
},

So for the requested example, it would look something like this:

{&hf_tc_ph_name,
   {"Primary Header", "tc.primary_name",
    FT_NONE, BASE_NONE, NULL, 0x0,
    "Primary Header", HFILL }
},

and similarly define one for segment header.

Then replace the proto_tc_subset with the name you set for these specific fields.

dmanderson, answered 2020-08-17 21:01:36 +0000, updated 2020-08-18 16:51:07 +0000

Comments

You should probably use FT_NONE for those fields; FT_PROTOCOL is only intended for protocols, such as TC_SUBSET.

Guy Harris (2020-08-18 00:58:35 +0000)

Thanks! Updated answer to reflect that.

dmanderson (2020-08-18 16:50:30 +0000)
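The fix from the accepted answer carried through to a complete, loadable dissector, written here as an added example in Wireshark's Lua API (it is not the asker's C code and is not taken from the original post). ProtoField.none is the Lua counterpart of an hf_register_info entry with FT_NONE, BASE_NONE: a tree node added with such a field is labelled with the field's display name, so the two headers show as "Primary Header" and "Segment Header" under "TC_Subset" instead of repeating the protocol name, and ProtoField.protocol is reserved for the protocol node itself, as Guy Harris's comment says of FT_PROTOCOL. The field abbreviations, the value fields placed under each header, the header lengths (4 and 1 octets) and the UDP port 9999 binding are constructed assumptions, not values from the post.

```lua
-- Added example (Lua), not the asker's C dissector: labelled header subtrees
-- built from ProtoField.none, the equivalent of FT_NONE/BASE_NONE in C.
--
-- Constructed assumptions: UDP port 9999, a 4-octet primary header and a
-- 1-octet segment header. Replace them with the real TC layout.

local tc_subset = Proto("tc_subset", "TC_Subset")

-- Container fields for the two headers. Their display names become the
-- subtree labels; nothing is decoded from them directly.
local f_primary_header = ProtoField.none("tc_subset.primary_header", "Primary Header")
local f_segment_header = ProtoField.none("tc_subset.segment_header", "Segment Header")

-- Ordinary value fields that live under each header (constructed layout).
local f_ph_version = ProtoField.uint8("tc_subset.primary.version", "Version", base.DEC, nil, 0xC0)
local f_ph_length  = ProtoField.uint16("tc_subset.primary.length", "Frame Length", base.DEC, nil, 0x03FF)
local f_sh_seq     = ProtoField.uint8("tc_subset.segment.sequence_flags", "Sequence Flags", base.HEX, nil, 0xC0)
local f_sh_map     = ProtoField.uint8("tc_subset.segment.map_id", "MAP ID", base.DEC, nil, 0x3F)

-- Every field, container or not, has to be registered on the protocol.
tc_subset.fields = { f_primary_header, f_segment_header,
                     f_ph_version, f_ph_length, f_sh_seq, f_sh_map }

local PRIMARY_HEADER_LENGTH = 4  -- constructed
local SEGMENT_HEADER_LENGTH = 1  -- constructed

function tc_subset.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = tc_subset.name

    -- Refuse truncated input instead of throwing past the end of the buffer.
    if tvb:len() < PRIMARY_HEADER_LENGTH + SEGMENT_HEADER_LENGTH then
        return 0
    end

    local offset = 0

    -- Top-level node is the protocol itself, so it is labelled "TC_Subset"
    -- (the C code's proto_tree_add_item(tree, proto_tc_subset, ...)).
    local tc_tree = tree:add(tc_subset, tvb(0))

    -- Child node added with the FT_NONE-style field: labelled "Primary Header".
    local ph_tree = tc_tree:add(f_primary_header, tvb(offset, PRIMARY_HEADER_LENGTH))
    ph_tree:add(f_ph_version, tvb(offset, 1))
    ph_tree:add(f_ph_length, tvb(offset + 2, 2))
    offset = offset + PRIMARY_HEADER_LENGTH

    -- Same pattern for the segment header: labelled "Segment Header".
    local sh_tree = tc_tree:add(f_segment_header, tvb(offset, SEGMENT_HEADER_LENGTH))
    sh_tree:add(f_sh_seq, tvb(offset, 1))
    sh_tree:add(f_sh_map, tvb(offset, 1))
    offset = offset + SEGMENT_HEADER_LENGTH

    return offset
end

-- Constructed binding so the dissector can be exercised on a capture.
DissectorTable.get("udp.port"):add(9999, tc_subset)
```

Drop the file into the personal Lua plugins folder (Help > About Wireshark > Folders) and restart; the tree then reads "TC_Subset" with "Primary Header" and "Segment Header" beneath it, and the container fields are also usable as display filters (tc_subset.primary_header). In the C dissector the same change is exactly what the answer describes: replace proto_tc_subset with the hf_ handle of the FT_NONE entry in the two proto_tree_add_item calls that create the header subtrees.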