
Is it possible to put two different packages together within one line/tree on the main display?

Hello,

I wrote a dissector in the C language that works well. Now, I would like to use a post-dissector to regroup the lines that are displayed in the main Wireshark display, because there are multiple forwardings of the same packet.

I don't want to assemble a packet that was disassembled during transmission; I want to show several "equal" packets on the same line of the main display (I would like to build a tree on this line so you can see how many of the same packets were received) in order to reduce the visual pollution caused by dissecting the packets that are forwarded.

I read that post-dissectors are mainly used to record conversations, but they do not manipulate the lines of conversation they work on.

Is it possible to implement this idea of regrouping lines in the main display after passing through the dissector?

Thanks in advance,

Anderson

SANTOS
asked 2021-07-26 10:16:11 +0000

Comments

Your question isn't very clear to me; are you referring to the packet list or packet details panes?

grahamb (2021-07-26 10:31:56 +0000)

I am referring to the main display, where each line that is displayed represents a received packet, where we can read the information from each column (number, time, information, etc.). I would like to join one or more lines into a single line so that this line opens a tree and shows the lines contained in it.

SANTOS (2021-07-26 11:21:12 +0000)

1 Answer


Unfortunately no, the current Wireshark implementation is limited to displaying a single packet (from the underlying capture file) per packet list display line.

The data in the columns can be modified by dissectors as a result of multiple packets; the classic case is TCP reassembly, but the packets that make up the fragments are still displayed.

grahamb
answered 2021-07-26 11:32:05 +0000