
Can Wireshark display custom options from an Enhanced Packet Block?


Hi,

I have a use case where custom options will be added to each EPB in a pcapng file.

Wireshark version 4.0.1 will display a comment option added to the block, i.e. code = 1, but nothing is displayed when I use any of the custom option codes 2988/2989/19372/19373.

I am new to dissectors but could not find any way to add logic (via dissector or other) to allow the custom options to be parsed and displayed.

Maybe I have missed something obvious here.

Does Wireshark support displaying custom options in an EPB out of the box?

If not, is there a plugin I can write to allow my custom option to be displayed, and more importantly, part of a filter, like the comment option can be.

Thanks in advance.

Dave.

daved
asked 2022-11-08 20:12:53 +0000

1 Answer


Support for custom options is pretty recent (3431: pcapng: add support for custom options) and not very robust.

Seems you have a pretty clear idea of what your use would be so it's worth opening an enhancement request on the Wireshark Gitlab issues page.

Notes: There are sample captures here - pcapng-test-generator - that include custom blocks and custom options. The custom blocks are integrated into the Wireshark Packet List.
Note: the custom options are not formatted properly (don't include PEN).

pcapng-test-generator/output_be/difficult/test202.pcapng has custom blocks: [image]

pcapng-test-generator/output_be/basic/test009.pcapng has an EPB with custom options.
View->Reload as File Format/Capture:

Block: Enhanced Packet Block 1
    Block Type: Enhanced Packet Block (0x00000006)
    Block Length: 500
    Block Data
        Interface: 0
        Timestamp (High): 312215
        Timestamp (Low): 1690978218
        [Timestamp: Jun 29, 2012 02:28:25.298858000 Central Daylight Time]
        Captured Length: 314
        Packet Length: 314
        Packet Data
        Packet Padding
        Options
            Option: Comment = test009-1
            Option: Flags
            Option: Drop Count = 0
            Option: Unknown
                Code: Unknown (2988)
                Length: 13
                Option Data
                Option Padding
            Option: Unknown
                Code: Unknown (2989)
                Length: 15
                Option Data
                Option Padding
            Option: Unknown
                Code: Unknown (19372)
                Length: 14
                Option Data
                Option Padding
            Option: Unknown
                Code: Unknown (19373)
                Length: 13
                Option Data
                Option Padding
            Option: Unknown
                Code: Unknown (291)
                Length: 12
                Option Data
            Option: Unknown
                Code: Unknown (33059)
                Length: 12
                Option Data
            Option: End of Options
    Block Length (trailer): 500

Debug logging to see custom options in capture file:

Downloads$ tshark -r ./test009.pcapng --log-level "debug" 2>&1 | grep -i "custom option"
 ** (tshark:8452) 20:59:55.722790 [Wiretap DEBUG] C:\gitlab-builds\builds\MsQ3pox2\1\wireshark\wireshark\wiretap\pcapng.c:839 -- pcapng_process_custom_option(): Custom option type 0x0bac with unknown pen 1629513313 with custom data of length 9
 ** (tshark:8452) 20:59:55.722856 [Wiretap DEBUG] C:\gitlab-builds\builds\MsQ3pox2\1\wireshark\wireshark\wiretap\pcapng.c:839 -- pcapng_process_custom_option(): Custom option type 0x0bad with unknown pen 1936682341 with custom data of length 11
 ** (tshark:8452) 20:59:55.722919 [Wiretap DEBUG] C:\gitlab-builds\builds\MsQ3pox2\1\wireshark\wireshark\wiretap\pcapng.c:839 -- pcapng_process_custom_option(): Custom option type 0x4bac with unknown pen 1836654694 with custom data of length 10
 ** (tshark:8452) 20:59:55.722982 [Wiretap DEBUG] C:\gitlab-builds\builds\MsQ3pox2\1\wireshark\wireshark\wiretap\pcapng.c:839 -- pcapng_process_custom_option(): Custom option type 0x4bad with unknown pen 1836654694 with custom data of length 9
 ** (tshark:8452) 20:59:55.724484 [Wiretap DEBUG] C:\gitlab-builds\builds\MsQ3pox2\1\wireshark\wireshark\wiretap\pcapng.c:839 -- pcapng_process_custom_option(): Custom option type 0x0bac with unknown pen 1629513313 with custom data of length 9
 ** (tshark:8452) 20:59:55.724544 [Wiretap DEBUG] C:\gitlab-builds\builds\MsQ3pox2\1\wireshark\wireshark\wiretap\pcapng.c:839 -- pcapng_process_custom_option(): Custom option type 0x0bad with unknown pen 1936682341 with custom data of length 11
 ** (tshark:8452) 20:59:55.724607 [Wiretap DEBUG] C:\gitlab-builds\builds\MsQ3pox2\1\wireshark\wireshark\wiretap\pcapng.c:839 -- pcapng_process_custom_option(): Custom option type 0x4bac with unknown pen 1836654694 with custom data of length 10
 ** (tshark:8452) 20:59:55.724666 [Wiretap DEBUG] C:\gitlab-builds\builds ...
Chuckc
answered 2022-11-09 02:57:26 +0000, updated 2022-11-09 03:29:47 +0000
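
An added example (not part of the original answer and not Wireshark's code): a small Python walker for an EPB option list that splits the four custom option codes into PEN and payload, and flags a "PEN" made of printable ASCII, which is what the answer's note about options that don't include a PEN looks like on the wire. The function names, the sample bytes and the use of PEN 32473 (the IANA documentation example number) are assumptions constructed for illustration.

```python
import struct

# pcapng custom option codes (the four in the question): payload kind, copyable
CUSTOM = {2988: ("utf8", True), 2989: ("binary", True),
          19372: ("utf8", False), 19373: ("binary", False)}

def parse_options(buf, endian=">"):
    """Walk a pcapng option list and return one dict per option."""
    out, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from(endian + "HH", buf, off)
        off += 4
        if code == 0:                        # opt_endofopt
            break
        if off + length > len(buf):          # untrusted length field
            raise ValueError(f"option {code} overruns the block")
        value = buf[off:off + length]
        off += (length + 3) & ~3             # values are padded to 32 bits
        opt = {"code": code, "length": length}
        if code in CUSTOM:
            if length < 4:
                raise ValueError(f"custom option {code} has no room for a PEN")
            kind, copyable = CUSTOM[code]
            data = value[4:]
            opt.update(
                kind=kind, copyable=copyable,
                pen=struct.unpack_from(endian + "I", value)[0],
                data=data.decode("utf-8", "replace") if kind == "utf8" else data,
                # Heuristic (assumption): four printable ASCII bytes where the PEN
                # should be means the writer started the payload there instead.
                pen_looks_like_text=all(0x20 <= b < 0x7F for b in value[:4]))
        else:
            opt["value"] = value
        out.append(opt)
    return out

def build_option(code, value, endian=">"):
    """Encode one option with padding; used only to construct the sample."""
    return struct.pack(endian + "HH", code, len(value)) + value + b"\x00" * (-len(value) % 4)

# Constructed sample, big-endian like the output_be captures. 32473 is the IANA
# documentation PEN; the third option omits the PEN so its first four bytes
# ("a fa") read as 1629513313, the value in the debug log above.
SAMPLE = (build_option(1, b"test009-1")
          + build_option(2988, struct.pack(">I", 32473) + b"hello")
          + build_option(2988, b"a fake string")
          + build_option(0, b""))

if __name__ == "__main__":
    for o in parse_options(SAMPLE):
        print(o)
```

The same check applied to the other PEN values in the log (1936682341, 1836654694) also yields printable ASCII, consistent with the note that the test generator's custom options lack a PEN.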

Comments

Support for custom options is pretty recent (3431: pcapng: add support for custom options) and not very robust

...and reeeeeeeeeeeeeallly needs support for 1) wiretap plugins and 2) libwireshark plugins, so precisely zero source changes to core Wireshark are needed.

Guy Harris (2022-11-09 07:03:47 +0000)

Thanks for the response Chuckc,

I have loaded the file and indeed I can see the options when I switch the view.

I'll create an enhancement request.

Thanks, Dave.

daved (2022-11-09 09:50:53 +0000)

Feature request created - https://gitlab.com/wireshark/wireshar...

daved (2022-11-10 14:39:31 +0000)