
How to filter by item?

I developed a proprietary dissector and a packet contains several messages.

proto_body = proto_register_protocol("Body", "BODY", "body");

For each message, I add:

proto_item *ti_body = proto_tree_add_item(tree, proto_body, tvb, HEADER_SIZE, length-4, ENC_NA);
proto_tree *tree_body = proto_item_add_subtree(ti_body, ett_body);

Nevertheless, when I filter, it filters on what a packet contains.

If each message has name and family fields, doing body.name==alex and body.family==human will match all the packets containing these 2 conditions, but not necessarily in the same item.

Let's say it would accept a packet with 2 messages:

[0]
name=marcus
family=human  --> condition OK
[1]
name=alex
family=cat  --> condition OK

But I want it to filter only if the conditions are true in a single message.

[0]
name=alex  --> condition OK
family=cat  --> condition OK

Regards,

alexis
asked 2024-01-07 07:58:18 +0000, updated 2024-01-07 07:58:36 +0000

Comments

Thank you very much for your answers!

A frame can contain tens of "body" items; I'd be fine with a macro if I can make it more dynamic.

Or, is there a way to virtually duplicate/split a frame into several frames? I would split all the items into different frames and the filter would work. A bit like the way packet reassembly works for TCP, but the opposite. I have a different parser for that, but I'd like to keep one application, Wireshark if possible.

Thanks!

alexis (2024-01-08 12:29:47 +0000)

Are you open to adding some Lua code and a menu item for users to specify the search criteria?

> I developed a proprietary dissector ...

Oops - you could just do it in your dissector code. Add a field (could be hidden) to each body for a search string that combines name and family (e.g. "alex|human"). Not pretty, but probably quicker than experimenting with Chapter 12. MATE, which may or may not be a possible solution.

Chuckc (2024-01-09 00:26:14 +0000)

Thanks! This request is for a proprietary protocol, but I might also contribute to other protocols in Wireshark. Do you have a dissector name I can look at?

Adding a hidden field is also feasible for me! Good idea, thanks!

alexis (2024-01-10 01:54:10 +0000)

packet-imap.c:

static int hf_imap_isrequest;
...
  hidden_item = proto_tree_add_boolean(imap_tree, hf_imap_isrequest, tvb, 0, 0, is_request);
  proto_item_set_hidden(hidden_item);

The Ultimate PCAP has imap packets.

The total of the displayed packets for imap.isrequest==1 and for imap.isrequest==0 adds up to the number displayed for just imap.isrequest.

Examples of adding a string field:
packet-asterix-template.c:

proto_tree_add_string (parent, *field->part[i]->hf, tvb, offset_in_tvb, length_in_tvb, str_buffer);

packet-gsm_um.c:

proto_tree_add_string(gsm_um_tree, hf_gsm_um_direction, tvb, 0, 0, "Uplink");

file-file.c:

gchar* str = p_get_proto_name_and_key(wmem_file_scope(), pinfo, i);
proto_tree_add_string_format(fh_tree, hf_file_proto_name_and_key, tvb, 0, 0, str, "%s", str);

Chuckc (2024-01-10 02:54:10 +0000)
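The hidden combined-field workaround described in the comments above, written out as an added Lua dissector example (it is not the asker's dissector and not code from the thread). The "BODY" wire format, the field names and the UDP port are assumptions constructed for the example: one byte holds the message count, and each message is a length-prefixed name followed by a length-prefixed family. Each message gets its own subtree with body.name and body.family, plus a hidden body.name_family field holding "<name>|<family>", so a filter such as body.name_family == "alex|human" only matches frames in which a single message carries both values, which body.name == alex and body.family == human cannot express on its own.

```lua
-- Added example, not from the thread: Lua dissector for a hypothetical "BODY"
-- protocol in which one frame carries several messages.
-- Assumed wire format (constructed for this example):
--   uint8 message_count, then per message:
--   uint8 name_len, name bytes, uint8 family_len, family bytes

local body_proto = Proto("body", "Body")

local f_count       = ProtoField.uint8 ("body.count",       "Message count", base.DEC)
local f_message     = ProtoField.none  ("body.message",     "Message")
local f_name        = ProtoField.string("body.name",        "Name")
local f_family      = ProtoField.string("body.family",      "Family")
-- Hidden search field: name and family joined with "|", filterable but not shown.
local f_name_family = ProtoField.string("body.name_family", "Name|Family (hidden)")

body_proto.fields = { f_count, f_message, f_name, f_family, f_name_family }

-- Reads one length-prefixed string at offset; returns the string and the offset
-- just past it, or nil when the frame is truncated so we stop cleanly.
local function read_lp_string(tvb, offset)
    if offset + 1 > tvb:len() then return nil end
    local len = tvb(offset, 1):uint()
    if offset + 1 + len > tvb:len() then return nil end
    return tvb(offset + 1, len):string(), offset + 1 + len
end

function body_proto.dissector(tvb, pinfo, tree)
    if tvb:len() < 1 then return 0 end
    pinfo.cols.protocol = "BODY"

    local root  = tree:add(body_proto, tvb())
    local count = tvb(0, 1):uint()
    root:add(f_count, tvb(0, 1))

    local offset = 1
    for i = 0, count - 1 do
        local start = offset
        local name, family
        name, offset = read_lp_string(tvb, offset)
        if not name then break end
        family, offset = read_lp_string(tvb, offset)
        if not family then break end

        -- One subtree per message, as the question does with proto_item_add_subtree().
        local msg = root:add(f_message, tvb(start, offset - start))
        msg:append_text(string.format(" [%d]", i))
        msg:add(f_name,   tvb(start + 1, #name))
        msg:add(f_family, tvb(start + 2 + #name, #family))

        -- The combined field covers the whole message's bytes and is hidden from
        -- the tree, but the display-filter engine still sees it per message.
        local combined = msg:add(f_name_family, tvb(start, offset - start),
                                 name .. "|" .. family)
        combined:set_hidden()
    end
    return offset
end

-- Registration on a placeholder UDP port (assumption for this example).
DissectorTable.get("udp.port"):add(40000, body_proto)
```

Two practical points: the separator must be a byte that cannot occur in either value, otherwise "al|ex" + "human" and "al" + "ex|human" collapse to the same search string and the filter matches more than intended; if the values are free-form, length-prefix them inside the combined string instead. Also, a hidden field is invisible in the tree but still appears in tshark -T fields output and in filter autocomplete, so keep its name obviously marked as a search helper.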

Perfect! Thank you so much! That speeds up my implementation!

alexis (2024-01-12 06:46:58 +0000)

2 Answers


I'm not sure if this will work for the way your protocol adds the multiple messages to the tree, but if it does, the layer operator might come in handy. Of course that will only work if you have a limited amount of messages per packet. You could try the following:

(body.name[1]==alex and body.family[1]==human) or (body.name[2]==alex and body.family[2]==human) or (body.name[3]==alex and body.family[3]==human) or (body.name[4]==alex and body.family[4]==human)

You might want to make a display filter macro for it like

  • macro name: NameFamily
  • macro expression: (body.name[1]==$1 and body.family[1]==$2) or (body.name[2]==$1 and body.family[2]==$2) or (body.name[3]==$1 and body.family[3]==$2) or (body.name[4]==$1 and body.family[4]==$2)

So you can then use the display filter ${NameFamily:alex;human}

SYN-bit
answered 2024-01-08 09:33:31 +0000
cmaynard
updated 2024-01-08 14:21:08 +0000

Comments

Thank you very much for your answer!

A frame can contain tens of "body" items; I'd be fine with a macro if I can make it more dynamic.

alexis (2024-01-10 01:51:20 +0000)

> But I want it to filter only if the conditions are true in a single message.

Unfortunately, the Wireshark filtering engine currently has no notion of "within a single message", so there's no way to do that.

Guy Harris
answered 2024-01-08 07:21:10 +0000

Comments

Too bad, but it seems there is an alternative. Thank you very much for your answer!

alexis (2024-01-10 01:51:43 +0000)