First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

What is a field type of label?

  • retag add tags

When reading through the Display Filter Reference, most of the field types are pretty straight forward.

However, what is the Label field type?

More specifically I am looking at: https://www.wireshark.org/docs/dfref/...

In version 2.6.1 the only thing I see available related to the payload is: websocket.payload Payload Label

What does it mean here by Label?

I'd expect to see a type of sequence of bytes for the payload, but cannot find one for 2.6.1, only the one that indicates type Label.

Thanks.

ahaywood's avatar
3
ahaywood
asked 2018-06-09 00:33:10 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

1 Answer

0

What does it mean here by Label?

It means that the field doesn't have a value, and just acts as a "label" for other data in the packet.

It should be used for "composite" data, such as structures and arrays, for example. However, it shouldn't be used for uninterpreted blobs of bytes in the packet, but people might use it instead of "Sequence of bytes", for example, because they don't want a large blob of bytes to display as a whole bunch of hex digits.

Wireshark should probably allow the developer to indicate whether a "Sequence of bytes" displays as the hex data or as, for example, the count of bytes, e.g.

Frobozz: DEADBEEFCAFEBABE

vs.

Frobozz: 16 bytes

and the cases where "Label" is used for uninterpreted blobs of bytes should be changed to work that way.

(For the benefit of Wireshark developers reading this, "Label" means FT_NONE and "Sequence of bytes" means FT_BYTES.)

Guy Harris's avatar
19.9k
Guy Harris
answered 2018-06-09 02:47:21 +0000
edit flag offensive 0 remove flag delete link
more

Comments

Not in favour of that suggestion. It's all nice and clean when the packets are correct, when looking at errored packets (one of the important reasons to look at packet with Wireshark) I want to see that misaligned data right there and then.

Also, who wants to miss out on the DEADBEEFCAFEBABE? She's smoking.

Jaap's avatar Jaap (2018-06-09 07:40:17 +0000) edit
more
  • delete

Not in favour of that suggestion.

The suggestion to allow the Wireshark core to do the work that some dissectors already do by hand of displaying a byte count for FT_BYTES fields rather than showing the first N bytes of the field in hex? (N = 16 in the master branch.)

There are about 303 calls to proto_tree_add_bytes_format() and proto_tree_add_bytes_format_value() in the epan/dissectors tree in the master branch; I don't know how many of them format the value as "N bytes", but, for what it's worth, there are about 426 instances of "%d byte" and "%u byte" that aren't on the same line as proto_item_append_text, col_add_fstr, col_append_fstr, and g_strdup_printf, so a number of them might be doing what is being suggested. Others might just be giving it a name such as "mumble nonce" - "N bytes" isn't useful if it's a fixed-length field.

It's all ...

(more)
Guy Harris's avatar Guy Harris (2018-06-09 18:46:37 +0000) edit
more
  • delete

In a nutshell, "Label type" has no value?

If that is the case, then I will accept this as the answer.

I do have a followup question though, which, if I need to I'll create a new question for (just let me know), but since we are on the topic.

If the Label type has no value, what field does have the unmasked websocket payload sequence of bytes (or equivalent)?

ahaywood's avatar ahaywood (2018-06-11 19:15:59 +0000) edit
more
  • delete

I believe I found the answer as to where the data is.

It looks like the websocket dissector passes the unmasked payload to the data dissector, and it is exposed in field data.data

ahaywood's avatar ahaywood (2018-06-11 20:44:28 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer