How to add a custom field in Wireshark which is delta of a field in frames

edit

Hello,

Thanks for the reply. Is there any possibility to have it in dissector, is that easy to do, if so can you any sample to share, so that i use it and build for my requirement. Using Lua programming or something in wireshark where i edit the dissector itself. It is for (protocol SV and the field for which i would like to find delta is smpCnt)

Regards, S.Senthil

Have a look at MATE, now also described in Chapter 12 of the Wireshark User Guide; you might be able to use it to accomplish your goal.

Hello, Using MATE, We cannot find the difference in smpCnt which is usually incremented by 1 for every frame. We can extract the Pdu from smpCnt from Frame, but you dont have start or stop of Gop and you dont have any subtraction Operator for the smpCnt.

If MATE doesn't provide what you need (or doesn't provide everything that you need), you may need to write a Lua post-dissector instead, or you may even require a combination of both MATE and a Lua post-dissector to achieve your goal. I think it should be possible though.

MATE is out of question here.

In Lua, you have to build a "table" (array) of the delta values, indexed by frame number, and use that table to store your deltas. Each dissector is called many times as you work in Wireshark, but there is a first pass during which all the packets are dissected in sequence, and during this pass you can calculate the deltas by storing the absolute value of the field and using the stored value from the previous packet when dissecting the next one. Of course, if several unrelated streams of the same protocol can appear in the capture, you have to use another (smaller) table indexed by values of the distinctive identifier of these streams to keep the previous absolute values of the field for calculating the deltas.