Wireshark-dev: Re: [Wireshark-dev] dissecting multiple items inside one frame
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Tue, 26 Aug 2008 09:34:00 -0400


Zoran Bošnjak wrote:
> Dear wireshark developers,
> please advise how to dissect multiple PDUs inside single UDP payload. There are some examples how to reassemble fragmented payload and dissection is then seen on last frame (not sure??). But I couldn't find any example for opposite problem, how to first split payload and then dissect each part independently as if it was captured alone.
>
> Could this be done inside dissector or prior to dissector?
>
> My protocol inside UDP payload is in the form:
> [type(1byte)][len(2bytes)][data(variable)][type][len][data]...[type][len][data]
>
> After dissecting everything, I would like to have a separate line (in a main window) for each PDU ([type][len][data]) so that I could use "Info" column for each subitem and to filter (and display) only individual subitems.
>
> For now I am only able to dissect all PDUs inside the same tree (multiple subtrees in dissect window), but display filtering does not work or is very limited in this case.

Yes, Wireshark is built around the concept of a frame containing only a single PDU. With SCTP, too, (which frequently bundles upper layer PDUs together) we have the problem of many PDUs in a single frame which can make (display) filtering problematic.

One idea for the packet list frame:

http://www.wireshark.org/lists/wireshark-dev/200606/msg00147.html

looks appealing to me but AFAIK isn't possible in the current GTK, uh, "thingy" (forget the term) that the Wireshark GUI uses.
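
The splitting step for the `[type][len][data]` layout described in the question, as an added example that is not part of the original thread and not Wireshark code. It only shows how to walk the payload while checking every length against the bytes that remain. Assumptions: the 2-byte length is big-endian and counts only the data bytes; `struct pdu`, `split_pdus` and the sample payload are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PDU_HDR_LEN 3                 /* type(1) + len(2) */

/* One [type][len][data] record located inside the UDP payload. */
struct pdu {
    uint8_t type;
    uint16_t len;                     /* data bytes only (assumption) */
    const uint8_t *data;              /* points into the caller's buffer */
};

/* Constructed sample: type 1 "AB", type 2 empty, type 3 claims 16 bytes but has 1. */
static const uint8_t sample_payload[] = {
    0x01, 0x00, 0x02, 'A', 'B',
    0x02, 0x00, 0x00,
    0x03, 0x00, 0x10, 0xFF
};

/* Store up to max_out complete PDUs in out and return how many were found.
 * *consumed is the number of bytes they cover; consumed < buf_len means the
 * tail was truncated, had an oversized length, or did not fit in out. */
size_t split_pdus(const uint8_t *buf, size_t buf_len,
                  struct pdu *out, size_t max_out, size_t *consumed)
{
    size_t off = 0, n = 0;
    while (n < max_out && buf_len - off >= PDU_HDR_LEN) {
        uint16_t len = (uint16_t)((buf[off + 1] << 8) | buf[off + 2]);
        /* Compare len with what is left; never advance on len alone. */
        if (len > buf_len - off - PDU_HDR_LEN)
            break;
        out[n].type = buf[off];
        out[n].len = len;
        out[n].data = buf + off + PDU_HDR_LEN;
        n++;
        off += PDU_HDR_LEN + (size_t)len;
    }
    *consumed = off;
    return n;
}

int main(void)
{
    struct pdu out[8];
    size_t used = 0;
    size_t n = split_pdus(sample_payload, sizeof sample_payload, out, 8, &used);
    printf("%zu PDUs, %zu of %zu bytes consumed\n", n, used, sizeof sample_payload);
    return 0;
}
```

A caller can treat `consumed < buf_len` as the signal to flag the remainder as malformed instead of dissecting it.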