Wireshark-dev: Re: [Wireshark-dev] expert_add_info_format() usage with undecoded/unknown data
Hi,
On Wed, Feb 18, 2009 at 07:55:02PM +0100, wsgd wrote:
> The possibility to make a Display filter on 'expert data' seems very
> good to me.
> It could permits to see all packets where there is an error (or ...).
> Seems an important feature to me.
>
> But, I think it does not exist.
I've done some work on it; an initial version is attached :)
> So, "gg.unknown" is the way to do.
> Same way to do into packet-tcp.c : "hf_tcp_checksum_bad" ...
>
> Note that you can filter using "gg.unknown" without any value (if you
> add your "unknown" field only "when something unknown happens").
I didn't know about that, thanks!
Index: epan/expert.c
===================================================================
--- epan/expert.c (wersja 27532)
+++ epan/expert.c (kopia robocza)
@@ -36,9 +36,15 @@
static int expert_tap = -1;
+static int proto_expert = -1;
static int highest_severity = 0;
+static int ett_expert = -1;
+static int ett_subexpert = -1;
+static int hf_expert_group = -1;
+static int hf_expert_severity = -1;
+
const value_string expert_group_vals[] = {
{ PI_CHECKSUM, "Checksum" },
{ PI_SEQUENCE, "Sequence" },
@@ -65,10 +71,30 @@
void
expert_init(void)
{
+ static hf_register_info hf[] = {
+ { &hf_expert_group,
+ { "Group", "expert.group", FT_UINT32, BASE_HEX, VALS(expert_group_vals), 0/* PI_GROUP_MASK */, "Wireshark expert group", HFILL }
+ },
+ { &hf_expert_severity,
+ { "Severity level", "expert.severity", FT_UINT32, BASE_HEX, VALS(expert_severity_vals), 0/* PI_SEVERITY_MASK */, "Wireshark expert severity level", HFILL }
+ }
+ };
+ static gint *ett[] = {
+ &ett_expert,
+ &ett_subexpert
+ };
+
if(expert_tap == -1) {
expert_tap = register_tap("expert");
}
+ if (proto_expert == -1) {
+ proto_expert = proto_register_protocol("Expert Info", "Expert", "expert");
+ proto_register_field_array(proto_expert, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+ proto_set_cant_toggle(proto_expert);
+ }
+
highest_severity = 0;
}
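Review bot: The two `hf` entries in expert_init() pass `0/* PI_GROUP_MASK */` and `0/* PI_SEVERITY_MASK */` as the bitmask, and nothing states whether the mask was dropped on purpose. Later in this patch the fields are filled through `proto_tree_add_uint()` with the raw `severity` and `group` arguments, so a zero mask looks intentional; presumably a non-zero mask would make the core mask and shift the value before the value_string lookup (to be confirmed against proto.c). I would replace the inline remnants with a comment such as `/* no bitmask: the value is the full PI_* constant, matched as-is against the value_string */`. `expert.group` and `expert.severity` become filter names that analysts will use to pick out malformed or suspicious packets, so their value semantics deserve to be stated at the registration site.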
@@ -100,7 +126,22 @@
}
}
+static proto_tree*
+expert_create_tree(proto_item *pi, int group, int severity)
+{
+ proto_tree *tree;
+ proto_item *ti;
+ tree = proto_item_add_subtree(pi, ett_expert);
+ /* ti = proto_tree_add_item(tree, proto_expert, NULL, 0, 0, FALSE); */
+ ti = proto_tree_add_protocol_format(tree, proto_expert, NULL, 0, 0, "Expert Info (%s/%s)",
+ val_to_str(severity, expert_severity_vals, "?%u?"),
+ val_to_str(group, expert_group_vals, "?%u?"));
+
+ /* another subtree? */
+ return proto_item_add_subtree(ti, ett_subexpert);
+}
+
static void
expert_set_info_vformat(
packet_info *pinfo, proto_item *pi, int group, int severity, const char *format, va_list ap)
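Review bot: In expert_create_tree() the item `ti` is added with a NULL tvb and zero offset and length, so it is not backed by packet bytes, yet it is not marked as generated; adding `PROTO_ITEM_SET_GENERATED(ti);` after the `proto_tree_add_protocol_format()` call would let the UI present it as dissector-derived rather than captured data. The first statement calls `proto_item_add_subtree(pi, ett_expert)` on the caller's item, which may already have been given a subtree by its dissector; if that call replaces the item's ett index (to be confirmed against proto.c), the expansion state of existing subtrees would change. The function also has no header comment saying what it returns or that it modifies `pi`, and the commented-out `proto_tree_add_item` line and the open `/* another subtree? */` question should be resolved before this is merged.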
@@ -108,6 +149,7 @@
int ret; /*tmp return value */
char formatted[300];
expert_info_t *ei;
+ proto_tree *tree;
/* if this packet isn't loaded because of a read filter, don't output anything */
@@ -132,6 +174,10 @@
ei->summary = ep_strdup(formatted);
ei->pitem = NULL;
+ tree = expert_create_tree(pi, group, severity);
+ proto_tree_add_uint(tree, hf_expert_severity, NULL, 0, 0, severity);
+ proto_tree_add_uint(tree, hf_expert_group, NULL, 0, 0, group);
+
/* if we have a proto_item (not a faked item), set expert attributes to it */
if(pi != NULL && pi->finfo != NULL) {
ei->pitem = pi;
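Review bot: The new `expert_create_tree(pi, group, severity)` call runs before the existing `if(pi != NULL && pi->finfo != NULL)` guard just below it, so it is reached with a NULL `pi` and with faked items whose `finfo` is NULL. Whether that is safe depends on proto_item_add_subtree() and the `proto_tree_add_*` calls tolerating those inputs, which this hunk does not show. Moving the three added lines inside the guarded block, or wrapping them in `if (pi != NULL && pi->finfo != NULL) { ... }`, removes that dependency. Expert info is raised precisely on malformed or unexpected input, so this path is exercised by untrusted packet data and should not rely on implicit NULL handling. The body of expert_set_info_vformat() starts and ends outside the hunk.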