Wireshark-dev: Re: [Wireshark-dev] Mentioning encapsulation type in Protocol column
From: Martin Kaiser <lists@xxxxxxxxx>
Date: Tue, 13 Mar 2012 23:07:20 +0100
Hi Lori and all,

Thus wrote Lori Jakab (ljakab@xxxxxxxxxx):

> AFAIK, currently the protocol displayed in the Protocol column of
> Wireshark is that of the last dissector called on the packet. This makes
> it difficult to distinguish among packets with or without some type of
> encapsulation, unless filtering is employed. That is, a "regular" ICMP
> packet and a GRE encapsulated ICMP packet are both simply listed as ICMP.

> It would be a great feature to be able to see at a glance, when
> monitoring all traffic (especially with tshark), which packets are GRE
> or LISP (or any other encapsulating header) encapsulated. So, with the
> example above, instead of showing just ICMP, the Protocol field would
> display ICMP/GRE or ICMP/LISP.

> Is this possible with the current API?

Probably not in the protocol column. Most (if not all) dissectors call
col_set_str(pinfo->cinfo, COL_PROTOCOL, "my protocol"); and clear the
previous content.

I just tried defining a custom column as follows:
- select any packet
- open "Frame" in the tree
- select "Protocols in Frame"
- right click, "Apply as column"

That'll give you a colon-separated list of protocols in the column.
Hopefully, that's what you need.

Best regards,

   Martin
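
For the tshark case raised in the quoted question, the "Protocols in Frame" value is also available as the frame.protocols field. The following is an added example, not part of the original message or of Wireshark's code, that turns that colon-separated list into labels such as ICMP/GRE. The sample lines are constructed, and the ENCAPS table and the function names are assumptions of the example.

```python
# Post-process output of:
#   tshark -r capture.pcap -T fields -e frame.number -e frame.protocols
# (capture.pcap is a placeholder; -T fields separates columns with a tab)

# Encapsulating protocols to call out, mapped to the label to display.
# Assumption of this example: extend it with the tunnels you care about.
ENCAPS = {"gre": "GRE", "lisp-data": "LISP"}


def protocol_label(frame_protocols, encaps=ENCAPS):
    """Turn 'eth:ethertype:ip:gre:ip:icmp' into 'ICMP/GRE'."""
    layers = [p for p in frame_protocols.strip().split(":") if p]
    if not layers:
        return ""
    innermost = layers[-1]
    # Walk outwards from the payload so nested tunnels read inner to outer.
    tunnels = [encaps[p] for p in reversed(layers[:-1]) if p in encaps]
    return "/".join([encaps.get(innermost, innermost.upper())] + tunnels)


def label_lines(lines):
    """Parse 'frame.number<TAB>frame.protocols' lines into (number, label)."""
    result = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        number, _, protocols = line.partition("\t")
        result.append((int(number), protocol_label(protocols)))
    return result


# Constructed sample output, not taken from a real capture.
SAMPLE = [
    "1\teth:ethertype:ip:icmp",
    "2\teth:ethertype:ip:gre:ip:icmp",
    "3\teth:ethertype:ip:udp:lisp-data:ip:icmp",
    "4\teth:ethertype:ip:gre:ip:udp:lisp-data:ip:icmp",
    "5\teth:ethertype:ip:gre",
]

if __name__ == "__main__":
    for number, label in label_lines(SAMPLE):
        print(number, label)
```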