Wireshark-dev: Re: [Wireshark-dev] Extracting field values in a C post-dissector
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Paul Offord <Paul.Offord@xxxxxxxxxxxx>
Date: Tue, 6 Sep 2016 21:47:04 +0000

I’ve made some progress.  I traced MATE and looked at how it registers its post-dissector.  I now get a tree on the 1st scan.  I’ll write up some notes on C post-dissectors when I get something that works.

 

Best regards…Paul

 

From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Paul Offord
Sent: 05 September 2016 23:12
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] Extracting field values in a C post-dissector

 

I've hit a problem.  WS scans the trace file twice.  I need access to protocol fields (e.g. tcp.len and smb2.ses_id) during the first scan.

 

Unfortunately with the C postdissector the tree value passed during the first scan is NULL.  During the second scan I do get the tree.

 

I guess the LUA code uses the proto_tree_prime_hfid() outlined below.

 

Any suggestions how I move forward gratefully accepted.

 

Sent from Samsung Mobile on O2

 

-------- Original message --------

From: Guy Harris

Date:05/09/2016 03:59 (GMT+00:00)

To: Developer support list for Wireshark

Subject: Re: [Wireshark-dev] Extracting field values in a C post-dissector

 

On Aug 22, 2016, at 6:40 AM, Pascal Quantin <pascal.quantin@xxxxxxxxx> wrote:

> By having a quick look at the code, I *think* you will want first to retrieve the hfindex of a given field by using proto_registrar_get_id_byname(), then mark it as "interesting" with proto_tree_prime_hfid()

...which you have to do before the dissection starts.

Unfortunately, you can't do that in a post-dissector.

So...

> aOr a cll to proto_find_finfo() should work also without the need to prime the field, but should be slower according to the comments in proto.h.

...you might have to do it that way, instead.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe


______________________________________________________________________

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

Any views or opinions expressed are solely those of the author and do not necessarily represent those of Advance Seven Ltd. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.

Advance Seven Ltd. Registered in England & Wales numbered 2373877 at Endeavour House, Coopers End Lane, Stansted, Essex CM24 1SJ

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________


______________________________________________________________________

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

Any views or opinions expressed are solely those of the author and do not necessarily represent those of Advance Seven Ltd. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.

Advance Seven Ltd. Registered in England & Wales numbered 2373877 at Endeavour House, Coopers End Lane, Stansted, Essex CM24 1SJ

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________