headers
Guy Harris | 1 Apr 2009 01:01
Picon
Favicon

Re: Filtering


On Mar 31, 2009, at 3:53 PM, gogrady@... wrote:

> I think that answer my question. So it looks like my best bet is to  
> use the hidden field and just go with bad UI eh?

Your *best* bet might be to find a way of dissecting the packet that  
doesn't involve your DLL, given the problems you've been having trying  
to use it in Wireshark (probably because it was never designed for use  
in Wireshark, and so is a bad fit for Wireshark; square pegs fit into  
round holes only with a lot of hard pounding and perhaps some ugly  
noises and damage to peg, hole, or both).

Code such as

	time = (_GetMsgTime)();
	pi = proto_tree_add_text(icom_message_tree, tvb, 0, 0, "Time: %s",  
time);

is suboptimal UI even if you completely ignore filtering issues - you  
can't click on the "Time: %s" line and see what packet data  
corresponds to it, for example.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@...>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@...?subject=unsubscribe
Permalink | Reply | 1 comment |
headers
gogrady | 1 Apr 2009 01:22
Picon

Re: Filtering

The only way to dissect this protocol is through the dll, i cannot create it soley in the plugin as is the
design requirements. I'm working on functions that will show the bytes for the corresponding packet
section and currently have all but the last level of dissection level of the protocol.

Greg

Guy Harris wrote:
> On Mar 31, 2009, at 3:53 PM, gogrady@... wrote:
>
>> I think that answer my question. So it looks like my best bet is to  
>> use the hidden field and just go with bad UI eh?
>
> Your *best* bet might be to find a way of dissecting the packet that  
> doesn't involve your DLL, given the problems you've been having trying  
> to use it in Wireshark (probably because it was never designed for use  
> in Wireshark, and so is a bad fit for Wireshark; square pegs fit into  
> round holes only with a lot of hard pounding and perhaps some ugly  
> noises and damage to peg, hole, or both).
>
> Code such as
>
> 	time = (_GetMsgTime)();
> 	pi = proto_tree_add_text(icom_message_tree, tvb, 0, 0, "Time: %s",  
> time);
>
> is suboptimal UI even if you completely ignore filtering issues - you  
> can't click on the "Time: %s" line and see what packet data  
> corresponds to it, for example.

___________________________________________________________________________
(Continue reading)

Permalink | Reply | 1 comment |
headers
Guy Harris | 1 Apr 2009 01:25
Picon
Favicon

Re: Filtering


On Mar 31, 2009, at 4:01 PM, Guy Harris wrote:

> Your *best* bet might be to find a way of dissecting the packet that
> doesn't involve your DLL, given the problems you've been having trying
> to use it in Wireshark (probably because it was never designed for use
> in Wireshark, and so is a bad fit for Wireshark; square pegs fit into
> round holes only with a lot of hard pounding and perhaps some ugly
> noises and damage to peg, hole, or both).

Now, in cases where the DLL returns something useful for Wireshark,  
rather than just a human-readable text string - i.e., where it returns  
the raw value from the packet - you could use proto_tree_add_uint() to  
add the value to the protocol tree; that would make it filterable, and  
Wireshark would display it for you.

If you're really ambitious, in cases such as

	time = (_GetMsgTime)();
	pi = proto_tree_add_text(icom_message_tree, tvb, 0, 0, "Time: %s",
time);

you could try parsing the string you get back from the DLL and convert  
it to a value that you could hand to a proto_tree_add routine.

If the DLL doesn't hand you the raw offset in the packet data for a  
field, or the raw length of the data for the field, you still wouldn't  
be able to pass the real offset and length fields to the  
proto_tree_add routines, so you still wouldn't be able to click on the  
field and see which particular bytes in the packet correspond to the
(Continue reading)

Permalink | Reply | 0 comments |
headers
Guy Harris | 1 Apr 2009 01:30
Picon
Favicon

Re: Filtering


On Mar 31, 2009, at 4:22 PM, gogrady@... wrote:

> The only way to dissect this protocol is through the dll, i cannot  
> create it soley in the plugin as is the design requirements.

Can you tell whoever imposed those design requirements that perhaps  
they should impose *on the DLL* a design requirement that there be  
ways of getting, for each field, the *raw data* rather than some  
"helpful" human-readable interpretation of the field - and that it  
return the raw byte offset and length-in-bytes of a field, if it  
doesn't do so already -  if they're going to make use of the DLL a  
requirement for the design of the Wireshark dissector?

Otherwise, it's somewhat like imposing a design requirement on a house  
that the only form of hammers to be used when building the house are  
sledgehammers, even for hammering nails into walls.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@...>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@...?subject=unsubscribe
Permalink | Reply | 0 comments |
headers
mirtaher | 1 Apr 2009 05:00
Picon
Picon
Favicon

how to get Wireshark directory path ?

Hi,

I am writing a plug in to dissect MPICH packets and I need the absolute
path of the wireshark home directory so I can access a shell file on my
plug in folder.

I.e. <wiresharkfolder>/plugins/mpich/≤myshell file.>

Is there any environment variable or wireshark variable that store it, or
any other way I can get it ?

Appreciate any help.
Seyed.
_________________________________________

Seyed M. Mirtaheri
+1 (778) 883 3500
Department of Computer Science
University of British Columbia

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@...>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@...?subject=unsubscribe
Permalink | Reply | 1 comment |
headers
gogrady | 1 Apr 2009 05:28
Picon

Re: Filtering

hello,

well theres no way i can change how the lib dissects since it is used in many more programs than just
wireshark. i am creating a dll interface between wireshark plugin and the protocol lib, it returns the
human readable information because that is what is needed for the more important programs that my company
is developing. There are ways in my dll and lib to get the size of the raw data so that when i highlight in
wireshark it highlights the correct bytes in the raw data section, i have functions that i can pass to the
proto_tree_add_'s for length that do this, and i have a variable "offset" that keeps track of the current
placement in the raw data. The design is and must stay as the raw data is passed plugin -> interface -> lib and
then the human readable char * or int from lib -> interf
 ace -> plugin and must be done as so. Unless you have another idea for outputing these types to make
filterable, it seems to me that the only way is to use the hidden items along with the ad
 d_text.

Any other ideas? Hopefully you can understand that i would do it differently if i could, but unfortunately
this is not the most important project and is only used for troubleshooting the complex protocol in which
my company wants to use their already made lib,

Thank you for all the help, it has helped me better understand wireshark dissection,

Greg

Guy Harris wrote:
> On Mar 31, 2009, at 4:22 PM, gogrady@... wrote:
>
>> The only way to dissect this protocol is through the dll, i cannot  
>> create it soley in the plugin as is the design requirements.
>
> Can you tell whoever imposed those design requirements that perhaps  
> they should impose *on the DLL* a design requirement that there be
(Continue reading)

Permalink | Reply | 501 comments |
headers
Guy Harris | 1 Apr 2009 05:39
Picon
Favicon

Re: Filtering


On Mar 31, 2009, at 8:28 PM, gogrady@... wrote:

> i am creating a dll interface between wireshark plugin and the  
> protocol lib, it returns the human readable information because that  
> is what is needed for the more important programs that my company is  
> developing.

That's *all* that's needed?  And they won't make changes to allow the  
DLL to be used conveniently in protocol analyzers as well?

> There are ways in my dll and lib to get the size of the raw data so  
> that when i highlight in wireshark it highlights the correct bytes  
> in the raw data section, i have functions that i can pass to the  
> proto_tree_add_'s for length that do this, and i have a variable  
> "offset" that keeps track of the current placement in the raw data.  
> The design is and must stay as the raw data is passed plugin ->  
> interface -> lib and then the human readable char * or int from lib - 
> > interface -> plugin and must be done as so. Unless you have  
> another idea for outputing these types to make filterable, it seems  
> to me that the only way is to use the hidden items along with the  
> add_text.

The idea that I've already mentioned is that:

	for the cases where the library returns an int, if the int value is  
the raw data for the field, use it in proto_tree_add_uint() or  
proto_tree_add_int();

	for the cases where the library human-readable string, parse the
(Continue reading)

Permalink | Reply | 501 comments |
headers
Maynard, Chris | 1 Apr 2009 16:29

Re: Filtering

I sort of hate to jump back in here because Guy really knows his stuff
and I think he's already given the best advice, but I thought I would
try to provide a more concrete example of what Guy is referring to with
the proto_tree_add_format_value_{something other than text} reference
...

Using the original "time" example, I think the following pseudo-code
should more-or-less do the job:

static int hf_icom_time = -1;

dissect_icom(...) {
    ...
    time = (_GetMsgTime)();
    pi = proto_tree_add_string_format_value(icom_message_tree,
hf_icom_time, tvb, 0, 0, time, "%s", time);
    ...
}

...

    { &hf_icom_time,
        { "Time", "icom.time", FT_STRINGZ, BASE_NONE,
        NULL, 0x00, "", HFILL }
    },
...

- Chris

> -----Original Message-----
(Continue reading)

Permalink | Reply | 0 comments |
headers
Gerhard Gappmeier | 1 Apr 2009 18:32
Gravatar

OPCUA Update

Hi all,


the most OPC UA Specifications are released meanwhile.
Also Part 6 which describes the protocol.
So it was overdue to update the wireshark opcua plugin.


Really a lot changed since the last update: transport, security and application layer, so this is a big update.


I attached the patch that will update the code.
It's only tested on Linux, but buildbot while verify the other platforms anyway.


I also attached a sample capture file for fuzzy testing.


What is really missing is a configuration option in Edit->preferences
where you can configure the port. Default is port 4840,
which is also the registered port for OPCUA.
But a lot of servers will run on other ports, so a configuration option would be nice.


Maybe somebody can help at this point, because I have no clue about the
wireshark GUI stuff.


--
mit freundlichen Grüßen / best regards


Gerhard Gappmeier
ascolab GmbH - automation systems communication laboratory
Tel.: +49 9131 691 123
Fax: +49 9131 691 128
Web: http://www.ascolab.com
GPG-Key: http://www.ascolab.com/gpg/gg.asc



Attachment (cppserver.cap): application/octet-stream, 52 KiB
Attachment (opcuaV1.patch): text/x-patch, 392 KiB
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@...>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@...?subject=unsubscribe
Permalink | Reply | 3 comments |
headers
buildbot | 1 Apr 2009 19:37
Favicon

buildbot failure in Wireshark (development) on Ubuntu-7.10-x86-64

The Buildbot has detected a new failure of Ubuntu-7.10-x86-64 on Wireshark (development).
Full details are available at:
 http://buildbot.wireshark.org/trunk/builders/Ubuntu-7.10-x86-64/builds/843

Buildbot URL: http://buildbot.wireshark.org/trunk/

Buildslave for this Build: ubuntu-7.10-x86

Build Reason: 
Build Source Stamp: HEAD
Blamelist: etxrab,wmeier

BUILD FAILED: failed fuzz-menagerie

sincerely,
 -The Buildbot

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@...>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@...?subject=unsubscribe
Permalink | Reply | 0 comments |

Gmane