Wireshark mailing list archives
Re: Plugin dissector - lookup expert_field_info
From: <jayrturner99 () gmail com>
Date: Sat, 23 Jan 2021 20:35:42 -0600
I would like to write "prot.has.error" in the filter and find all of my packets that have any condition that my dissector determines to be "an error". Otherwise I have to type a filter like

    prot && (_ws.expert.severity == "Error" || _ws.expert.severity == "Warn")

To do that now, I have to write something like

    if ({condition})
    {
        expert_add_info(pinfo, pitem, efield);
        my_prot_context.has_error = TRUE;
    }

for each condition in my dissector code. Instead, I would like to write methods such as

    ei_add_if_is_gint(pinfo, pitem, expected_gint, efield);

and have the methods do

    ei_add_if_is_gint(...)
    {
        if (expected_gint == (gint)proto_item_get_guint(pitem))
        {
            expert_field_info* eiinfo;
            expert_add_info(pinfo, pitem, efield);
            EXPERT_REGISTRAR_GET_NTH(efield->ei, eiinfo);
            if (PI_ERROR == eiinfo->severity || PI_WARN == eiinfo->severity)
                my_prot_context.has_error = TRUE;
        }
    }

Otherwise, my dissector code will be sprinkled with the above block of "if"s instead of easily maintained ei_add_if_is_gint() and similar calls.

Thank you,
Jay Turner

-----Original Message-----
From: Wireshark-dev <wireshark-dev-bounces () wireshark org> On Behalf Of Guy Harris
Sent: Saturday, January 23, 2021 8:01 PM
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] Plugin dissector - lookup expert_field_info

On Jan 23, 2021, at 1:06 PM, jayrturner99 () gmail com wrote:
I want to wrap expert_add_info calls so that I can check the expert_field* argument, see if the severity is PI_ERROR, and set a generated field in my protocol that says “this packet has errors”.
For what purpose? There's already something in the protocol tree saying "this packet has errors", namely the added expert info.

A packet-matching expression that will match all packets that have a PI_ERROR expert info is

    _ws.expert.severity == "Error"

___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe