Wireshark mailing list archives

Re: Dissecting packet details field by field


From: Guy Harris <guy () alum mit edu>
Date: Fri, 14 Jul 2017 16:19:27 -0700

(Redirecting to the developer list, as per Jeff Morriss's suggestion; it's the right place for questions about the 
Wireshark code base.  CCing wireshark-users in case you're not subscribed to wireshark-dev - if you're not, you should 
subscribe.)

On Jul 14, 2017, at 5:38 AM, David Schaeffer <david.schaeffer2 () gmail com> wrote:

On Wed, Jul 12, 2017 at 1:42 PM, David Schaeffer <david.schaeffer2 () gmail com> wrote:

I'm currently working on pulling specific data from a packet once they've
clicked on some packet detail. For example, if the user clicks on a bit
code in the packet body, I want to also pull the source IP address of that
packet. Is there a way to search the packet body by field name or pulling
the packet details into an object of some sort to parse this information?
Thanks for any assistance you can offer in this matter.

Can you give a bit more context?  I assume that this is the context of
writing a protocol dissector?  What are you planning to do with, for
example, the IP address?

Sure. So the goal of this is to allow us to graph bit codes from a packet that has already been dissected by a custom 
packet dissector. We're making it so a user can right-click on the bit code they would like to graph, select graph, 
and it'll bring up the IOGraph with that data, 0 or 1.

So you'd right click on a particular field in the protocol details pane, get a menu with "Graph" as one of the items, 
and it'd pop up an I/O graph for that field?

There's currently no mechanism for that in Wireshark, but it might be a useful *general* addition to Wireshark.

The problem is we have multiple PLCs sending the same bit codes so just grabbing a filter for solely the bit code 
doesn't work, as it pulls from every PLC.
I need to grab the IP address with it to track the specific bit code from that specific PLC.

*That* would require adding the ability to register a per-field callback, with the default being one that causes a 
"standard" I/O graph to be popped up, and with your dissector specifying a callback grabbing the IP address and the 
value of the bit code.  That might call the "draw an I/O graph" code with another callback specified; that callback 
would indicate whether to use the packet or not.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
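The per-field "Graph" callback Guy describes is hypothetical; it is not in Wireshark. What does exist today is the ability to pull any dissected field out field by field with tshark's `-T fields -e` output and to give each I/O Graph line its own display filter, so the per-PLC problem in the thread can be handled by keying the bit value on `ip.src`. The script below is an added example for this list reply, not code from the thread or from Wireshark; it assumes a hypothetical custom-dissector field named `plc.bitcode` and works on a constructed, invented tshark output so it runs offline.

```python
"""Group a custom dissector's bit field by source IP from tshark field output.

Added example (not from the mailing-list thread). Assumes the custom dissector
registers a field called plc.bitcode (hypothetical name) and that the capture
was exported with:

  tshark -r plc.pcapng -T fields -E separator=/t \
      -e frame.number -e frame.time_relative -e ip.src -e plc.bitcode

Note: if a packet carries a field more than once (e.g. tunnelled IP), tshark
joins the occurrences with commas; add -E occurrence=f to keep only the first.
"""
from collections import defaultdict

# Constructed sample of that tshark output (packets and addresses are invented).
# Frame 6 has no plc.bitcode value: the column is empty, as tshark prints it.
SAMPLE_TSHARK_OUTPUT = """\
1\t0.000000\t10.0.0.5\t1
2\t0.004100\t10.0.0.6\t1
3\t1.012300\t10.0.0.5\t0
4\t1.020000\t10.0.0.6\t1
5\t2.050000\t10.0.0.5\t1
6\t2.100000\t10.0.0.7\t
7\t3.000000\t10.0.0.6\t0
"""


def parse_tshark_fields(text, separator="\t"):
    """Parse (frame, time, src, bit) rows; skip packets where the bit field is absent.

    Rejects rows with the wrong column count or a bit value other than 0/1, so a
    misconfigured -e list or a renamed field fails loudly instead of graphing junk.
    """
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(separator)
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 columns, got {len(parts)}")
        frame, t, src, bit = parts
        if bit == "":
            continue  # field not present in this packet (not a PLC frame)
        if bit not in ("0", "1"):
            raise ValueError(f"line {lineno}: plc.bitcode is not a bit: {bit!r}")
        rows.append((int(frame), float(t), src, int(bit)))
    return rows


def series_by_source(rows):
    """Per-PLC time series: {ip.src: [(time_relative, bit), ...]} in capture order."""
    series = defaultdict(list)
    for _frame, t, src, bit in rows:
        series[src].append((t, bit))
    return dict(series)


def io_graph_bins(rows, src, interval=1.0):
    """Emulate an I/O Graph line 'SUM(plc.bitcode)' per tick interval for one PLC.

    Equivalent to a graph line with the display filter returned by display_filter()
    and Y axis set to SUM of plc.bitcode. Returns one bucket per interval from 0 up
    to the last packet seen for that source.
    """
    bins = defaultdict(int)
    for _frame, t, s, bit in rows:
        if s == src:
            bins[int(t // interval)] += bit
    if not bins:
        return []
    return [bins.get(i, 0) for i in range(max(bins) + 1)]


def display_filter(src, value):
    """The I/O Graph display filter that isolates one PLC's bit value."""
    return f"ip.src == {src} && plc.bitcode == {value}"


if __name__ == "__main__":
    rows = parse_tshark_fields(SAMPLE_TSHARK_OUTPUT)
    for src, points in sorted(series_by_source(rows).items()):
        print(src, points, io_graph_bins(rows, src))
    print(display_filter("10.0.0.5", 1))
```

The same grouping can be done inside Wireshark with a Lua listener using `Field.new("ip.src")` and `Field.new("plc.bitcode")`, but the tshark export is the quickest way to check that a per-PLC filter actually separates the streams before building anything on top of the GUI.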
