Wireshark mailing list archives

Re: Packet Diagram shows only raw bytes of a subtree instead of individual fields


From: John Thacker <johnthacker () gmail com>
Date: Thu, 26 Nov 2020 14:03:56 -0500

On Thu, Nov 26, 2020 at 1:19 PM Maynard, Christopher via Wireshark-dev <wireshark-dev () wireshark org> wrote:

> Many protocols contain subtrees, such as a header with various fields that
> are part of the header, and it’s convenient/logical to group those fields
> within the header subtree.  However, doing so results in a Packet Diagram
> that only shows the raw bytes of the subtree rather than the individual
> fields contained within the subtree.
>
> So either I’m doing something wrong, in which case I welcome any
> suggestions for improving the display, or there seems to be a current
> limitation to the way the Packet Diagram behaves with respect to subtrees.
> Has anyone else noticed this?
> ...
>
> Is there a way to achieve this while still grouping the fields within a
> subtree?


Not in a subtree currently. If you look around line 600 of
ui/qt/packet-diagram.cpp, you'll see that it only groups the top level
fields in each protocol.

For the same reason, bitmask fields that are grouped together not in a
subtree, using proto_tree_add_bitmask_list() (like packet-rtp.c#L2072 with
octet1_fields), are displayed separately (in master, post commit
https://gitlab.com/wireshark/wireshark/-/commit/7654bb260d08fdb7adeafce1877fa3c38f3465ae
), whereas for bitmask fields that are added with a subtree with
proto_tree_add_bitmask() only the top level header item appears.

You can see some images here:
https://gitlab.com/wireshark/wireshark/-/merge_requests/959
There you can see bitmask fields that are displayed properly because there
is no subtree.

I agree it would be a nice enhancement to travel down into the children of
items that have children, though I imagine you'd have to take care in some
cases; e.g., dissect_e164_msisdn() from packet-e164.[ch] is used a lot in
various dissectors, and has a header that has the entire number, with a child
that only has the country code (but not a child for the non country code
digits). The simplest way to descend into the subtree for an E.164 number
would thus only have an entry for the country code but leave the other bits
blank. Or you could have issues with dealing with overlaps.

John Thacker
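
An added illustration of the trade-off discussed in the message above; it is not part of the original post and is not Wireshark code. It models a field tree at byte granularity, with a hypothetical `item` struct and constructed sample data, and compares a top-level-only layout with one that descends into children and counts the uncovered bytes and overlaps that descent would have to handle.

```c
#include <stdio.h>

/* Hypothetical model of a dissected item: a byte range plus child items.
 * Not Wireshark's proto_node/field_info; every name here is an assumption. */
typedef struct item {
    const char *name;
    int start, len;
    const struct item *kids;
    int nkids;
} item;

/* Constructed sample: a header subtree whose children cover it fully, and an
 * E.164-style number whose only child is the country code. */
static const item hdr_kids[] = {{"flags", 0, 1, 0, 0}, {"type", 1, 1, 0, 0}, {"length", 2, 2, 0, 0}};
static const item num_kids[] = {{"country_code", 4, 1, 0, 0}};
static const item top[] = {{"header", 0, 4, hdr_kids, 3}, {"msisdn", 4, 6, num_kids, 1}};
static const item proto = {"example", 0, 10, top, 2};

/* Top-level-only layout: one cell per direct child of the protocol. */
int layout_top_level(const item *p, const item **cells, int max) {
    int n = 0;
    for (int i = 0; i < p->nkids && n < max; i++) cells[n++] = &p->kids[i];
    return n;
}

/* Descending layout: emit leaves only, counting parent bytes that no child
 * covers (gaps) and bytes claimed by more than one sibling (overlaps). */
int layout_descend(const item *it, const item **cells, int max, int n, int *gaps, int *overlaps) {
    if (it->nkids == 0) { if (n < max) cells[n++] = it; return n; }
    for (int b = it->start; b < it->start + it->len; b++) {
        int owners = 0;
        for (int k = 0; k < it->nkids; k++)
            owners += b >= it->kids[k].start && b < it->kids[k].start + it->kids[k].len;
        if (owners == 0) (*gaps)++;
        if (owners > 1) *overlaps += owners - 1;
    }
    for (int k = 0; k < it->nkids; k++)
        n = layout_descend(&it->kids[k], cells, max, n, gaps, overlaps);
    return n;
}

int main(void) {
    const item *cells[8];
    int gaps = 0, overlaps = 0;
    int flat = layout_top_level(&proto, cells, 8);
    int deep = layout_descend(&proto, cells, 8, 0, &gaps, &overlaps);
    printf("top-level cells=%d, leaf cells=%d, uncovered bytes=%d, overlaps=%d\n", flat, deep, gaps, overlaps);
    return 0;
}
```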