Wireshark mailing list archives
Re: Reading packet comment in a dissector?
From: Martin Mathieson <martin.r.mathieson () googlemail com>
Date: Tue, 18 Oct 2016 09:13:26 +0100
I was able to do this at least for now (thanks Anders).

    if (tree != NULL) {
        /* Collect every field_info already placed in the tree for this packet. */
        GPtrArray *items = proto_all_finfos(tree);
        if (items) {
            guint i;
            /* TODO: if get past "frame" entries, not going to be found, so break. */
            for (i = 0; i < items->len; i++) {
                field_info *field = (field_info *)g_ptr_array_index(items, i);
                if (strcmp(field->hfinfo->abbrev, "frame.comment") == 0) {
                    /* String value is owned by the tree; valid for this pass only. */
                    value = field->value.value.string;
                    break;
                }
            }
            g_ptr_array_free(items, TRUE);
        }
    }

On Mon, Oct 17, 2016 at 3:33 PM, Martin Mathieson <martin.r.mathieson () googlemail com> wrote:
Hi,

I am trying to read the per-packet (user) comment in a post-dissector. Calling epan_get_user_comment(pinfo->epan, pinfo->fd) doesn't work: the epan_session callback for get_user_comment() is set to NULL. The callback that is set in places where the comment is available uses ws_get_user_comment() as its callback, which looks up a hash table in the capture_file struct.

I need to leave this for now, but if anyone happens to have looked into this before I'd be grateful to hear about it.

Best regards,
Martin

P.S. This may be a hacky thing to want to do, but my motivation is to at least demo being able to show Snort alerts this week by reading the comment (attached by TraceWrangler) rather than running Snort from within the post-dissector.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
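The snippet in the reply above is a fragment taken from inside a dissector. As an added example (not Martin's code and not part of Wireshark), the following is a complete minimal post-dissector built around the same proto_all_finfos() walk: it locates "frame.comment" in the tree that the frame dissector has already built, republishes the comment as a filterable field, and appends it to the Info column. It is written against the Wireshark 2.x libwireshark API (proto_register_protocol, register_postdissector, proto_all_finfos, field_info); every "pcomment" name, field abbreviation and description is invented for this example, and it assumes the usual plugin build environment. As in the original snippet, the comment is only found when a tree was actually built for the packet (tree != NULL). Since the comment text comes straight from the capture file, the example treats it as untrusted data and never uses it as a format string.

```c
/* Added example, not Martin's snippet nor Wireshark's own code: a minimal
 * post-dissector that locates "frame.comment" in the already-built tree
 * with the same proto_all_finfos() walk, then republishes the comment as a
 * filterable field and appends it to the Info column. Written against the
 * Wireshark 2.x libwireshark API; all "pcomment" names are invented. */
#include "config.h"
#include <string.h>
#include <glib.h>
#include <epan/packet.h>
#include <epan/proto.h>

static int  proto_pcomment   = -1;
static int  hf_pcomment_text = -1;
static gint ett_pcomment     = -1;

/* Walk every field_info in the tree and return the frame.comment string,
 * or NULL when the packet carries no comment (or no tree was built).
 * The pointer is owned by the tree and is only valid for this pass. */
static const char *
pcomment_find(proto_tree *tree)
{
    GPtrArray  *items;
    const char *value = NULL;
    guint       i;

    if (tree == NULL)
        return NULL;
    items = proto_all_finfos(tree);
    if (items == NULL)
        return NULL;

    for (i = 0; i < items->len; i++) {
        field_info *field = (field_info *)g_ptr_array_index(items, i);
        if (strcmp(field->hfinfo->abbrev, "frame.comment") == 0) {
            value = field->value.value.string;
            break;
        }
    }
    g_ptr_array_free(items, TRUE);
    return value;
}

static int
dissect_pcomment(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
    const char *comment = pcomment_find(tree);
    proto_item *ti;
    proto_tree *sub;

    if (comment == NULL)
        return 0;

    /* The comment is untrusted capture-file content: pass it as an
     * argument to "%s", never as the format string itself. */
    col_append_fstr(pinfo->cinfo, COL_INFO, " [comment: %s]", comment);

    ti  = proto_tree_add_item(tree, proto_pcomment, tvb, 0, 0, ENC_NA);
    sub = proto_item_add_subtree(ti, ett_pcomment);
    proto_tree_add_string(sub, hf_pcomment_text, tvb, 0, 0, comment);
    return tvb_captured_length(tvb);
}

void
proto_register_pcomment(void)
{
    static hf_register_info hf[] = {
        { &hf_pcomment_text,
          { "Comment text", "pcomment.text", FT_STRING, BASE_NONE,
            NULL, 0x0, "Packet comment copied from frame.comment", HFILL } }
    };
    static gint *ett[] = { &ett_pcomment };

    proto_pcomment = proto_register_protocol("Packet comment echo",
                                             "PComment", "pcomment");
    proto_register_field_array(proto_pcomment, hf, array_length(hf));
    proto_register_subtree_array(ett, array_length(ett));
}

void
proto_reg_handoff_pcomment(void)
{
    /* Post-dissectors run after every other dissector, so the frame tree
     * (and therefore frame.comment) already exists when dissect_pcomment runs. */
    dissector_handle_t handle = create_dissector_handle(dissect_pcomment,
                                                        proto_pcomment);
    register_postdissector(handle);
}
```

The walk is a linear scan over every field in the packet; for large packets that is noticeable, which is what the TODO in the posted snippet is about. The break condition it suggests is left out here because the position of the comment item relative to the "frame" items depends on how packet-frame.c lays out the tree in the running version, so a wrong assumption would silently return NULL rather than fail loudly.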