Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Plugin dissector - lookup expert_field_info

From: <jayrturner99 () gmail com>
Date: Sat, 23 Jan 2021 20:35:42 -0600
I would like to write "prot.has.error" in the filter and find all of my packets that have any condition that my 
dissector determines to be "an error". Otherwise I have to type a filter like
         prot && (_ws.expert.severity == "Error" || _ws.expert.severity == "Warn")

To do that now, I have to write something like
        if ({condition})
        {
                expert_add_info(pinfo, pitem, efield);
                my_prot_context.has_error = TRUE;
        }
for each condition in my dissector code. Instead, I would like to write methods such as
        ei_add_if_is_gint(pinfo, pitem, expected_gint, efield);
and have the methods do
        ei_add_if_is_gint(...)
        {
                if (expected_gint == (gint)proto_item_get_guint(pitem))
                {
                        expert_field_info* eiinfo;
                        expert_add_info(pinfo, pitem, efield);
                        EXPERT_REGISTRAR_GET_NTH(efield->ei, eiinfo);
                        if (PI_ERROR == eiinfo->severity || PI_WARN == eiinfo->severity)
                                my_prot_context.has_error = TRUE;
                }
        }
Otherwise, my dissector code will be sprinkled with the above block of "if"s instead of easily maintained 
ei_add_if_is_gint() and similar calls.

Thank you,
Jay Turner

-----Original Message-----
From: Wireshark-dev <wireshark-dev-bounces () wireshark org> On Behalf Of Guy Harris
Sent: Saturday, January 23, 2021 8:01 PM
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] Plugin dissector - lookup expert_field_info

On Jan 23, 2021, at 1:06 PM, jayrturner99 () gmail com wrote:


I want to wrap expert_add_info calls so that I can check the expert_field* argument, see if the severity is PI_ERROR, 
and set a generated field in my protocol that says “this packet has errors”.


For what purpose?

There's already something in the protocol tree saying "this packet has errors", namely the added expert info.

A packet-matching expression that will match all packets that have a PI_ERROR expert info is

        _ws.expert.severity == "Error"

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: