User Guide

ManualsBrandsWireshark ManualsSoftwareWireshark Wireshark - 0.99.7

111

112

113

114

115

116

117

118

119

120

}

Now the dissection is starting to look more interesting. We have picked apart our first bit of the pro-

tocol. One byte of data at the start of the packet that defines the packet type for foo protocol.

The proto_item_add_subtree call has added a child node to the protocol tree which is where we will

do our detail dissection. The expansion of this node is controlled by the ett_foo variable. This re-

members if the node should be expanded or not as you move between packets. All subsequent dis-

section will be added to this tree, as you can see from the next call. A call to proto_tree_add_item in

the foo_tree, this time using the hf_foo_pdu_type to control the formatting of the item. The pdu type

is one byte of data, starting at 0. We assume it is in network order, so that is why we use FALSE.

Although for 1 byte there is no order issue it's best to keep this correct.

If we look in detail at the hf_foo_pdu_type declaration in the static array we can see the details of

the definition.

• hf_foo_pdu_type - the index for this node.

• FOO PDU Type - the label for this item.

• foo.type - this is the filter string. It enables us to type constructs such as foo.type=1 into the filter

box.

• FT_UNIT8 - this specifies this item is an 8bit unsigned integer. This tallies with our call above

where we tell it to only look at one byte.

• BASE_DEC - for an integer type, this tells it to be printed as a decimal number. It could be

BASE_HEX or BASE_OCT if that made more sense.

We'll ignore the rest of the structure for now.

If you install this plugin and try it out, you'll see something that begins to look useful.

Now let's finish off dissecting the simple protocol. We need to add a few more variables to the hf ar-

ray, and a couple more procedure calls.

Example 9.9. Wrapping up the packet dissection.

static int hf_foo_flags = -1;

static int hf_foo_sequenceno = -1;

static int hf_foo_initialip = -1;

...

{ &hf_foo_flags,

{ "FOO PDU Flags", "foo.flags",

FT_UINT8, BASE_HEX,

NULL, 0x0,

NULL, HFILL }

{ &hf_foo_sequenceno,

{ "FOO PDU Sequence Number", "foo.seqn",

FT_UINT16, BASE_DEC,

NULL, 0x0,

NULL, HFILL }

{ &hf_foo_initialip,

{ "FOO PDU Initial IP", "foo.initialip",

FT_IPv4, BASE_NONE,

NULL, 0x0,

NULL, HFILL }

gint offset = 0;

ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, FALSE);

foo_tree = proto_item_add_subtree(ti, ett_foo);

Packet dissection

105