Wireshark-dev: Re: [Wireshark-dev] expert_add_info_format() usage with undecoded/unknown data
On Feb 24, 2009, at 1:26 PM, wsgd wrote:
> I have tried your patch (on wireshark 1.1.3).
> Seems to work well.
> Explanations for other people:
> On each field where an expert info has been declared,
> a subtree Expert Info is added with
> a field Severity with its value: Error, ...
> a field Group with its value: Checksum, Malformed, ...
...and without the actual text of the expert information.
It would probably be more useful *with* the text of the expert
information; as long as we're adding the expert information to the
protocol tree, we might as well show what the problem is.
I've attached a version of Jakub's patch that does that as well.
In addition, it might be useful to have a way to register particular
expert information indications, so that you could search for packets
with *specific* problems. For those, you might have a particular
indication registered as a pseudo-field for a protocol, e.g.
"tcp.bad_checksum" if we used expert information to report bad TCP
checksums. That item could be added underneath the top-level "Expert
Info" item, along with the severity and group.
Index: epan/expert.c
===================================================================
--- epan/expert.c (revision 27539)
+++ epan/expert.c (working copy)
@@ -36,9 +36,15 @@
static int expert_tap = -1;
+static int proto_expert = -1;
static int highest_severity = 0;
+static int ett_expert = -1;
+static int ett_subexpert = -1;
+static int hf_expert_group = -1;
+static int hf_expert_severity = -1;
+
const value_string expert_group_vals[] = {
{ PI_CHECKSUM, "Checksum" },
{ PI_SEQUENCE, "Sequence" },
@@ -65,10 +71,30 @@
void
expert_init(void)
{
+ static hf_register_info hf[] = {
+ { &hf_expert_group,
+ { "Group", "expert.group", FT_UINT32, BASE_HEX, VALS(expert_group_vals), 0, "Wireshark expert group", HFILL }
+ },
+ { &hf_expert_severity,
+ { "Severity level", "expert.severity", FT_UINT32, BASE_HEX, VALS(expert_severity_vals), 0, "Wireshark expert severity level", HFILL }
+ }
+ };
+ static gint *ett[] = {
+ &ett_expert,
+ &ett_subexpert
+ };
+
if(expert_tap == -1) {
expert_tap = register_tap("expert");
}
+ if (proto_expert == -1) {
+ proto_expert = proto_register_protocol("Expert Info", "Expert", "expert");
+ proto_register_field_array(proto_expert, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+ proto_set_cant_toggle(proto_expert);
+ }
+
highest_severity = 0;
}
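Review bot: The hf[] array in expert_init() registers only expert.group and expert.severity, so the message text that the later hunk formats into the "Expert Info (%s/%s): %s" label is shown in the tree but has no field of its own and cannot be matched by a display filter. Consider registering a string field for it (an FT_STRING entry; a name such as expert.message is my suggestion, not something in this patch) and adding it under ett_subexpert next to severity and group. Separately, the registration is guarded by proto_expert == -1 inside a function that also resets highest_severity; if expert_init() is called more than once, a short comment explaining why the protocol is registered here rather than in a one-time registration routine would help the next reader.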
@@ -108,6 +134,9 @@
int ret; /*tmp return value */
char formatted[300];
expert_info_t *ei;
+ proto_tree *tree;
+ proto_item *ti;
+ proto_tree *expert_tree;
/* if this packet isn't loaded because of a read filter, don't output anything */
@@ -132,9 +161,19 @@
ei->summary = ep_strdup(formatted);
ei->pitem = NULL;
+ tree = proto_item_add_subtree(pi, ett_expert);
+ ti = proto_tree_add_protocol_format(tree, proto_expert, NULL, 0, 0, "Expert Info (%s/%s): %s",
+ val_to_str(severity, expert_severity_vals, "?%u?"),
+ val_to_str(group, expert_group_vals, "?%u?"),
+ formatted);
+
+ expert_tree = proto_item_add_subtree(ti, ett_subexpert);
+ proto_tree_add_uint(expert_tree, hf_expert_severity, NULL, 0, 0, severity);
+ proto_tree_add_uint(expert_tree, hf_expert_group, NULL, 0, 0, group);
+
/* if we have a proto_item (not a faked item), set expert attributes to it */
if(pi != NULL && pi->finfo != NULL) {
- ei->pitem = pi;
+ ei->pitem = pi;
expert_set_item_flags(pi, group, severity);
}
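Review bot: The new proto_item_add_subtree(pi, ett_expert) call and the proto_tree_add_* calls that follow it run before the existing "if(pi != NULL && pi->finfo != NULL)" check, whose comment says pi can be a faked item. Either move the tree-building inside that check, or confirm and document that each of these calls is safe when pi is NULL or faked (and when tree and ti are NULL as a result). Calling proto_item_add_subtree() on the caller's pi with ett_expert also deserves a comment saying what happens if pi already has a subtree of the dissector's own. The "- ei->pitem = pi;" / "+ ei->pitem = pi;" pair looks like a whitespace-only change and can be dropped from the patch.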