Wireshark-dev: Re: [Wireshark-dev] Wireshark-Dev
From: David Schaeffer <david.schaeffer2@xxxxxxxxx>
Date: Sat, 15 Jul 2017 08:19:29 -0400
 
----------------------------------------------------------------------

Message: 1
Date: Fri, 14 Jul 2017 08:38:25 -0400
From: David Schaeffer <david.schaeffer2@xxxxxxxxx>
To: wireshark-users@xxxxxxxxxxxxx
Subject: Re: [Wireshark-users] Digest, Vol 134, Issue 2
Message-ID:
        <CAFiRLmkJF-QhoidGpSD8Bh3QsRAR+OuC4croborjo1RDobsdWg@xxxxxxxail.com>
Content-Type: text/plain; charset="utf-8"

>
>
> On Wed, Jul 12, 2017 at 1:42 PM, David Schaeffer <
> david.schaeffer2@xxxxxxxxx
> > wrote:
>
> > Hi folks.
> >
> > I'm currently working on pulling specific data from a packet once they've
> > clicked on some packet detail. For example, if the user clicks on a bit
> > code in the packet body, I want to also pull the source IP address of
> that
> > packet. Is there a way to search the packet body by field name or pulling
> > the packet details into an object of some sort to parse this information?
> > Thanks for any assistance you can offer in this matter.
> >
>
> Can you give a bit more context?  I assume that this is the context of
> writing a protocol dissector?  What are you planning to do with, for
> example, the IP address?
> ***********************************************
>
Sure. So the goal of this is to allow us to graph bit codes from a packet
that has already been dissected by a custom packet dissector. We're making it
so a user can right-click on the bit code they would like to graph, select
graph, and it'll bring up the IOGraph with that data, 0 or 1. The problem
is we have multiple PLCs sending the same bit codes so just grabbing a
filter for solely the bit code doesn't work, as it pulls from every PLC. I
need to grab the IP address with it to track the specific bit code from
that specific PLC.

Currently, I've been abusing the clipboard and copy functions built in to
grab the filter for the field selected but as mentioned, it pulls every PLC
status. I'd like to grab whatever the user clicked on AND the source IP
address of said PLC while still keeping the code as generalized as possible
to push back to main. If there was some way to say ipaddress =
Foo.getFieldByName(sourceIP) or something along those lines, that would
resolve my issue.

I'm a junior dev, so it is quite possible I'm missing something obvious.
This is a large code base and my first experience with one as such.



Regards,

Dave

------------------------------

Message: 2
Date: Fri, 14 Jul 2017 15:19:34 -0400
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
To: Community support list for Wireshark
        <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Digest, Vol 134, Issue 2
Message-ID:
        <CAKkq+FZc7+CjmJNb=UWWASkO6gsTUYjgR49pLo8RFcEDR0qzXg@xxxxxxxail.com>
Content-Type: text/plain; charset="utf-8"

On Fri, Jul 14, 2017 at 8:38 AM, David Schaeffer <david.schaeffer2@xxxxxxxxx
> wrote:

>
>> On Wed, Jul 12, 2017 at 1:42 PM, David Schaeffer <
>> david.schaeffer2@xxxxxxxxx
>> > wrote:
>>
>> > Hi folks.
>> >
>> > I'm currently working on pulling specific data from a packet once
>> they've
>> > clicked on some packet detail. For example, if the user clicks on a bit
>> > code in the packet body, I want to also pull the source IP address of
>> that
>> > packet. Is there a way to search the packet body by field name or
>> pulling
>> > the packet details into an object of some sort to parse this
>> information?
>> > Thanks for any assistance you can offer in this matter.
>> >
>>
>> Can you give a bit more context?  I assume that this is the context of
>> writing a protocol dissector?  What are you planning to do with, for
>> example, the IP address?
>> ***********************************************
>>
> Sure. So the goal of this is to allow us to graph bit codes from a packet
> that has already been dissected by a custom packet dissector. We're making it
> so a user can right-click on the bit code they would like to graph, select
> graph, and it'll bring up the IOGraph with that data, 0 or 1. The problem
> is we have multiple PLCs sending the same bit codes so just grabbing a
> filter for solely the bit code doesn't work, as it pulls from every PLC. I
> need to grab the IP address with it to track the specific bit code from
> that specific PLC.
>
> Currently, I've been abusing the clipboard and copy functions built in to
> grab the filter for the field selected but as mentioned, it pulls every PLC
> status. I'd like to grab whatever the user clicked on AND the source IP
> address of said PLC while still keeping the code as generalized as possible
> to push back to main. If there was some way to say ipaddress =
> Foo.getFieldByName(sourceIP) or something along those lines, that would
> resolve my issue.
>
> I'm a junior dev, so it is quite possible I'm missing something obvious.
> This is a large code base and my first experience with one as such.
>

[Just a side note: development questions are probably better sent to the
-dev list.]

Sounds like `pinfo->src` would work for you--i.e., it sounds like you
probably have access to `pinfo` where you are so you can pull the IP
address from there.
------------------------------

Message: 3
Date: Fri, 14 Jul 2017 16:19:27 -0700
From: Guy Harris <guy@xxxxxxxxxxxx>
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Cc: Community support list for Wireshark
        <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Dissecting packet details field by
        field
Message-ID: <7973D44C-55F2-47AC-B243-BE7A3661DBBA@xxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

(Redirecting to the developer list, as per Jeff Morriss's suggestion; it's the right place for questions about the Wireshark code base.  CCing wireshark-users in case you're not subscribed to wireshark-dev - if you're not, you should subscribe.)

On Jul 14, 2017, at 5:38 AM, David Schaeffer <david.schaeffer2@xxxxxxxxx> wrote:

>> On Wed, Jul 12, 2017 at 1:42 PM, David Schaeffer <david.schaeffer2@xxxxxxxxx wrote:
>>
>>> I'm currently working on pulling specific data from a packet once they've
>>> clicked on some packet detail. For example, if the user clicks on a bit
>>> code in the packet body, I want to also pull the source IP address of that
>>> packet. Is there a way to search the packet body by field name or pulling
>>> the packet details into an object of some sort to parse this information?
>>> Thanks for any assistance you can offer in this matter.
>>
>> Can you give a bit more context?  I assume that this is the context of
>> writing a protocol dissector?  What are you planning to do with, for
>> example, the IP address?
>
> Sure. So the goal of this is to allow us to graph bit codes from a packet that has already been dissected by a custom packet dissector. We're making it so a user can right-click on the bit code they would like to graph, select graph, and it'll bring up the IOGraph with that data, 0 or 1.

So you'd right click on a particular field in the protocol details pane, get a menu with "Graph" as one of the items, and it'd pop up an I/O graph for that field?

There's currently no mechanism for that in Wireshark, but it might be a useful *general* addition to Wireshark.

> The problem is we have multiple PLCs sending the same bit codes so just grabbing a filter for solely the bit code doesn't work, as it pulls from every PLC.
> I need to grab the IP address with it to track the specific bit code from that specific PLC.

*That* would require adding the ability to register a per-field callback, with the default being one that causes a "standard" I/O graph to be popped up, and with your dissector specifying a callback grabbing the IP address and the value of the bit code.  That might call the "draw an I/O graph" code with another callback specified; that callback would indicate whether to use the packet or not.


------------------------------

Message: 4
Date: Fri, 14 Jul 2017 20:46:08 -0700
From: Guy Harris <guy@xxxxxxxxxxxx>
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Cc: Community support list for Wireshark
        <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] [Wireshark-dev] Dissecting packet
        details field by field
Message-ID: <85E63803-4FD3-43F5-980B-2F82EC3759D6@xxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

On Jul 14, 2017, at 4:19 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

> On Jul 14, 2017, at 5:38 AM, David Schaeffer <david.schaeffer2@xxxxxxxxx> wrote:
>
>> The problem is we have multiple PLCs sending the same bit codes so just grabbing a filter for solely the bit code doesn't work, as it pulls from every PLC.
>> I need to grab the IP address with it to track the specific bit code from that specific PLC.
>
> *That* would require adding the ability to register a per-field callback, with the default being one that causes a "standard" I/O graph to be popped up, and with your dissector specifying a callback grabbing the IP address and the value of the bit code.  That might call the "draw an I/O graph" code with another callback specified; that callback would indicate whether to use the packet or not.

Or the first callback would just specify the appropriate filter to use.  That'd probably be useful for other protocols as well; perhaps making the callback per-protocol would suffice.

------------------------------


> Sounds like `pinfo->src` would work for you--i.e., it sounds like you
> probably have access to `pinfo` where you are so you can pull the IP
> address from there.

I'll have to check; this may help.

>So you'd right click on a particular field in the protocol details pane, get a menu with "Graph" as one of the items, and it'd pop up an I/O graph for that field?
>There's currently no mechanism for that in Wireshark, but it might be a useful *general* addition to Wireshark.

I actually implemented this already in my local copy of the code base. It has options for opening the default graph and graphing the selected bit code. (minus the part wher

>*That* would require adding the ability to register a per-field callback, with the default being one that causes a "standard" I/O graph to be popped up, and with your dissector specifying a callback grabbing the IP address and the value of the bit code.  That might call the "draw an I/O graph" code with another callback specified; that callback would indicate whether to use the packet or not.

I was speaking to someone else that we may have to involve the specific dissector. We are hoping to keep it generalized enough to use it for any protocol though. The common theme seems to be involving the dissector, so I think I'll just start with ours and see if I can't expand it to the rest.

Thanks for all the ideas and assistance! 



David Schaeffer
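The following is an added example, not code from this thread and not part of Wireshark. It models what Jeff Morriss's `pinfo->src` suggestion and Guy Harris's "callback that returns the appropriate filter" idea would amount to: a dissector that already holds the source address combines it with the field the user right-clicked on, so the I/O graph is pinned to one PLC rather than every PLC that sends the same bit code. The `address_x` struct, the `build_graph_filter` callback, the `myplc.bitcode` field name and the sample packets are all constructed here so the program runs outside Wireshark; in the real code base the address type lives in epan/address.h and `address_to_str()` formats it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the address struct behind pinfo->src (constructed for this
 * example; Wireshark's own definition in epan/address.h is richer). */
typedef enum { AT_NONE_X = 0, AT_IPV4_X = 1 } addr_type_x;

typedef struct {
    addr_type_x    type;   /* address family */
    int            len;    /* number of bytes in data */
    const uint8_t *data;   /* address bytes in network order */
} address_x;

/* Hypothetical per-protocol "graph" callback (the mechanism Guy Harris
 * sketches; Wireshark has no such hook).  It joins the source address the
 * dissector already has with the clicked field and its value.
 * Returns the filter length, or -1 if no safe filter can be produced. */
int build_graph_filter(const address_x *src, const char *field_abbrev,
                       unsigned field_value, char *out, size_t out_len)
{
    if (src == NULL || src->type != AT_IPV4_X || src->len != 4)
        return -1;      /* only IPv4 shown; a real callback would switch on type */
    const uint8_t *b = src->data;
    int n = snprintf(out, out_len, "ip.src == %u.%u.%u.%u && %s == %u",
                     (unsigned)b[0], (unsigned)b[1], (unsigned)b[2],
                     (unsigned)b[3], field_abbrev, field_value);
    if (n < 0 || (size_t)n >= out_len)
        return -1;      /* truncated: never hand a half-built filter to the graph */
    return n;
}

/* Constructed sample traffic: two PLCs that both raise bit code 1. */
typedef struct { uint8_t src[4]; unsigned bitcode; } sample_pkt;

static const uint8_t PLC_A[4] = {10, 0, 0, 5};
static const uint8_t PLC_B[4] = {10, 0, 0, 6};

static const sample_pkt SAMPLE[] = {
    {{10, 0, 0, 5}, 1},
    {{10, 0, 0, 6}, 1},
    {{10, 0, 0, 5}, 0},
    {{10, 0, 0, 5}, 1},
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])

/* Stand-in for the "use this packet or not" decision: the I/O graph would
 * evaluate the display filter; here its two predicates are applied directly. */
int packet_selected(const sample_pkt *p, const uint8_t src[4], unsigned bitcode)
{
    return memcmp(p->src, src, 4) == 0 && p->bitcode == bitcode;
}

/* Number of sample packets the graph would plot for one PLC and one bit code. */
int count_selected(const uint8_t src[4], unsigned bitcode)
{
    int hits = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        hits += packet_selected(&SAMPLE[i], src, bitcode);
    return hits;
}

int main(void)
{
    address_x src = { AT_IPV4_X, 4, PLC_A };
    char filter[64];
    if (build_graph_filter(&src, "myplc.bitcode", 1, filter, sizeof filter) > 0)
        printf("filter: %s\n", filter);
    printf("bit code 1 from PLC A: %d packets, from PLC B: %d packets\n",
           count_selected(PLC_A, 1), count_selected(PLC_B, 1));
    return 0;
}
```

With the sample traffic above, a filter on the bit code alone would plot three packets from two devices, while the combined filter plots only the two from PLC A. The callback refuses to return anything when the address is not IPv4 or the buffer is too small, since a truncated filter string would silently graph the wrong packets.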