Wireshark-users: Re: [Wireshark-users] Dissecting packet details field by field
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 14 Jul 2017 16:19:27 -0700
(Redirecting to the developer list, as per Jeff Morriss's suggestion; it's the right place for questions about the Wireshark code base.  CCing wireshark-users in case you're not subscribed to wireshark-dev - if you're not, you should subscribe.)

On Jul 14, 2017, at 5:38 AM, David Schaeffer <david.schaeffer2@xxxxxxxxx> wrote:

>> On Wed, Jul 12, 2017 at 1:42 PM, David Schaeffer <david.schaeffer2@xxxxxxxxx> wrote:
>> 
>>> I'm currently working on pulling specific data from a packet once they've
>>> clicked on some packet detail. For example, if the user clicks on a bit
>>> code in the packet body, I want to also pull the source IP address of that
>>> packet. Is there a way to search the packet body by field name or pulling
>>> the packet details into an object of some sort to parse this information?
>>> Thanks for any assistance you can offer in this matter.
>> 
>> Can you give a bit more context?  I assume that this is the context of
>> writing a protocol dissector?  What are you planning to do with, for
>> example, the IP address?
> 
> Sure. So the goal of this is to allow us to graph bit codes from a packet that has already been dissected by a custom packet dissector. We're making it so a user can right-click on the bit code they would like to graph, select graph, and it'll bring up the IOGraph with that data, 0 or 1.

So you'd right click on a particular field in the protocol details pane, get a menu with "Graph" as one of the items, and it'd pop up an I/O graph for that field?

There's currently no mechanism for that in Wireshark, but it might be a useful *general* addition to Wireshark.

> The problem is we have multiple PLCs sending the same bit codes so just grabbing a filter for solely the bit code doesn't work, as it pulls from every PLC.
> I need to grab the IP address with it to track the specific bit code from that specific PLC.

*That* would require adding the ability to register a per-field callback, with the default being one that causes a "standard" I/O graph to be popped up, and with your dissector specifying a callback grabbing the IP address and the value of the bit code.  That might call the "draw an I/O graph" code with another callback specified; that callback would indicate whether to use the packet or not.
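One way to get the per-PLC series today, without the per-field callback described above, as an added example that is not part of this thread or of Wireshark: post-process a tshark field export (`tshark -T fields -e frame.time_relative -e ip.src -e <your field>`) so that each source IP gets its own bit-code series bucketed on the I/O graph interval. The field name `plc.bitcode` and the sample rows are constructed placeholders.

```python
"""Bucket a dissected bit-code field into per-PLC series.

Added example, not code from this thread or from Wireshark: it reads a
tshark field export (tshark -T fields -e frame.time_relative -e ip.src
-e plc.bitcode) and keys the bit code by source IP, so PLCs that send
the same code are no longer merged into one filter. 'plc.bitcode' and
the rows below are constructed placeholders."""
from collections import defaultdict

# Constructed tab-separated tshark output: relative time, source IP,
# value of the custom field (empty when the packet has no such field).
SAMPLE = """\
0.000\t10.0.0.11\t1
0.400\t10.0.0.12\t0
0.800\t10.0.0.13\t
1.200\t10.0.0.11\t0
1.900\t10.0.0.12\t1
2.100\t10.0.0.11\t1
2.500\t10.0.0.11\t1
3.700\t10.0.0.12\t0
"""

def parse_fields(text):
    """Yield (time, src_ip, value); rows without the custom field are
    skipped, since tshark emits an empty column for such packets."""
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 3 or cols[2] == "":
            continue
        yield float(cols[0]), cols[1], int(cols[2])

def io_series(rows, interval=1.0):
    """Return {src_ip: {bucket: [values]}}, one series per PLC, with the
    bucket index chosen like an I/O graph interval in seconds."""
    series = defaultdict(lambda: defaultdict(list))
    for t, ip, value in rows:
        series[ip][int(t // interval)].append(value)
    return series

def last_value_per_bucket(series, buckets):
    """Flatten to {src_ip: [value per bucket]} using the last sample seen
    in each interval; None marks an interval with no packet from that PLC."""
    return {ip: [b[i][-1] if i in b else None for i in range(buckets)]
            for ip, b in series.items()}

if __name__ == "__main__":
    flat = last_value_per_bucket(io_series(parse_fields(SAMPLE)), 4)
    for ip, values in sorted(flat.items()):
        print(ip, values)
```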