Re: [Wireshark-dev] Mentioning encapsulation type in Protocol column
On 03/13/12 23:07, Martin Kaiser wrote:
> Hi Lori and all,
>
> Thus wrote Lori Jakab (lja...@ac.upc.edu):
>
>> AFAIK, currently the protocol displayed in the Protocol column of
>> Wireshark is that of the last dissector called on the packet. This makes
>> it difficult to distinguish among packets with or without some type of
>> encapsulation, unless filtering is employed. That is, a "regular" ICMP
>> packet and a GRE encapsulated ICMP packet are both simply listed as ICMP.
>> It would be a great feature to be able to see at a glance, when
>> monitoring all traffic (especially with tshark), which packets are GRE
>> or LISP (or any other encapsulating header) encapsulated. So, with the
>> example above, instead of showing just ICMP, the Protocol field would
>> display ICMP/GRE or ICMP/LISP.
>> Is this possible with the current API?
> probably not in the protocol column. Most (if not all) dissectors call
> col_set_str(pinfo->cinfo, COL_PROTOCOL, "my protocol"); and clear the
> previous content.
>
> I just tried defining a custom column as follows
> - select any packet
> - open "Frame" in the tree
> - select "Protocols in Frame"
> - right click, "Apply as column"
>
> That'll give you a colon-separated list of protocols in the column.
> Hopefully, that's what you need.

Thanks Martin, I didn't know about this, and it is certainly helpful, but a bit too verbose. Ideally I would only like to see the last protocol (as it is now) + the encapsulation protocol, if there is one. I take this is not possible right now.

Would it be possible to enable protocols to define themselves as tunneling/encapsulating protocols, and change the implementation to take this into account? Wireshark could add its string after the one set in the Protocol column, for PDUs found after parsing said protocol type.

Regards,
-Lori
___
Sent via:    Wireshark-dev mailing list
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] Mentioning encapsulation type in Protocol column
Hi Lori and all,

Thus wrote Lori Jakab (lja...@ac.upc.edu):

> AFAIK, currently the protocol displayed in the Protocol column of
> Wireshark is that of the last dissector called on the packet. This makes
> it difficult to distinguish among packets with or without some type of
> encapsulation, unless filtering is employed. That is, a "regular" ICMP
> packet and a GRE encapsulated ICMP packet are both simply listed as ICMP.
> It would be a great feature to be able to see at a glance, when
> monitoring all traffic (especially with tshark), which packets are GRE
> or LISP (or any other encapsulating header) encapsulated. So, with the
> example above, instead of showing just ICMP, the Protocol field would
> display ICMP/GRE or ICMP/LISP.
> Is this possible with the current API?

probably not in the protocol column. Most (if not all) dissectors call
col_set_str(pinfo->cinfo, COL_PROTOCOL, "my protocol"); and clear the
previous content.

I just tried defining a custom column as follows
- select any packet
- open "Frame" in the tree
- select "Protocols in Frame"
- right click, "Apply as column"

That'll give you a colon-separated list of protocols in the column.
Hopefully, that's what you need.

Best regards,

Martin
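The colon-separated "Protocols in Frame" list from the message above is the `frame.protocols` field, so it can be condensed outside Wireshark into the `ICMP/GRE` style label asked for in this thread. The following is an added example, not part of the thread or of Wireshark's code; the `TUNNELS` and `GLUE` sets and the sample lines are assumptions constructed for illustration, and it generalizes to nested tunnels.

```python
# Added example: condense tshark's frame.protocols into "INNER/TUNNEL" labels.
# Input lines are assumed to come from:
#   tshark -r capture.pcap -T fields -e frame.number -e frame.protocols
# TUNNELS and GLUE are assumptions; extend them for the traffic you monitor.

# Filter name of an encapsulating protocol -> label to show (assumed set).
TUNNELS = {"gre": "GRE", "lisp-data": "LISP", "vxlan": "VXLAN",
           "gtp": "GTP", "l2tp": "L2TP"}
# Entries that are not what the Protocol column would normally show.
GLUE = {"data", "ethertype"}


def condensed_label(frame_protocols):
    """Return the last protocol plus any tunnels below it, innermost first."""
    layers = [p for p in frame_protocols.strip().split(":") if p]
    if not layers:
        return "?"
    idx = len(layers) - 1
    while idx > 0 and layers[idx] in GLUE:
        idx -= 1  # skip trailing payload/glue entries such as "data"
    last = layers[idx]
    tunnels = [TUNNELS[p] for p in reversed(layers[:idx]) if p in TUNNELS]
    return "/".join([TUNNELS.get(last, last.upper())] + tunnels)


def label_lines(lines):
    """Parse 'frame.number<TAB>frame.protocols' lines into (number, label)."""
    out = []
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        number, _, protos = line.partition("\t")
        out.append((int(number), condensed_label(protos)))
    return out


# Constructed sample output, not taken from a real capture.
SAMPLE = [
    "1\teth:ethertype:ip:icmp:data",
    "2\teth:ethertype:ip:gre:ip:icmp:data",
    "3\teth:ethertype:ip:udp:lisp-data:ip:icmp:data",
    "4\teth:ethertype:ip:gre",
]

if __name__ == "__main__":
    for number, label in label_lines(SAMPLE):
        print(f"{number:>4}  {label}")
```

A frame whose last layer is itself a tunnel header (frame 4 in the sample) is labelled with that tunnel alone, so bare GRE or LISP packets remain distinguishable from encapsulated traffic.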
[Wireshark-dev] Mentioning encapsulation type in Protocol column
Hi,

AFAIK, currently the protocol displayed in the Protocol column of Wireshark is that of the last dissector called on the packet. This makes it difficult to distinguish among packets with or without some type of encapsulation, unless filtering is employed. That is, a "regular" ICMP packet and a GRE encapsulated ICMP packet are both simply listed as ICMP.

It would be a great feature to be able to see at a glance, when monitoring all traffic (especially with tshark), which packets are GRE or LISP (or any other encapsulating header) encapsulated. So, with the example above, instead of showing just ICMP, the Protocol field would display ICMP/GRE or ICMP/LISP.

Is this possible with the current API? I couldn't find a way to do this. If not, would it be easy to implement? And if there is no interest among the main developers to provide this feature, would a patch implementing this be accepted? Would someone mentor work on such a patch?

Thanks,
-Lori Jakab
author of the LISP dissector