I have been implementing some extra categories in the severity and group level
to help categorize events that happen in packet captures in my local wireshark
source tree.
For example, I've added PI_UNEXPECTED, PI_DEGRADED, PI_FAIL, and PI_FATAL, and
added PI_INTEGRITY and PI_OPERATION to the g
e);
Receive_Frequency(label, value);
if () {
expert_add_info(pinfo, ti, &ei_);
}
However, since it's processor intensive and error prone to convert to a
string only to parse the string back to floating point, you'd probably be
better off retrieving the uint64_t value and pass
I have a question whether I can get the dissected string of the BASE_CUSTOM
header field so that I can do analysis on it and convert it to floating point
to do range analysis so I can issue an expert info if the value is valid but
out of range.
{
&hf_Receive_Frequency,
{
ll(label_str, bitfield_byte_length, hfinfo, out);
}
}
That should get someone in the ballpark if there's interest in pursuing this
feature further. I'm sure there's more stuff that could be tweaked, but this
works for me at the moment.
Thanks,
John D.
I've recently been doing a lot of enums that have multiple illegal values, and
the illegal value shouldn't be displayed as "Unknown" as it's hard coded in
proto.c (in 3.6.x).
Any chance you could go for an attribute to signal that -1 can be used as the
name of the fall-through text if defined?
>
>On Nov 20, 2020, at 11:02 AM, John Dill wrote:
>
>> Not exactly. What I'm looking to do is to merge our existing 1553 capture
>> C code and wireshark capture code (inspired from tshark or dumpcap) into
>> the same application.
>>
>From: Graham Bloice
>To: Developer support list for Wireshark
>Subject: Re: [Wireshark-dev] wireshark capture/filtering question
>On Fri, 20 Nov 2020 at 14:49, John Dill wrote:
I've had some recent discussions about adding some network capture to our
avionics data capture dashboard program. Currently, the architecture uses a
Java program as the GUI and a TCP socket interface for playback/record control
and data with a C program capturing 1553 data. The C program has
>Message: 2
>Date: Mon, 2 Nov 2020 16:04:21 +
>From: Graham Bloice
>To: Developer support list for Wireshark
>Subject: Re: [Wireshark-dev] Building Wireshark 3.4.0 documentation on
>Windows
>On Mon, 2 Nov 2020 at 15:
I've been unable to build the NSIS package for Wireshark 3.0 and one of the
issues that I've traced it down to is the following:
3>CUSTOMBUILD : warning : failed to load external entity "custom_layer_chm.xsl"
[C:\Users\dillja\Desktop\wsbuild64\docbook\user_guide_chm.vcxproj]
cannot parse custom
to get me past the previous error about FIPS.
Thanks,
John D.
From: John Dill
Sent: Tuesday, March 5, 2019 12:40 PM
To: Developer support list for Wireshark
Subject: Windows Platform FIPS error?
Trying to build 3.0 on Windows 10, x64 for first time. Ran into this error.
Not sure what the proper fix is, has anyone run into this yet? Could be
something driven by an IA issue since I'm not the master of my machine.
Thanks, John D.
---
C:\Users\dillja\Desktop\wsbuild64>cmake -G "Visual
forums. Maybe there's a quirk
between Cygwin vs Chocolatey install environment
or versions being used, or maybe something else.
Any ideas?
Thanks,
John D.
From: John Dill
Sent: Tuesday, October 2, 2018 5:55 PM
To: Gerald Combs; Developer support list
Ack, should have typed
@echo off
C:\cygwin64\bin\ruby.exe /bin/asciidoctor %*
for asciidoctor.bat
>From: Gerald Combs
>Sent: Tuesday, October 2, 2018 3:39 PM
>To: John Dill; Developer support list for Wireshark
>Subject: Re: [Wireshark-dev] Attempted to build NSIS installer for 2.6.3
>
>What do `file /bin/asciidoctor` and `head -n1 /bin/asciidoctor` (assuming that
>c:
program.
Any ideas why this execute_process CMake command isn't working?
Thanks,
John D.
From: John Dill
Sent: Tuesday, October 2, 2018 11:26 AM
To: Gerald Combs; Developer support list for Wireshark
Cc: graham.blo...@trihedral.com
Subject: Re: [Wireshark-dev] Attempted to
>From: Gerald Combs
>Sent: Monday, October 1, 2018 3:30 PM
>To: Developer support list for Wireshark; John Dill
>Subject: Re: [Wireshark-dev] Attempted to build NSIS installer for 2.6.3
>
>On 10/1/18 10:57 AM, John Dill wrote:
>> I'm trying to build an installer f
I'm trying to build an installer for Wireshark 2.6.3 on Windows using NSIS and
I'm getting the following when I run
msbuild /m /p:Configuration=RelWithDebInfo nsis_package.vcxproj
Here are the commands I used beforehand:
set CYGWIN=nodosfilewarning
set WIRESHARK_LIB_DIR=C:\Wireshark-win64-libs-
ector that implements a "pino"? I
read the README.dissector
section 2.9, but it wasn't enough description for me to grok it enough to know
how to implement one.
>Date: Wed, 25 Oct 2017 14:29:14 -0700
>From: Guy Harris
>To: Developer support list for Wireshark
>Subj
I just happened to turn on console printing to troubleshoot a different problem
and I'm getting a couple of interesting messages when I change my protocol
preferences.
Duplicate dissectors (anonymous) and (anonymous) for protocol xxx in dissector
table tcp.port
Protocol is already registere
I'm trying to run a Wireshark installer I build from Qt 5.8.0, 32-bit, for
Wireshark 2.4.1 on a Windows 10 machine with Visual Studio 2015. It runs fine
when I execute run\RelWithDebInfo\Wireshark.exe on my local computer. The
installer needs to run on Vista 32-bit (lab computer) and the insta
's Guide Section 2.2 Win32/64: Step-by-Step
>>Guide<https://www.wireshark.org/docs/wsdg_html_chunked/ChSetupWin32.html>
>
>Christopher Lusardi
>Engility Corporation
>43880 Commerce Avenue
>Hollywood, MD 20636
>301-373-9340 Ext.290
I actually work at Pax River, so
>Message: 1
>Date: Mon, 18 Sep 2017 22:25:09 +0200
>From: Jaap Keuter
>To: Developer support list for Wireshark
>Subject: Re: [Wireshark-dev] causes for losing COL_PROTOCOL or
> COL_INFO data
>Message-ID: <88d2443f-e363-4811-a5dc-c2bb18f2c...@xs4all.nl>
>Message: 1
>Date: Sat, 16 Sep 2017 13:38:31 +0100
>From: Peter Wu
>To: John Dill ,
>"wireshark-dev@wireshark.org"
>Subject: Re: [Wireshark-dev] causes for losing COL_PROTOCOL or
>COL_INFO data
>Message-ID: <288553dc-6272-4581-a5e5-15b933be7.
I'm setting the column fields and they appear to be set fine when I first open
Wireshark, but when I apply a packet filter, I lose information from the fields
even though it appears that I'm still calling the same col_* functions in the
dissection. Then when I remove the filter expression, and
how to modify the source enough to see if I can make it work for
this use case. I already have a modified Wireshark repo for some minor
extensions already (BASE_SUPPRESS_BITFIELD to turn off those bitfield displays
for certain bitfields, and I have a "wor
stly, it'd be easier putting the units in the header field definition instead
of having a separate table of header field -> unit_name_string for these
FT_STRING types and doing the checking/formatting myself.
Does this idea seem compatible with proto.c?
Thanks,
John Dill
t who also does Wireshark
development. I believe we're getting Cisco stuff, but I'm not at management
level, so I don't really know what's coming down the pike yet.
Thanks for any suggestions,
John Dill
e much headway into applying a scale factor
usefully. I can kind of get the display working, but I've no clue how to
handle the filtering, e.g. if I convert the display to degrees, but the raw
data is in radians, I can't figure out how to
>Message: 1
>Date: Fri, 5 Aug 2016 14:47:59 +0100
>From: Graham Bloice
>To: Developer support list for Wireshark
>Subject: Re: [Wireshark-dev] dissecting TCP packets with multiple PDUs
>
>>On 5 August 2016 at 14:08, John Dill wrote:
>>
>> I have a TCP protoc
I have a TCP protocol that sends multiple PDUs. So far, my dissector seems to
handle the cases where one PDU is split across multiple frames, and when
multiple PDUs are dissected in one frame. Unfortunately, I'm having issues
where the TCP dissection stops if I have multiple PDUs that are spli
>Message: 3
>Date: Tue, 1 Sep 2015 09:45:14 -0400
>From: Hadriel Kaplan
>To: Developer support list for Wireshark
>Subject: Re: [Wireshark-dev] Trying to submit a patch
>I just tried pushing with https, and it works. But of course
I have finally got the time to port my changes to proto.h/proto.c over to the
master-1.12 version of wireshark and I'm getting stuck trying to submit a patch
for review.
I was not able to clone using the ssh method to download the latest git repo,
but I was able to clone using the https link.
>On May 8, 2015, at 7:06 AM, "John Dill" wrote:
>
>>> Message: 3
>>> Date: Thu, 7 May 2015 11:29:22 -0700
>>> From: Guy Harris
>>> To: Developer support list for Wireshark
>>> Subject: Re: [Wireshark-dev] proto.h extension
>Message: 3
>Date: Thu, 7 May 2015 11:29:22 -0700
>From: Guy Harris
>To: Developer support list for Wireshark
>Subject: Re: [Wireshark-dev] proto.h extension
>On May 7, 2015, at 8:13 AM, "John Dill&
>Message: 2
>Date: Thu, 7 May 2015 17:58:46 + (UTC)
>From: Christopher Maynard
>To: wireshark-dev@wireshark.org
>Subject: Re: [Wireshark-dev] proto.h extension
>John Dill writes:
>
>> On a unrela
I have a couple of extensions that I created for the Wireshark baseline that
we're using (1.10.x). The diffs to proto.h and proto.c show the code changes
to add a couple of features that I've found useful, unit strings and hiding the
bits for bitmask header fields.
http://codepad.org/KTGdEL1t
>On 10 December 2014 at 18:53, John Dill wrote:
>
>>
>> >Message: 3
>> >Date: Wed, 10 Dec 2014 11:08:25 -0700
>> >From: Stephen Fisher
>> >To: Developer support list for Wireshark
>> >Subject: Re: [Wireshark-dev] Wha
>On Wed, Dec 10, 2014 at 12:51:23PM -0500, John Dill wrote:
>
>> So what restrictions are there when you have a Wireshark plugin that
>> contains proprietary information (which can be of the do not export
>> variety) from the govt or cust
>Message: 2
>Date: Wed, 10 Dec 2014 15:13:08 +
>From: Anders Broman
>To: Developer support list for Wireshark
>Subject: Re: [Wireshark-dev] What Wireshark base version to use for
> customization
>Message-ID:
> <43c5658ba3fb7b48a6f38eed0b6253f11aa7c...@esessmb105.ericsson.se>
>On Jul 21, 2014, at 1:46 PM, "John Dill" wrote:
>
>> I have a TCP message (that I reverse engineered) that contains blocks of the
>> following type:
>>
>> -
>> | Data Type | 4 bytes
>>
apting its example to my scenario.
Can someone point me to a dissector that already implements something similar
to what I need, or give a simple loop on how to get the dissector to do what I
want?
Thanks,
John Dill
ee_set_representation_value' so that I can just use
'proto_tree_add_item' and be done with it.
Or perhaps I missed something completely obvious. Any
suggestions?
Thanks,
John Dill
of the packet is
considered proprietary. In that sense, developing and releasing
the protocol dissector as a plugin allows one to control the
code distribution without the need to maintain a fork of Wireshark.
For development purpo
TH,
get_xyz_pdu_len, dissect_xyz_tcp_pdu);
}
}
\endcode
In this scenario, if desegment is on, I get the protocol messages; if
it's off, it looks like unadorned TCP messages.
I'm just wondering what kind of expectations there are for TCP based
application l
conversations require fragments to be assembled. Can
someone offer some advice on how to structure the dissector registration
so that I can handle the TCP messages in this scenario. Is there a
dissector already developed that kind of matches this scenario that
I can glean some ideas from?
Thanks,
'd eventually get around to adapting it for the latest wireshark, but
it's kind of out of my scope of work at this time, so I don't know
when exactly that I'd get to it. And trying to add a scale factor may
change things since I need to merge that in and it'll probably en
he FT_FLOAT and FT_DOUBLE types should be as simple as adding the unit
string after the value in 'proto_custom_set' and 'proto_item_fill_label'.
It appears that some error condition checking happens in 'tmp_fld_check_assert'.
If I detect a bad combination of
>On Apr 9, 2014, at 11:01 AM, "John Dill" wrote
>(in a font that gets rendered as rather small characters in my mail reader -
> you might want to use larger type to help out those of us with aging eyes):
>
>>I have a common use case (hundr
>On Apr 9, 2014, at 2:06 PM, "John Dill" wrote:
>
>>I have several character data fields that happen to contain sections of
>>non-ascii binary data including nul characters. I'd like to get
, but each of the digits may use
1-4 bits, and there may be implicit offsets and different scaling factors for
each component in the data in the calculation itself, like adding an implicit
100 MHz to the frequency (as there is no 100 MHz digit to begin with).
Best regards,
John Dill
>Regards
ing label ends at the first nul character. I do not want
FT_BYTES because the characters themselves are the important data in the field.
Thanks,
John Dill
on to be able to search on
a header field whose condition assumes that the scaling factor has been
applied, i.e., the data is an integer and has a scaling factor of .25 and you
want to filter its value using a floating point value (probably quite difficult
I'm guessing)?
Thanks for any co
>> On Apr 4, 2014, at 10:43 AM, John Dill wrote:
>>
>> The Filter Expression dialog is the best place in Wireshark to locate the
>> data elements they are looking for, so it was mentioned as a "nice to have".
>Oh well if it's just the
>Message: 2
>Date: Fri, 4 Apr 2014 10:19:52 -0400
>From: Hadriel Kaplan
>To: Developer support list for Wireshark
>Subject: Re: [Wireshark-dev] overriding dissector for port 8080
>On Apr 4, 2014, a
>On 04/03/14 10:26, John Dill wrote:
>>
>> I have network traffic that uses TCP port 8080 for sending non-http data
>> (on a private network with its own custom application layer on top of
>> TCP and UDP). Is there a recommendation for how to override or
that could be used to hide protocols I
don't need in the Filter Expression (to reduce the list to simplify the
interface to users)?
Thanks,
John Dill
>Message: 1
>Date: Fri, 21 Feb 2014 11:42:33 -0800
>From: Guy Harris
>To: Developer support list for Wireshark
>Subject: Re: [Wireshark-dev] displaying header field without filtering
>On Feb 21, 2014,
ression dialog, as they are not data of interest to
engineers and there are a ton of unused or Spare data elements.
I can use proto_tree_add_text to do what I need manually, but it's
not as centralized and it seems in general not recommended for
>Message: 5
>Date: Thu, 20 Feb 2014 12:33:04 -0800
>From: Guy Harris
>To: Developer support list for Wireshark
>Subject: Re: [Wireshark-dev] displaying header field without filtering
>On Feb 20, 2014
>Message: 2
>Date: Wed, 19 Feb 2014 19:03:57 -0500
>From: Evan Huus
>To: Developer support list for Wireshark
>Subject: Re: [Wireshark-dev] displaying header field without filtering
>On Wed, Feb
n the plugin to visualize these Spare bytes or not.
I was able to do something like the following that seems to do what I want.
proto_tree_add_text(tree, tvb, offset + 1, 1, "Spare: 0x%02x",
tvb_get_guint8(tvb, offset + 1));
Can you explain in more detail why this is "strongly recom
see something about PROTO_ITEM_SET_HIDDEN, but it
doesn't look like it applies.
Thanks,
John Dill
>Message: 4
>Date: Wed, 13 Nov 2013 13:44:15 -0500
>From: "John Dill"
>To:
>Subject: Re: [Wireshark-dev] Adding install target to Makefile.nmake
>On 13 November 2013 16:01, John Dill wrote:
>
>> I added an install target for my protocol dissector plugin nmake file.
>> Simplifies the tedious step of copying it to the Wireshark/plugins folder
>> during development and
There is probably a smarter way to detect the version folder, but I didn't
bother to go down that path.
Best regards,
John Dill
>Message: 6
>Date: Fri, 8 Nov 2013 23:14:28 +0530
>From: Sreejith M M
>To: wireshark-dev@wireshark.org
>Subject: [Wireshark-dev] Wireshark development setup Help
>I am trying to make a new dissector for wireshark. As part of
>Message: 1
>Date: Wed, 6 Nov 2013 13:12:04 -0800
>From: Guy Harris
>To: Developer support list for Wireshark
>Subject: Re: [Wireshark-dev] adding IRIG time and time of day
>On Nov 5, 2013, at 3:22 P
>Message: 2
>Date: Tue, 5 Nov 2013 09:19:15 -0800
>From: Guy Harris
>To: Developer support list for Wireshark
>Subject: Re: [Wireshark-dev] adding IRIG time and time of day
>> We have a CNIC-A2P3 board installed in a Compact PCI chassi
>On Nov 1, 2013, at 1:39 PM, John Dill wrote:
>
>> The timestamp is populated with a time of day starting with day 1 as Jan 1
>> 12:00:00am and wraps around at either day 365 or 366 which corresponds to
>> Dec 31, 11:59:59pm. One sli
>On Nov 2, 2013, at 4:36 PM, "John Dill" wrote:
>
>>> On Nov 1, 2013 at 2:18:04 PM, Guy Harris wrote:
>>>
>>> What is the file format? Where does it store the IRIG time stamps?
>>
>> The file is NTAR (another na
>On Nov 1, 2013, at 1:39 PM, John Dill wrote:
>
>> I just finished installing the latest version of wireshark 1.10.2 and was
>> able to build it successfully for Windows 7 using the recommended procedure
>> in the developer's guide.
>>
>> On
I just finished installing the latest version of wireshark 1.10.2 and was able
to build it successfully for Windows 7 using the recommended procedure in the
developer's guide.
One of the things that I'd like to tweak is to add an IRIG time of day to the
list of Time Display Formats.
View ->