wireshark-dev August 2010 archive

Re: [Wireshark-dev] Tshark -z proto, colinfo, dns.qry.type does not show the resolved value

From: Stephen Fisher <steve_at_nospam>
Date: Tue Aug 17 2010 - 22:45:56 GMT
To: Developer support list for Wireshark <wireshark-dev@wireshark.org>

On Tue, Aug 17, 2010 at 9:54 AM, Anders Broman <a.broman@telia.com> wrote:

> I'm getting the value but not the value_string "translation"

The function protocolinfo_packet() in tap-protocolinfo.c calls
proto_construct_match_selected_string() in epan/proto.c and displays
its result. According to the comment above that function, "This
function indicates whether it's possible to construct a "match
selected" display filter string for the specified field, returns an
indication of whether it's possible, and, if it's possible and
"filter" is non-null, constructs the filter and sets "*filter" to
point to it."

So the reason that the translation doesn't show up is how that
function works, which I assume is the same function that is used to
build a display filter when right-clicking on an item in the proto
tree and choosing Apply As Filter. The result is a display filter of
"dns.qry.type == 0x000c" even though "dns.qry.type == ptr" would work
too. I've often thought that it would be nice, at least in some
cases, for it to use the value string's text instead of the numerical
value in the display filter. However, I'm not sure how well that
would work with multiple word strings.

The best solution may be to use a different function, or add a
parameter to that function as to whether it should be translated to the
text value from the value string.
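
The idea in the message above, sketched as an added example that is not Wireshark code and not part of the original post: a filter builder with a flag selecting the value-string text, falling back to the numeric form when the text is missing or contains a space. build_filter(), lookup() and the sample table are hypothetical; only the value/strptr layout mirrors Wireshark's value_string.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same shape as Wireshark's value_string: a number and its display text. */
typedef struct { uint32_t value; const char *strptr; } value_string;

/* Constructed sample table; 12 (0x000c) is the DNS PTR type, and the
 * 0xfff0 entry is invented to exercise the multi-word case. */
static const value_string dns_types[] = {
    { 1, "A" }, { 12, "PTR" }, { 0xfff0, "Two Words" }, { 0, NULL }
};

/* Return the text for val, or NULL when the table has no entry. */
static const char *lookup(const value_string *vs, uint32_t val)
{
    for (; vs->strptr != NULL; vs++)
        if (vs->value == val) return vs->strptr;
    return NULL;
}

/* Hypothetical helper: build "<field> == <value>". With use_text set, the
 * value-string text is used (lowercased, as in the "ptr" example in the
 * message) unless it is missing or contains a space; then the numeric
 * form is kept. Returns 0 on success, -1 if out is too small. */
static int build_filter(char *out, size_t len, const char *field, uint32_t val,
                        const value_string *vs, int use_text)
{
    const char *txt = use_text ? lookup(vs, val) : NULL;
    int n;
    if (txt != NULL && strchr(txt, ' ') == NULL) {
        n = snprintf(out, len, "%s == %s", field, txt);
        if (n < 0 || (size_t)n >= len) return -1;
        /* Lowercase only the value part, which starts after " == ". */
        for (char *p = out + strlen(field) + 4; *p; p++)
            *p = (char)tolower((unsigned char)*p);
        return 0;
    }
    n = snprintf(out, len, "%s == 0x%04x", field, (unsigned)val);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    char buf[64];
    if (build_filter(buf, sizeof buf, "dns.qry.type", 12, dns_types, 0) == 0) puts(buf);
    if (build_filter(buf, sizeof buf, "dns.qry.type", 12, dns_types, 1) == 0) puts(buf);
    if (build_filter(buf, sizeof buf, "dns.qry.type", 0xfff0, dns_types, 1) == 0) puts(buf);
    return 0;
}
```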