Add bitfield to dissection tree

Wireshark has a limitation in the Lua API: it only supports bitfields (i.e. int fields with a mask) when they are added to a Proto by setting Proto.fields, like this:

-- create myproto protocol and its fields
p_myproto = Proto ("myproto","My Protocol")
local f_bitfield = ProtoField.uint8("myproto.bitfield", "Command", base.HEX,
  {[0]="Normal Packet", [1]="Last Packet"}, 0x40)
p_myproto.fields = {f_bitfield}

This is cumbersome if you have a large protocol with several bitfields, because you have to add all of them up front. Here's a helper function to add bitfields to the dissection tree. Its only limitation is highlighting: if you enable Bit View in the lowest (third) pane, Wireshark will highlight all the octets that contain the bitfield rather than only the bits pertaining to it.

function bitfield_add(buf, subtree, offset, size, bitfieldstart, bitfieldlen,
name, valuestring, desc, format)
    -- bitfieldstart is counted from the most significant bit of buf(offset, size)
    local val = buf(offset, size):bitfield(bitfieldstart, bitfieldlen)
    local binary=""
    local i = bitfieldlen - 1
    local intval = val

    -- build the binary string for the field, most significant bit first
    repeat
        local result = intval % 2^i
        if result ~= intval then
            binary = binary.."1"
        else
            binary = binary.."0"
        end
        intval = result
        i = i - 1
    until (i < 0)

    -- pad with dots for the bits that are not part of this field
    local dotted = string.rep(".", bitfieldstart)..binary
      ..string.rep(".", size*8-bitfieldstart-bitfieldlen)

    -- split into groups of four bits, one octet per iteration
    local chunked = ""
    for i = 0, size - 1 do
        chunked = chunked..string.sub(dotted, 8*i+1, 8*i+4)
          .." "..string.sub(dotted, 8*i+5, 8*i+8).." "
    end

    desc = chunked.." = "..desc
    if format ~= nil then
        desc = desc..": "..string.format(format, val)
    end

    if valuestring ~= nil then
        if valuestring[val] ~= nil then
            desc = desc.." ["..valuestring[val].."]"
        end
    end

    subtree:add(ProtoField.uint8(name), buf(offset, size), desc)
end
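
An added usage example (not from the original post): a minimal dissector that calls bitfield_add for two fields sharing one octet. It assumes bitfield_add is defined earlier in the same script; the header layout, the myproto.seq field name and UDP port 9999 are constructed for illustration.

```lua
-- Added example; assumes bitfield_add() from this page is defined above
-- in the same script. Header layout and port number are constructed.
local p_myproto = Proto("myproto", "My Protocol")

local cmd_names = {[0] = "Normal Packet", [1] = "Last Packet"}

function p_myproto.dissector(buf, pinfo, tree)
    -- Never index past the captured data: a truncated or malformed
    -- packet would otherwise raise a Lua error inside the dissector.
    if buf:len() < 1 then
        return 0
    end

    pinfo.cols.protocol = "MYPROTO"
    local subtree = tree:add(p_myproto, buf(0, 1))

    -- TvbRange:bitfield() counts from the most significant bit, so the
    -- mask 0x40 of a single octet is bit position 1 with length 1.
    bitfield_add(buf, subtree, 0, 1, 1, 1,
        "myproto.command", cmd_names, "Command", "0x%x")

    -- The six low-order bits of the same octet (constructed field).
    bitfield_add(buf, subtree, 0, 1, 2, 6,
        "myproto.seq", nil, "Sequence", "%d")

    return 1 -- number of octets consumed
end

-- Constructed port number; replace with the port your protocol uses.
DissectorTable.get("udp.port"):add(9999, p_myproto)
```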

