Wireshark 4.4.0rc1’s Custom Columns, (Thu, Aug 15th)

In diary entry “A Wireshark Lua Dissector for Fixed Field Length Protocols”, I show how to use a protocol dissector I wrote in Lua to parse TCP data.

Wireshark 4.4.0 Release Candidate 1 was released, and it allows us to use field expressions as custom columns.

This means that some of the functionality that had to be implemented with a dissector can now simply be configured.

Take this example of fields Function, Direction, Counter, DataLength and Data, as defined with my custom Lua dissector:

Similar fields can now be configured without a dissector, by adding custom columns whose values are field expressions:

For example, the field Function is the first byte of the TCP payload: tcp.payload[0]

Another example: the field Counter is the third and fourth bytes of the TCP payload: tcp.payload[2:2] (in Wireshark's slice syntax, the first number is the start offset and the second is the length).

As you can see, the column values are displayed as bytes (hexadecimal).
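To make explicit what these slice expressions select, here is an added Python example that is not part of the diary entry and not Wireshark code: it implements Wireshark's byte-slice syntax ([i], [i:j], [i-j], [:j], [i:], negative offsets, comma-separated slices) and applies a set of custom-column expressions to TCP payloads supplied as colon-separated hex, the form tshark prints for tcp.payload. The Function and Counter expressions are the ones from the diary; the offsets for Direction, DataLength and Data, and the sample payloads, are constructed assumptions. The big-endian integer it prints next to the hex is computed by the script itself, outside Wireshark.

```python
"""Apply Wireshark-style byte-slice expressions (as used in custom columns)
to raw TCP payloads.  Added example, not code from the diary or from Wireshark."""
import re
from typing import Dict, List, Optional, Tuple

# Wireshark slice syntax (display filter reference):
#   [i]    one byte at offset i          [i:j]  j bytes starting at offset i
#   [i-j]  offsets i through j inclusive [:j]   first j bytes
#   [i:]   from offset i to the end      negative offsets count from the end
#   [a,b]  several slices, concatenated in the order written
_SLICE_RE = re.compile(r"^([A-Za-z0-9_.]+)\[(.+)\]$")


def parse_slice(expr: str) -> Tuple[str, List[str]]:
    """Split 'tcp.payload[0,2:2]' into ('tcp.payload', ['0', '2:2'])."""
    m = _SLICE_RE.match(expr.strip())
    if not m:
        raise ValueError(f"not a slice expression: {expr!r}")
    return m.group(1), [p.strip() for p in m.group(2).split(",")]


def _one_range(part: str, n: int) -> Tuple[int, int]:
    """Translate one slice element into a half-open (start, end) range on n bytes.
    Raises ValueError when the range falls outside the payload."""
    if ":" in part:                      # [i:j], [:j], [i:], including negative i
        s, l = part.split(":", 1)
        start = int(s) if s else 0
        if start < 0:
            start += n
        length = int(l) if l else n - start
        end = start + length
    else:
        m = re.fullmatch(r"(\d+)-(\d+)", part)
        if m:                            # [i-j], inclusive end offset
            start, end = int(m.group(1)), int(m.group(2)) + 1
        else:                            # [i], possibly negative
            start = int(part)
            if start < 0:
                start += n
            end = start + 1
    if start < 0 or end > n or start >= end:
        raise ValueError(f"slice {part!r} outside a {n}-byte payload")
    return start, end


def apply_slice(expr: str, payload: bytes) -> Optional[bytes]:
    """Return the bytes selected by expr, or None when the slice does not fit
    (the column would then show nothing for that packet)."""
    _field, parts = parse_slice(expr)
    out = bytearray()
    try:
        for part in parts:
            start, end = _one_range(part, len(payload))
            out += payload[start:end]
    except ValueError:
        return None
    return bytes(out)


def to_hex_display(data: bytes) -> str:
    """Render bytes the way Wireshark displays FT_BYTES values: 'de:ad:be:ef'."""
    return ":".join(f"{b:02x}" for b in data)


# Column definitions.  Function and Counter are the expressions from the diary;
# the other three offsets are assumptions made for this example.
COLUMNS: Dict[str, str] = {
    "Function":   "tcp.payload[0]",    # first payload byte (from the diary)
    "Direction":  "tcp.payload[1]",    # assumed: second byte
    "Counter":    "tcp.payload[2:2]",  # third and fourth bytes (from the diary)
    "DataLength": "tcp.payload[4:2]",  # assumed: fifth and sixth bytes
    "Data":       "tcp.payload[6:]",   # assumed: everything after the header
}

# Constructed sample payloads in tshark's colon-separated hex form (not real traffic).
SAMPLE_PAYLOADS = [
    "01:00:00:2a:00:04:de:ad:be:ef",
    "02:01:01:00:00:02:ca:fe",
    "01",                              # too short: most columns stay empty
]


def extract_columns(payload_hex: str, columns: Dict[str, str]) -> Dict[str, Optional[Tuple[str, int]]]:
    """Evaluate every column expression against one payload, returning
    (hex display, big-endian integer) per column, or None when the slice does not fit."""
    payload = bytes.fromhex(payload_hex.replace(":", ""))
    result: Dict[str, Optional[Tuple[str, int]]] = {}
    for name, expr in columns.items():
        data = apply_slice(expr, payload)
        result[name] = None if data is None else (to_hex_display(data), int.from_bytes(data, "big"))
    return result


if __name__ == "__main__":
    for hexstr in SAMPLE_PAYLOADS:
        print(hexstr)
        for name, value in extract_columns(hexstr, COLUMNS).items():
            print(f"  {name:<10} {value[0] if value else '':<12} {value[1] if value else ''}")
```

The integer conversion is the script's own post-processing of the extracted bytes; the hex string is what the custom column itself shows.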

I have not found a way to convert this to decimal integers.

If you have a solution, please post a comment.


Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.