TreeItem
s represent information in the packet details pane of Wireshark, and the packet details view of TShark.
A TreeItem
represents a node in the tree, which might also be a subtree and have a list of children.
The children of a subtree have zero or more siblings which are other children of the same TreeItem
subtree.
During dissection, heuristic-dissection, and post-dissection, a root TreeItem
is passed to dissectors as the third argument of the function
callback (e.g., myproto.dissector(tvbuf,pktinfo,root)
).
In some cases the tree is not truly added to, in order to improve performance.
For example for packets not currently displayed/selected in Wireshark’s visible
window pane, or if TShark isn’t invoked with the -V
switch. However the
"add" type TreeItem
functions can still be called, and still return TreeItem
objects - but the info isn’t really added to the tree. Therefore you do not
typically need to worry about whether there’s a real tree or not. If, for some
reason, you need to know it, you can use the TreeItem.visible
attribute getter
to retrieve the state.
Adds a new child tree for the given ProtoField
object to this tree item,
returning the new child TreeItem
.
Unlike TreeItem:add()
and TreeItem:add_le()
, the ProtoField
argument
is not optional, and cannot be a Proto
object. Instead, this function always
uses the ProtoField
to determine the type of field to extract from the
passed-in TvbRange
, highlighting the relevant bytes in the Packet Bytes pane
of the GUI (if there is a GUI), etc. If no TvbRange
is given, no bytes are
highlighted and the field’s value cannot be determined; the ProtoField
must
have been defined/created not to have a length in such a case, or an error will
occur. For backwards-compatibility reasons the encoding
argument, however,
must still be given.
Unlike TreeItem:add()
and TreeItem:add_le()
, this function performs both
big-endian and little-endian decoding, by setting the encoding
argument to
be ENC_BIG_ENDIAN
or ENC_LITTLE_ENDIAN
.
The signature of this function:
tree_item:add_packet_field(proto_field [,tvbrange], encoding, ...)
This function returns more than just the new child TreeItem
.
The child is the first return value, so that function chaining will still work; but it
also returns more information. The second return is the value of the extracted field
(i.e., a number, UInt64
, Address
, etc.). The third return is is the offset where
data should be read next. This is useful when the length of the field is not known in
advance. The additional return values may be null if the field type is not well supported
in the Lua API.
This function can extract a ProtoField
of type ftypes.BYTES
or ftypes.ABSOLUTE_TIME
from a string in the TvbRange
in ASCII-based and similar
encodings. For example, a ProtoField
of ftypes.BYTES
can be extracted from a TvbRange
containing the ASCII string "a1b2c3d4e5f6", and it will correctly decode the ASCII both in the
tree as well as for the second return value, which will be a ByteArray
.
To do so, you must set the encoding
argument of this function to the appropriate string ENC_*
value, bitwise-or’d (or added) with the ENC_STR_HEX
value and one or more ENC_SEP_XXX
values
indicating which encodings are allowed. For ftypes.ABSOLUTE_TIME
, one of the ENC_ISO_8601_*
encodings or ENC_IMF_DATE_TIME
must be used, and the second return value is a NSTime
.
Only single-byte ASCII digit string encodings such as ENC_ASCII
and ENC_UTF_8
can be used for this.
For example, assuming the Tvb
named “tvb” contains the string "abcdef"
(61 62 63 64 65 66 in hex):
-- this is done earlier in the script local myfield = ProtoField.new("Transaction ID", "myproto.trans_id", ftypes.BYTES) myproto.fields = { myfield } -- this is done inside a dissector, post-dissector, or heuristic function -- child will be the created child tree, and value will be the ByteArray "abcdef" or nil on failure local child, value = tree:add_packet_field(myfield, tvb:range(0,6), ENC_UTF_8 + ENC_STR_HEX + ENC_SEP_NONE)
TvbRange
of bytes in the packet this tree item covers/represents.
TvbRange
.
TreeItem
.
The new child TreeItem
, the field’s extracted value or nil, and offset or nil.
Adds a child item to this tree item, returning the new child TreeItem
.
If the ProtoField
represents a numeric value (int, uint or float), then it’s treated as a Big Endian (network order) value.
This function has a complicated form: 'treeitem:add([protofield,] [tvbrange,] value], label)', such that if the first
argument is a ProtoField
or a Proto
, the second argument is a TvbRange
, and a third argument is given, it’s a value;
but if the second argument is a non-TvbRange
, then it’s the value (as opposed to filling that argument with 'nil',
which is invalid for this function). If the first argument is a non-ProtoField
and a non-Proto
then this argument can
be either a TvbRange
or a label, and the value is not in use.
local proto_foo = Proto("foo", "Foo Protocol") proto_foo.fields.bytes = ProtoField.bytes("foo.bytes", "Byte array") proto_foo.fields.u16 = ProtoField.uint16("foo.u16", "Unsigned short", base.HEX) function proto_foo.dissector(buf, pinfo, tree) -- ignore packets less than 4 bytes long if buf:len() < 4 then return end -- ############################################## -- # Assume buf(0,4) == {0x00, 0x01, 0x00, 0x02} -- ############################################## local t = tree:add( proto_foo, buf() ) -- Adds a byte array that shows as: "Byte array: 00010002" t:add( proto_foo.fields.bytes, buf(0,4) ) -- Adds a byte array that shows as "Byte array: 313233" -- (the ASCII char code of each character in "123") t:add( proto_foo.fields.bytes, buf(0,4), "123" ) -- Adds a tree item that shows as: "Unsigned short: 0x0001" t:add( proto_foo.fields.u16, buf(0,2) ) -- Adds a tree item that shows as: "Unsigned short: 0x0064" t:add( proto_foo.fields.u16, buf(0,2), 100 ) -- Adds a tree item that shows as: "Unsigned short: 0x0064 ( big endian )" t:add( proto_foo.fields.u16, buf(1,2), 100, nil, "(", nil, "big", 999, nil, "endian", nil, ")" ) -- LITTLE ENDIAN: Adds a tree item that shows as: "Unsigned short: 0x0100" t:add_le( proto_foo.fields.u16, buf(0,2) ) -- LITTLE ENDIAN: Adds a tree item that shows as: "Unsigned short: 0x6400" t:add_le( proto_foo.fields.u16, buf(0,2), 100 ) -- LITTLE ENDIAN: Adds a tree item that shows as: "Unsigned short: 0x6400 ( little endian )" t:add_le( proto_foo.fields.u16, buf(1,2), 100, nil, "(", nil, "little", 999, nil, "endian", nil, ")" ) end udp_table = DissectorTable.get("udp.port") udp_table:add(7777, proto_foo)
ProtoField
field or Proto
protocol object to add to the tree.
TvbRange
of bytes in the packet this tree item covers/represents.
The new child TreeItem.
Adds a child item to this tree item, returning the new child TreeItem
.
If the ProtoField
represents a numeric value (int, uint or float), then it’s treated as a Little Endian value.
This function has a complicated form: 'treeitem:add_le([protofield,] [tvbrange,] value], label)', such that if the first
argument is a ProtoField
or a Proto
, the second argument is a TvbRange
, and a third argument is given, it’s a value;
but if the second argument is a non-TvbRange
, then it’s the value (as opposed to filling that argument with 'nil',
which is invalid for this function). If the first argument is a non-ProtoField
and a non-Proto
then this argument can
be either a TvbRange
or a label, and the value is not in use.
The new child TreeItem.
Sets the text of the label.
This used to return nothing, but as of 1.11.3 it returns the same tree item to allow chained calls.
The same TreeItem.
Appends text to the label.
This used to return nothing, but as of 1.11.3 it returns the same tree item to allow chained calls.
The same TreeItem.
Prepends text to the label.
This used to return nothing, but as of 1.11.3 it returns the same tree item to allow chained calls.
The same TreeItem.
Sets the expert flags of the item and adds expert info to the packet.
This function does not create a truly filterable expert info for a protocol.
Instead you should use TreeItem.add_proto_expert_info()
.
Note: This function is provided for backwards compatibility only, and should not
be used in new Lua code. It may be removed in the future. You should only
use TreeItem.add_proto_expert_info()
.
PI_CHECKSUM
,
PI_SEQUENCE
,
PI_RESPONSE_CODE
,
PI_REQUEST_CODE
,
PI_UNDECODED
,
PI_REASSEMBLE
,
PI_MALFORMED
,
PI_DEBUG
,
PI_PROTOCOL
,
PI_SECURITY
,
PI_COMMENTS_GROUP
,
PI_DECRYPTION
,
PI_ASSUMPTION
,
PI_DEPRECATED
,
PI_RECEIVE
,
PI_INTERFACE
,
or PI_DISSECTOR_BUG
.
PI_COMMENT
,
PI_CHAT
,
PI_NOTE
,
PI_WARN
,
or PI_ERROR
.
The same TreeItem.
Sets the expert flags of the tree item and adds expert info to the packet.
ProtoExpert
object to add to the tree.
The same TreeItem.
Sets the expert flags of the tree item and adds expert info to the packet
associated with the Tvb
or TvbRange
bytes in the packet.
ProtoExpert
object to add to the tree.
The same TreeItem.
Marks the TreeItem
as a generated field (with data inferred but not contained in the packet).
This used to return nothing, but as of 1.11.3 it returns the same tree item to allow chained calls.
true
sets the TreeItem
generated flag, else clears it (default=true)
The same TreeItem.
Marks the TreeItem
as a hidden field (neither displayed nor used in filters).
Deprecated
This used to return nothing, but as of 1.11.3 it returns the same tree item to allow chained calls.
true
sets the TreeItem
hidden flag, else clears it. Default is true
.
The same TreeItem.
Set TreeItem
's length inside tvb, after it has already been created.
This used to return nothing, but as of 1.11.3 it returns the same tree item to allow chained calls.
The same TreeItem.
Checks if a ProtoField
or Dissector
is referenced by a filter/tap/UI.
If this function returns false
, it means that the field (or dissector) does not need to be dissected
and can be safely skipped. By skipping a field rather than dissecting it, the dissector will
usually run faster since Wireshark will not do extra dissection work when it doesn’t need the field.
You can use this in conjunction with the TreeItem.visible attribute. This function will always return true when the TreeItem is visible. When it is not visible and the field is not referenced, you can speed up the dissection by not dissecting the field as it is not needed for display or filtering.
This function takes one parameter that can be a ProtoField
or Dissector
.
The Dissector
form is useful when you need to decide whether to call a sub-dissector.
ProtoField
or Dissector
to check if referenced.
A boolean indicating if the ProtoField/Dissector is referenced
Returns string debug information about the TreeItem
.
Mode: Retrieve or assign.
Set/get the TreeItem
's display string (string).
For the getter, if the TreeItem has no display string, then nil is returned.
Mode: Retrieve only.
Get the TreeItem
's subtree visibility status (boolean).
Mode: Retrieve or assign.
Set/get the TreeItem
's generated state (boolean).
Mode: Retrieve or assign.
Set/get TreeItem
's length inside tvb, after it has already been created.