Expert Info

The general idea behind the following "Expert Infos" is to have a better display of "uncommon" or "notable" network behaviour. This way, both novice and expert users will hopefully find probable network problems a lot faster, compared to scanning the packet list "manually".

For basic information what expert infos are and how to use them, please refer to the User's Guide.

Add an "Expert Info" to a Dissector

To add an expert info, dissectors call expert_add_info_format() as defined in epan/expert.h:

extern void
expert_add_info_format(packet_info *pinfo, proto_item *pi, int group,
        int severity, const char *format, ...);

There are some examples in common protocols (TCP, IP, HTTP, ...). A typical example will look like:

#include <epan/expert.h>

...

flags_item=proto_tree_add_uint(tree, hf_tcp_anaysis_duplicate_ack_frame,
        tvb, 0, 0, ta->dupack_frame);
expert_add_info_format(pinfo, flags_item, PI_SEQUENCE, PI_NOTE, "This is a TCP duplicate ack");

The proto_item (flags_item in this case) can be NULL if there's no associated protocol item available.

Remember: The tree variable might be NULL, so the call to expert_add_info_format() should not be inside any "if (tree)" block!

Severity levels

There are four severity levels (see epan/proto.h), in parentheses are the colors in which tree items will be marked:

A dissector developer selects which level a specific problem really has. The dissector might even use a preference setting to have a mapping between the "event" and the level to be displayed, so the user can decide which problem is interesting to him and which only annoys him. However, no dissector currently provide this functionality.

Example: a TCP zero window is at least uncommon on most networks. If a user has a scenario where this would appear often, he could be able to switch off a warning about this.

Hint: If you can't decide between two possible severity levels, choose the less important one! The topic you're currently working on seems probably more important than it will look like in a few weeks ;-)

Groups

The currently implemented groups can be found in epan/proto.h:

Probable ideas for further groups:

XXX - add more, but only if there's a real need for it! So be prepared for additions here ...

Summary text

This is a "printf like" free format text. Hint: Don't add "random" id's or alike to the text, otherwise the composite dialog will list all entries separately and therefore be less helpful.

To be done

Development/ExpertInfo (last edited 2010-02-18 20:48:00 by JaapKeuter)