Wireshark mailing list archives
Re: Newbie question: what to make of some COTP decoding.
From: Bill Meier <wmeier () newsguy com>
Date: Wed, 01 Aug 2012 11:13:47 -0400
On 8/1/2012 9:34 AM, Andre Steenveld wrote:
> Hi, I’m quite new to using wireshark and have a question about some output for the COTP protocol. I tried to find an answer in the wireshark documentation and in the archives but could not come up with a full answer.
I'm not familiar with the OSI protocols (COTP, etc) so all I can offer is based upon a quick look at the code.
http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-ositp.c?revision=43536&view=markup&sortby=date

From packet-ositp.c

    ositp_decode_DT(...)
    {
      ...
      case LI_NORMAL_DT_CLASS_01 :
        tpdu_nr = tvb_get_guint8(tvb, offset + P_TPDU_NR_0_1);
        if ( tpdu_nr & 0x80 )
          tpdu_nr = tpdu_nr & 0x7F;
        else
          fragment = TRUE;
        is_extended = FALSE;
        is_class_234 = FALSE;
        prev_dst_ref = p_get_proto_data (pinfo->fd, proto_clnp);
        if (!prev_dst_ref) {
          /* First COTP in frame - save previous dst_ref as offset */
          prev_dst_ref = se_alloc (sizeof (guint32));
          *prev_dst_ref = cotp_dst_ref;
          p_add_proto_data (pinfo->fd, proto_clnp, prev_dst_ref);
        } else if (cotp_frame_reset) {
          cotp_dst_ref = *prev_dst_ref;
        }
        cotp_frame_reset = FALSE;
        cotp_last_fragment = fragment;
        dst_ref = cotp_dst_ref;
        conv = find_conversation (pinfo->fd->num, &pinfo->src, &pinfo->dst,
                                  pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
        if (conv) {
          /* Found a conversation, also use index for the generated dst_ref */
          dst_ref += (conv->index << 16);
        }
        if (!fragment) {
          cotp_dst_ref++;
          register_frame_end_routine(cotp_frame_end);
        }
        break;

It seems that in this case a dst ref is "generated" using the dst_ref + the 'conversation_index << 16'. The 'conversation_index' is simply a Wireshark internal number which is assigned in ascending order for each "conversation" (connection) encountered in a capture.
It also seems that there's some stuff going on about saving/retrieving dst_ref.
I've no idea what this is really about, but maybe it will make sense to you.
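Added example, not part of the message above and not Wireshark code: a small C model of the arithmetic in the quoted excerpt, showing which generated dst_ref each class 0/1 DT TPDU gets as the EOT bit (0x80) comes and goes. The names cotp_model, model_dt and model_run, the sample octets and the conversation indexes are constructed for illustration; the per-frame save/restore of the counter (prev_dst_ref, cotp_frame_reset) is left out, and a 32-bit counter is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Hypothetical model of the state in the quoted excerpt; not Wireshark code. */
struct cotp_model {
    uint32_t cotp_dst_ref;   /* one shared counter, bumped after each complete TSDU */
};

/* Handle one class 0/1 DT TPDU-NR octet seen on conversation conv_index.
 * Returns the generated dst_ref; *fragment is set to 1 when the EOT bit
 * (0x80) is clear, i.e. more pieces of the same TSDU follow. */
static uint32_t model_dt(struct cotp_model *m, uint8_t tpdu_nr_octet,
                         uint32_t conv_index, int *fragment)
{
    *fragment = (tpdu_nr_octet & 0x80) ? 0 : 1;
    uint32_t dst_ref = m->cotp_dst_ref + (conv_index << 16);
    if (!*fragment)
        m->cotp_dst_ref++;   /* the next TSDU gets a different value */
    return dst_ref;
}

/* Feed a sequence of octets from one conversation, recording each dst_ref. */
static void model_run(struct cotp_model *m, const uint8_t *octets, size_t n,
                      uint32_t conv_index, uint32_t *keys)
{
    int fragment;
    for (size_t i = 0; i < n; i++)
        keys[i] = model_dt(m, octets[i], conv_index, &fragment);
}

int main(void)
{
    /* Constructed sample: two fragments, the final piece, then a one-piece TSDU. */
    const uint8_t octets[] = { 0x00, 0x00, 0x80, 0x80 };
    uint32_t keys[4];
    struct cotp_model m = { 0 };
    int frag;

    model_run(&m, octets, 4, 2, keys);   /* conversation index 2 (constructed) */
    for (size_t i = 0; i < 4; i++)
        printf("octet 0x%02x -> dst_ref 0x%08x\n", octets[i], (unsigned)keys[i]);
    /* In this model a counter above 0xFFFF spills into the index bits. */
    m.cotp_dst_ref = 0x10000;
    printf("conv 1, counter 0x10000 -> 0x%08x\n",
           (unsigned)model_dt(&m, 0x00, 1, &frag));
    return 0;
}
```

The three pieces of the first TSDU share one value and the following TSDU gets the next one, so the number shown is a Wireshark-side grouping key rather than a field read from the packet.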