Wireshark mailing list archives

Re: Add computed bytes of different length


From: Kevin Cox <kevincox () kevincox ca>
Date: Wed, 04 Jun 2014 12:12:27 -0400

On 04/06/14 10:24, Anders Broman wrote:
> One option is to read the bytes from the tvb to a buffer, manipulate the bytes and make a new tvb with the manipulated
> bytes in the buffer, and then dissect that new tvb.
> Like uncompressing something and then dissecting the content of the uncompressed result. If it's just a few bytes that
> may not be feasible, I suppose.

I tried this using tvb_new_child_real_data but the highlighted area in
Wireshark seemed to be the first n bytes of the parent tvb.  I don't
know how to link it back to where the data actually came from.

> If the encoded stuff really is a string "string coming from the wrong place in the packet" you might want to add a
> new string encoding type and add it as a string
> with ENC_MY_STRING_ENCODING.

This is possible but I'm not sure it would be ideal.  I will explain my
use case a bit more.

I have a "blob" type in my protocol that has some metadata such as
length and type and I want to create a generic parser function that can
be used from multiple locations in my protocol.

I'm thinking that the ideal output would contain a parent item of a
type passed into my function.  This would have the value of the blob
content so it can be filtered on.  However, I want it to highlight the
whole source of the blob in the "packet view".

Then this item would have expert children such as length, type and data
which would point to the actual pieces inside the structure.

I can get most of this using a FT_NONE or text item with custom
formatting; however, that will leave me unable to filter the field.

Is this the best approach?  Or would a different method be better?  I
did a similar dissection of a string and am very pleased with the
output; however, because the source and value lengths are tied together
for bytes objects I don't know how to implement it.

Thanks,
Kevin

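The child-tvb route Anders describes, written out as a generic blob helper for a Lua dissector; this is an added example and not code from the thread. The blob layout (1-byte type, 2-byte big-endian length, then content), the XOR "decoding" step standing in for something like decompression, and the UDP port are all constructed for the example.

```lua
-- Added example (not from the thread): generic blob helper for a Lua dissector.
-- Constructed blob layout: 1-byte type, 2-byte big-endian length, `length` bytes
-- of content that must be transformed before it is meaningful.
local blob_proto = Proto("blobdemo", "Blob demo")

local f_type    = ProtoField.uint8 ("blobdemo.type",    "Type",   base.DEC)
local f_len     = ProtoField.uint16("blobdemo.length",  "Length", base.DEC)
local f_raw     = ProtoField.bytes ("blobdemo.raw",     "Raw content")
local f_decoded = ProtoField.bytes ("blobdemo.decoded", "Decoded content")
blob_proto.fields = { f_type, f_len, f_raw, f_decoded }

-- Constructed placeholder transform standing in for the real decoding step
-- (e.g. decompression): XOR every byte with a fixed key.
local function decode(bytes, key)
  local out = ByteArray.new()
  out:set_size(bytes:len())
  for i = 0, bytes:len() - 1 do
    out:set_index(i, bit.bxor(bytes:get_index(i), key))
  end
  return out
end

-- Reusable from any point in the protocol: `hf_value` is the caller's own bytes
-- ProtoField, so the decoded value is filterable under the caller's field name.
local function dissect_blob(tvb, pinfo, tree, offset, hf_value)
  local len   = tvb(offset + 1, 2):uint()
  local total = 3 + len
  -- Parent item highlights the whole structure (type + length + content).
  local item = tree:add(blob_proto, tvb(offset, total), "Blob")
  item:add(f_type, tvb(offset, 1))
  item:add(f_len,  tvb(offset + 1, 2))
  if len > 0 then
    item:add(f_raw, tvb(offset + 3, len))
    -- The decoded bytes live in a child Tvb that is registered as its own data
    -- source, so the bytes pane shows them in a separate tab rather than
    -- highlighting an unrelated span of the parent tvb.
    local decoded_tvb = decode(tvb(offset + 3, len):bytes(), 0x5a):tvb("Decoded blob")
    item:add(hf_value, decoded_tvb(0, decoded_tvb:len()))
  end
  return offset + total
end

function blob_proto.dissector(tvb, pinfo, tree)
  pinfo.cols.protocol = "BLOBDEMO"
  local offset = 0
  while offset < tvb:len() do
    offset = dissect_blob(tvb, pinfo, tree, offset, f_decoded)
  end
end

DissectorTable.get("udp.port"):add(4444, blob_proto)  -- constructed port
```

In a C dissector the same registration step is tvb_new_child_real_data() followed by add_new_data_source(), without which the new buffer has no tab of its own in the bytes pane. For the case Kevin actually wants, one item whose highlighted range is the whole blob but whose value is the shorter content, the C API's proto_tree_add_bytes_with_length() takes the tvb start/length and the value pointer/length as separate arguments.
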

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev