Wireshark mailing list archives
Re: How to call a sub-dissector many times without knowing the exact data size
From: Guy Harris <guy () alum mit edu>
Date: Sat, 31 Jan 2015 13:56:48 -0800
On Jan 31, 2015, at 1:46 PM, wsgd <wsgd () free fr> wrote:
> I want to call a sub-dissector many times.
> I know the total size of my data.
> I do NOT know the size to give to the sub-dissector.
> The sub-dissector will know (by itself) the size to dissect.
>
> The corresponding scheme from the parent dissector point of view :
> |-----------------------------------Packet data (total size is known)--------------------------------|
> |--Parent dissector--|--sub-dissector 1 (size is unknown)--|...|--sub-dissector N (size is unknown)--|
>
> The sub-dissector will be called by dissector_try_uint (or call_dissector or eventually dissector_try_heuristic).
>
> Question 1) Is it possible to call dissector_try_uint (or ...) with more data than needed by the sub-dissector ?
Yes.
> Question 2) How to know how many bytes have been dissected by the sub-dissector ?
Have the sub-dissector be a "new-style" dissector, which is expected to return the number of bytes of data that it dissected.

For "old-style" dissectors, which do not return a value, the dissector-calling mechanism will return tvb_captured_length(), so it appears as if the entire tvbuff handed to it was dissected.

dissector_try_uint(), call_dissector(), etc. return the return value of a new-style dissector or the tvbuff captured length of an old-style dissector.

Note that a new-style dissector can return 0, which is assumed to mean "this isn't a packet for my protocol".

This does *not* work for heuristic dissectors. Perhaps heuristic dissectors could be changed to return a bytes-dissected value rather than a Boolean, with 0 meaning "I dissected nothing because this isn't a packet for my protocol"; I think there were cases for non-heuristic dissectors where nothing is dissected but the dissection was valid, e.g. an RPC-like protocol where a reply has no data at the RPC layer but has data at the layer of the particular RPC protocol being used, and I think I discovered that when trying to make all dissectors new-style dissectors, but I can't remember what I found. For a heuristic dissector, however, the dissector has to look at *some* data in order to determine whether the packet is for its protocol or not, so presumably it could never return 0 if the packet is for its protocol.

___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-dev
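The calling pattern described in the reply, as an added example that is not part of the original message and is not Wireshark code: a parent loop hands the whole remaining buffer to a sub-dissector and advances by the byte count it returns. It models the "return bytes dissected, 0 means not my protocol" convention with plain C types instead of the tvbuff API; `view_t`, `dissect_record`, `dissect_parent` and the sample packet are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a tvbuff subset: a view of the bytes not yet dissected. */
typedef struct { const uint8_t *data; size_t len; } view_t;
/* Convention from the reply: return bytes dissected, 0 = "not my protocol". */
typedef int (*sub_dissector_t)(view_t v);

/* Hypothetical sub-protocol: type byte 0x01, length byte, then `length` payload bytes. */
static int dissect_record(view_t v)
{
    if (v.len < 2 || v.data[0] != 0x01)
        return 0;                          /* not a record: claim nothing */
    size_t need = 2u + v.data[1];
    return need <= v.len ? (int)need : 0;  /* this model rejects a truncated record */
}

/* Parent loop: returns the number of sub-records; *left gets the undissected tail. */
static int dissect_parent(const uint8_t *pkt, size_t total, size_t hdr_len,
                          sub_dissector_t sub, size_t *left)
{
    size_t offset = hdr_len <= total ? hdr_len : total;
    int records = 0;
    while (offset < total) {
        view_t rest = { pkt + offset, total - offset };  /* more data than one record needs */
        int used = sub(rest);
        /* 0 would never advance offset (endless loop); a value larger than
           what was handed over would push offset past the packet. Stop on both. */
        if (used <= 0 || (size_t)used > rest.len)
            break;
        offset += (size_t)used;
        records++;
    }
    *left = total - offset;
    return records;
}

/* Constructed sample: 2-byte parent header, three records, 2 trailing junk bytes. */
static const uint8_t sample_pkt[] = { 0xAA, 0xBB, 0x01, 0x02, 0x10, 0x11,
                                      0x01, 0x00, 0x01, 0x01, 0x7F, 0xFF, 0xEE };

int main(void)
{
    size_t left;
    int n = dissect_parent(sample_pkt, sizeof sample_pkt, 2, dissect_record, &left);
    printf("%d records, %zu bytes left\n", n, left);
    return 0;
}
```

The check on the returned count is what keeps a malformed capture from stalling the parent: a return of 0 leaves the offset where it was, so the loop has to stop rather than call the sub-dissector again on the same bytes.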