Re: How to call a sub-dissector many times without knowing the exact data size

[Guy Harris <guy () alum mit edu>]

On Jan 31, 2015, at 1:46 PM, wsgd <wsgd () free fr> wrote:

> I want to call a sub-dissector many times. 
> I know the total size of my data. 
> I do NOT know the size to give to the sub-dissector. 
> The sub-dissector will know (by itself) the size to dissect. 
>
> The corresponding scheme from the parent dissector point of view : 
>
> |-----------------------------------Packet data (total size is known)--------------------------------| 
> |--Parent dissector--|--sub-dissector 1 (size is unknown)--|...|--sub-dissector N (size is unknown)--| 
>
>
> The sub-dissector will be called by dissector_try_uint (or call_dissector or eventually dissector_try_heuristic). 
>
>
> Question 1) 
> Is it possible to call dissector_try_uint (or ...) with more data than needed by the sub-dissector ? 

Yes.

> Question 2) 
> How to know how many bytes have been dissected by the sub-dissector ? 

Have the sub-dissector be a "new-style" dissector, which is expected to return the number of bytes of data that it 
dissected.

For "old-style" dissectors, which do not return a value, the dissector-calling mechanism will return 
tvb_captured_length(), so it appears as if the entire tvbuff handed to it was dissected.

dissector_try_uint(), call_dissector(), etc. return the return value of a new-style dissector or the tvbuff captured 
length of an old-style dissector.

Note that a new-style dissector can return 0, which is assumed to mean "this isn't a packet for my protocol".

This does *not* work for heuristic dissectors.  Perhaps heuristic dissectors could be changed to return a 
bytes-dissected value rather than a Boolean, with 0 meaning "I dissected nothing because this isn't a packet for my 
protocol"; I think there were cases for non-heuristic dissectors where nothing is dissected but the dissection was 
valid, e.g. an RPC-like protocol where a reply has no data at the RPC layer but has data at the layer of the particular 
RPC protocol being used, and I think I discovered that when trying to make all dissectors new-style dissectors, but I 
can't remember what I found.

For a heuristic dissector, however, the dissector has to look at *some* data in order to determine whether the packet 
is for its protocol or not, so presumably it could never return 0 if the packet is for its protocol.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe