Wireshark mailing list archives

Re: tvb_captured_length or tvb_reported_length?


From: Pascal Quantin <pascal.quantin () gmail com>
Date: Wed, 2 Sep 2015 19:44:16 +0200

Hi Robert,

2015-09-02 19:33 GMT+02:00 Robert Cragie <robert.cragie () gridmerge com>:


> I am trying to understand the changes to the previous use of tvb_length().
> There are now two functions (and their associates):
>
> * tvb_captured_length()
> * tvb_reported_length()
>
> As far as I can tell, tvb_captured_length() is the direct replacement for
> tvb_length() but tvbuff.h says "You probably want tvb_reported_length
> instead.". The use of both seems to be mixed throughout the files and it's
> difficult to follow the relationship between the two. So any guidance on
> this would be appreciated.


tvb_reported_length -> the size of the packet as it was transmitted on the
wire (frame.len field in Wireshark)
tvb_captured_length -> the size of the packet captured by libpcap / Winpcap
/ XXX which is either equal to reported length, or shorter if a snaplen was
configured for the capture (frame.cap_len field in Wireshark)

This starts to make a difference as soon as you have a capture taken with a
snap length defined.

If you try to access a byte that is above the captured length, but within
the reported length, Wireshark will catch this exception and display
automatically in the info column and the packet details panel that the
packet size was limited during capture (which is more useful than an error
telling you that the packet is malformed which is not true in this case:
you simply limited the bytes you wanted to capture for performance reasons).
So most of the time you are interested in the reported length. But captured
length is still useful for some specific use cases. For example in a
heuristic dissector, when you are performing your tests to identify whether
this is a packet for your protocol or not, you must ensure that the
captured length is at least equal to the offset of the byte you want to
access. Otherwise the exception "packet size limited during capture"
would be triggered and it would interrupt the processing of the packet (and
thus prevent the next heuristic dissector from being called).
So depending on the code you are writing, you must decide whether you want
the reported or captured length. And the former is often what you really
want. But it is sometimes tricky to decide which one is relevant (that's
where code review enters into the game :) ).

Hope it helps,
Pascal.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
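
The distinction described in the message above, as an added example that is not part of the original post and is not Wireshark code: a self-contained C model in which `model_tvb`, `model_read_u8`, `model_heuristic` and the sample protocol are all hypothetical names. Wireshark signals these conditions with exceptions; the model returns a status value instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for a tvbuff: just the two lengths discussed above. */
typedef struct {
    const uint8_t *data;
    size_t captured_len;  /* bytes stored in the capture file (frame.cap_len) */
    size_t reported_len;  /* bytes the packet had on the wire (frame.len) */
} model_tvb;

typedef enum { READ_OK, READ_SNAPLEN_CUT, READ_MALFORMED } read_status;

/* Constructed sample: an 8-byte packet of a made-up protocol with
   magic 0xC0 0xDE at offset 0 and version 1 at offset 4. */
static const uint8_t SAMPLE[8] = {0xC0, 0xDE, 0x00, 0x08, 0x01, 0xAA, 0xBB, 0xCC};

/* View of SAMPLE as it would look when captured with the given snap length. */
model_tvb model_make(size_t snaplen)
{
    size_t cap = snaplen < sizeof SAMPLE ? snaplen : sizeof SAMPLE;
    model_tvb tvb = { SAMPLE, cap, sizeof SAMPLE };
    return tvb;
}

/* Classify a one-byte read; out may be NULL when only the status matters. */
read_status model_read_u8(model_tvb tvb, size_t offset, uint8_t *out)
{
    if (offset >= tvb.reported_len) return READ_MALFORMED;   /* past the packet */
    if (offset >= tvb.captured_len) return READ_SNAPLEN_CUT; /* cut by snaplen */
    if (out) *out = tvb.data[offset];
    return READ_OK;
}

#define HEUR_MIN_LEN 5  /* highest offset tested (4) plus one */

/* Heuristic test: decline (return false) instead of reading past the
   captured bytes, so the next heuristic dissector still gets its turn. */
bool model_heuristic(model_tvb tvb)
{
    uint8_t m0 = 0, m1 = 0, ver = 0;
    if (tvb.captured_len < HEUR_MIN_LEN)
        return false;
    model_read_u8(tvb, 0, &m0);
    model_read_u8(tvb, 1, &m1);
    model_read_u8(tvb, 4, &ver);
    return m0 == 0xC0 && m1 == 0xDE && ver == 0x01;
}
```
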
