Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Fields offsets & tree hierarchy questions

From: Jeff Morriss <jeff.morriss.ws () gmail com>
Date: Fri, 14 Jul 2017 13:49:06 -0400
On Fri, Jul 14, 2017 at 1:02 PM, Sultan, Hassan via Wireshark-dev <
wireshark-dev () wireshark org> wrote:


Hi everyone,

Sorry to bother you with might be beginner questions but... well... I'm a
beginner :)

In my quest to understand how Wireshark's parsing engine works I've
written a small wrapper that iterates through all parsed fields and
displays them in the following format :

[offset] [abbrev]([length]) : [value, which might be either my
interpretation of the bytes on the wire according to type/encoding info for
the types I currently support, or the ft_value of the field if it is
present]

And for some packets I am getting :



[...]



Which brings the following questions :

1) Am I right to assume there are absolutely no guarantee about the order
of fields reported by proto_tree_children_foreach in regard to offset
within the same tvb ? I'm looking at the json fields and the offsets of
sub-fields are not ordered. I guess the order is the order in which the
fields were added to the tree ?



Yes, that would be my expectation.  Fields are reported (in the UI and
other places) in the order that they were added to the tree.



2) When looking at http.file_data(65), the field's offset is 0, relative
to that field's tvb which contains the decompressed data, is there any way
to get the position relative to the 'main' tvb representing the whole
packet ? I couldn't find one but maybe I'm missing something.
http.file_data(65) represents decompressed data so technically not present
in the main tvb, but I was wondering if there was a way to link it to the
compressed data field it represents (the "text(83)" field)



I don't think so.  Only the HTTP dissector (and a human) know that the
dissector created a new TVB out of data from the text(83) field.  There's
no linkage (that I recall) between those 2 TVBs (unlike, say, subset TVBs).

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: