Wireshark mailing list archives

tvb_reported_length vs tvb_captured_length

From: Bruno Verstuyft <bruno.verstuyft () excentis com>
Date: Tue, 4 Jun 2019 09:51:39 +0000

Hi,

I have a question regarding the difference between tvb_reported_length and tvb_captured_length.
According to the discussion in
https://www.wireshark.org/lists/wireshark-dev/201509/msg00016.html
Wireshark-dev: Re: [Wireshark-dev] tvb_captured_length or 
tvb_reported_length?<https://www.wireshark.org/lists/wireshark-dev/201509/msg00016.html>
So most of the time you are interested by reported length. But captured length is still useful for some specific use 
cases. For example in an heuristic dissector, when you are performing your tests to identify whether this is a packet 
for your protocol or not, you must ensure that the captured length is at least equal to the offset of the byte you want 
to access to.
www.wireshark.org
, the reported length should be used in most cases. Captured length should only be used in some specific use cases.

However, in the developer documentation "Adding a basic dissector" 
(https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html), the dissect_foo function returns 
tvb_captured_length.
9.2. Adding a basic dissector - Wireshark<https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html>
The first decision you need to make is if this dissector will be a built-in dissector, included in the main program, or 
a plugin. Plugins are the easiest to write initially, so let’s start with that.
www.wireshark.org

It also looks like "return tvb_captured_length" is used more in the code than "return tvb_reported_length".


Bruno Verstuyft
Senior Testing and Software Engineer
Excentis
Gildestraat 8
9000 Gent  -  Belgium
Tel: +32 9 269 22 91

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

Current thread:

tvb_reported_length vs tvb_captured_length Bruno Verstuyft (Jun 04)
- Re: tvb_reported_length vs tvb_captured_length Jaap Keuter (Jun 04)