I am currently debugging Wireshark to find out the field in which the SSH packet data is stored. I have my breakpoint in the function:
ssh_dissect_ssh2(tvbuff_t *tvb, packet_info *pinfo, struct ssh_flow_data *global_data, int offset, proto_tree *tree, int is_response, gboolean *need_desegmentation)
Can someone of you tell me where the data is stored? I cannot find it...
In the structure pointed to by tvb.
Thanks grahamb. It is somehow possible to access the fields of this structure? Since when I try, I get an error that the size of the struct is unknown...
Edit: It seems like I found how to access the fields using the functions provided by tvbuff.c. @grahamb maybe you can tell me how is the best way to find out the needed offset to get the real_data using the method tvb_memcpy?
Offset to what? The data in the tvb contains the rest of the packet after the previous dissectors have processed their part of the packet, i.e. each dissector starts processing at offset 0.
Offset to the real_data field.
I think we're mis-communicating here. The offset parameter of tvb_memcpy() indicates how far into the data you want the copy to start from, so use 0 for the start of data for the current dissector.
And as size do I take the size of the struct? so sizeof(tvb)?
Comments