
get_foo_message_len - What should this function return?


Example from the Wireshark documentation:

/* determine PDU length of protocol foo */
static guint
get_foo_message_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset, void *data _U_)
{
  /* TODO: change this to your needs */
  return (guint)tvb_get_ntohl(tvb, offset+4); /* e.g. length is at offset 4 */
}

Here is the raw data imported into wireshark

000000 0a 01 00 00 00 00 00 10 03 0a 02 00 00 00 00 00 11 03

The raw data shows 2 messages. A message ends with 03.

first call to get_foo_message_len(...)

 the tvb buffer contains the following:
      tvb 0 = 10
      tvb 1 =   1
      tvb 2 =   0
      tvb 3 =   0
      tvb 4 =   0
      tvb 5 =   0
      tvb 6 =   0
      tvb 7 = 16
      tvb 8 =   3
      tvb 9 = 10

The 1st message ends at tvb 8. The next message begins at tvb 9. What should get_foo_message_len return? tvb 9 = 10

Kim
asked 2019-09-26 17:03:09 +0000
grahamb
updated 2019-09-26 17:17:27 +0000


1 Answer


get_foo_message_len() should return the length of the PDU in bytes.

The example assumes that the two bytes at offset 4 in the tvb contain the length of the PDU as a 16-bit value in network byte order.

As you give no other info about your protocol and there doesn't seem to be a length byte in it, you could possibly:

  • Assume all PDUs are 9 bytes long and simply return 9.
  • Scan the tvb looking for the terminator byte 0x03 (as long as 0x03 can't be found in the message itself), and return the offset of that byte + 1.
  • Return something else that is the correct value for your protocol.
grahamb
answered 2019-09-26 17:24:16 +0000

Comments

Based on my input data there are 2 messages. The execution should be as follows:

dissect_foo()
  get_foo_message_len()
  dissect_foo_message()
     processes first message

dissect_foo()
  get_foo_message_len()
  dissect_foo_message()
     processes 2nd message

I would have thought execution is complete since it processed two messages, but the code repeats as follows:

dissect_foo()
  get_foo_message_len()
  dissect_foo_message()
     processes 1st message again!!!

dissect_foo()
  get_foo_message_len()
  dissect_foo_message()
     processes 1st message again!!!

dissect_foo()
  get_foo_message_len()
  dissect_foo_message()
     processes 2nd message again!!!

What is going on? It should have processed the first 2 messages and then stopped.

Kim (2019-09-26 17:49:29 +0000)

Wireshark makes multiple passes over the capture, and will read frames again when they're clicked on.

If you build up state across frames, you can check to see if you've already processed a frame once by inspecting the pinfo->fd->flags.visited flag.

If you don't build up state, then simply return the correct values for the tvb handed to you. The dissector should return the number of bytes dissected allowing a further call to be made to the dissector if another PDU is in the same frame.

grahamb (2019-09-26 18:17:53 +0000)
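Added example, not part of the question, the answer, or Wireshark's own code: a stand-alone C model of the two length strategies discussed in the answer (fixed length field at offset 4 versus scanning for the 0x03 terminator) and of the "return the bytes consumed, get called again for the next PDU" loop described in the last comment, run over the 18 bytes from the question. The tvb is modelled as a plain byte array; SAMPLE, get_foo_len_from_field(), get_foo_len_by_terminator() and dissect_foo() are names introduced here, and a real dissector would use tvb_get_ntohl(), tvb_find_guint8() and tvb_reported_length_remaining() instead of raw array access. The point it makes visible: on this data the documentation template reads the bytes 00 00 00 10 at offset 4 and returns 16 for the first message, so the first "PDU" swallows most of the second message, while the terminator scan returns 9 and 9 and both messages are dissected exactly once per pass.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: the 18 bytes from the question, two messages,
 * each terminated by 0x03. */
static const uint8_t SAMPLE[] = {
    0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x03,
    0x0a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x03
};
#define SAMPLE_LEN ((int)sizeof(SAMPLE))

/* Model of the documentation template: a 32-bit big-endian length at
 * offset+4 (what tvb_get_ntohl(tvb, offset+4) reads). Returns 0 when fewer
 * than 8 bytes remain so the caller stops instead of reading past the end. */
static unsigned int get_foo_len_from_field(const uint8_t *buf, int len, int offset)
{
    if (len - offset < 8)
        return 0;
    const uint8_t *p = buf + offset + 4;
    return ((unsigned int)p[0] << 24) | ((unsigned int)p[1] << 16) |
           ((unsigned int)p[2] << 8)  |  (unsigned int)p[3];
}

/* Terminator scan from the answer: length = index of the first 0x03 at or
 * after offset, minus offset, plus one. Returns 0 when no terminator is in
 * the bytes available, i.e. the PDU is incomplete (the caveat from the answer
 * still applies: this only works if 0x03 cannot occur inside a message).
 * A real dissector would call tvb_find_guint8(tvb, offset, -1, 0x03). */
static unsigned int get_foo_len_by_terminator(const uint8_t *buf, int len, int offset)
{
    for (int i = offset; i < len; i++) {
        if (buf[i] == 0x03)
            return (unsigned int)(i - offset + 1);
    }
    return 0;
}

typedef unsigned int (*get_len_fn)(const uint8_t *buf, int len, int offset);

/* Model of the PDU loop the comment describes: ask for the PDU length, hand
 * exactly that many bytes to the per-message dissector, advance by the bytes
 * consumed, repeat until the buffer is exhausted or no length can be found.
 * Records each PDU's (offset, length) and returns how many were found. */
#define MAX_PDUS 8
static int dissect_foo(const uint8_t *buf, int len, get_len_fn get_len,
                       int out_off[MAX_PDUS], unsigned int out_len[MAX_PDUS])
{
    int offset = 0, n = 0;
    while (offset < len && n < MAX_PDUS) {
        unsigned int plen = get_len(buf, len, offset);
        if (plen == 0)
            break;                  /* incomplete PDU: needs more data */
        if (offset + (int)plen > len)
            break;                  /* length claims more bytes than we have */
        out_off[n] = offset;        /* "dissect_foo_message()" would run here */
        out_len[n] = plen;
        n++;
        offset += (int)plen;        /* bytes consumed, loop for the next PDU */
    }
    return n;
}

int main(void)
{
    int off[MAX_PDUS];
    unsigned int ln[MAX_PDUS];
    int n = dissect_foo(SAMPLE, SAMPLE_LEN, get_foo_len_from_field, off, ln);
    printf("length field at offset 4: %d PDU(s)\n", n);
    for (int i = 0; i < n; i++)
        printf("  PDU %d: offset %d, length %u\n", i + 1, off[i], ln[i]);
    n = dissect_foo(SAMPLE, SAMPLE_LEN, get_foo_len_by_terminator, off, ln);
    printf("terminator scan: %d PDU(s)\n", n);
    for (int i = 0; i < n; i++)
        printf("  PDU %d: offset %d, length %u\n", i + 1, off[i], ln[i]);
    return 0;
}
```

Running it prints one 16-byte "PDU" for the length-field strategy and two 9-byte PDUs for the terminator scan. The model does not cover cross-frame state; that is what the visited flag in the comment above is for, and it is independent of how the per-frame length is computed.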
