
Get parent dissector field

Hi,

I'm writing a dissector for a new RTP protocol. Because it is high rate, it extends the standard RTP sequence number from 16 bits to 32 bits by having a "sequence number extension" field to hold the high 16 bits.

What would be really nice in my dissector would be to be able to show the full 32-bit sequence number by reading the 16-bit sequence number from the standard RTP dissector (which is the parent of my dissector), and then combining this with the extension.

Is it possible to easily read a field from a parent protocol in this way?

I've seen some similar questions, but they were all about two custom protocol dissectors interacting, not a custom one interacting with a built-in one (so I can't and don't want to change the existing RTP dissector).

Michael Firth
asked 2022-07-05 15:49:54 +0000

Comments

There's already an extended sequence number computed as part of the conversation data. Is that what you're looking for? See for example: https://gitlab.com/wireshark/wireshar...

cmaynard (2022-07-13 21:55:25 +0000)

From what I can see at a quick glance, the MSBs of that extended sequence number are arbitrary / locally generated. The protocols I'm interested in hold an actual "end-to-end" extended sequence number as part of a "payload header" after the standard RTP header. See the top of page 5 of RFC4175 (https://tools.ietf.org/search/rfc4175) for one example of this - the other protocols I am interested in take their inspiration from that RFC.

Michael Firth (2022-07-14 10:58:26 +0000)

1 Answer


It seems something like the following works - not sure how bad a practice it is...

```lua
.......
Flds.FullSeq = ProtoField.uint32("myproto.FullSequence","Full Sequence Number",base.HEX,nil)
.......
local rtp_seq_field = Field.new("rtp.seq")
.......

function myproto.dissector(buffer, pinfo, tree)
    .......
    local rtp_seq = rtp_seq_field()
    local esn_val = buffer(0,2):uint()
    if rtp_seq ~= nil and esn_field ~= nil then
        local full_seq = esn_val.value * 65536 + rtp_seq.value
        subtree:add(Flds.FullSeq, full_seq):set_generated()
    end
    .......
end
```

Michael Firth
answered 2022-07-14 11:08:35 +0000

Comments

local esn_val = buffer(0,2):uint() - Returns: The unsigned integer value.

Is the .value needed in esn_val.value?

Chuckc (2022-07-14 19:12:48 +0000)
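
The field-extractor approach from the answer, written out as a complete sub-dissector. This is an added example, not the poster's code: the protocol name "myproto", the field names and dynamic payload type 96 are assumptions, and the 16-bit extension is assumed to be the first two bytes of the payload as in the answer. It also covers two cases the snippet leaves out: a payload too short to hold the extension, and a frame that contains more than one rtp.seq.

```lua
-- Added example: names and payload type 96 are assumptions, not from the thread.
local myproto = Proto("myproto", "My RTP Payload (example)")

local f_esn  = ProtoField.uint16("myproto.esn", "Extended Sequence Number", base.HEX)
local f_full = ProtoField.uint32("myproto.full_seq", "Full Sequence Number", base.DEC)
myproto.fields = { f_esn, f_full }

-- Field extractors must be created at load time, outside the dissector function.
local rtp_seq_field = Field.new("rtp.seq")

function myproto.dissector(buffer, pinfo, tree)
    -- Captured bytes are untrusted input: check the length before reading.
    if buffer:len() < 2 then
        return 0                      -- too short to carry the extension
    end

    local subtree = tree:add(myproto, buffer())
    local esn = buffer(0, 2):uint()   -- TvbRange:uint() returns a plain number
    subtree:add(f_esn, buffer(0, 2))

    -- The extractor returns one FieldInfo per rtp.seq seen in the frame so far.
    -- With tunnelled RTP there can be several; the last one belongs to the
    -- RTP layer that handed over this payload.
    local seqs = { rtp_seq_field() }
    local rtp_seq = seqs[#seqs]
    if rtp_seq ~= nil then
        -- A FieldInfo is an object, so its number is read through .value.
        local full = esn * 65536 + rtp_seq.value
        subtree:add(f_full, buffer(0, 2), full):set_generated()
    end
    return 2                          -- bytes consumed by this example
end

-- Assumption: the stream is carried on RTP payload type 96.
DissectorTable.get("rtp.pt"):add(96, myproto)
```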