
Having issues with hex data and endianness

I am taking hex bytes out of a buffer and trying to display them (it's an ID string in hex). I can get the data using

    USID = ProtoField.string("myproto.USID", "usidVersion")

    function myproto_protocol.dissector(buffer, pinfo, tree)
        local subtree = tree:add(myproto_protocol, buffer(), "myproto Protocol Data")
        local headerSubtree = subtree:add(myproto_protocol, buffer(), "Header")
        headerSubtree:add_le(myproto_protocol.fields["USID"], buffer:bytes(2,8):tohex())

However, the displayed info is still not in little endian. I have tried using a bytes ProtoField as well, with less success displaying the data. I am sure I am missing something simple, but I have not messed with hex fields and Little Endian much.

Rex555 asked 2023-04-16 20:29:10 +0000

Comments

What do you mean by an "ID string"?

Is it a character string?

Is it a fixed-length number, from 2 to 8 bytes, to display in hex?

Or is it a variable-length array of bytes?

Guy Harris (2023-04-16 21:23:00 +0000)

1 Answer

From the WSDG:

11.7.2.1. treeitem:add_le([protofield], [tvbrange], [value], [label])
If the ProtoField represents a numeric value (int, uint or float), then it’s treated as a Little Endian value.

You will need to build the string then add it to the tree.

    subtree:add(pf.payload, tvb:range(2,8):le_uint64():tohex())

    headerSubtree:add(myproto_protocol.fields["USID"], buffer:range(2,8):le_uint64():tohex())

Chuckc answered 2023-04-16 22:11:24 +0000, updated 2023-04-16 22:30:35 +0000

Comments

THANK YOU!! I had been trying various incantations but the :le_int64() was the missing piece!

Rex555 (2023-04-16 22:53:33 +0000)

At this site we don't close answered questions, instead the most suitable answer is "accepted" by clicking the checkbox icon next to the answer.

grahamb (2023-04-17 09:16:51 +0000)

Gotcha, I did not see that icon (I did look for it); the only thing I was able to do was close as answered. Will do better in future.

Rex555 (2023-04-17 21:45:46 +0000)

No worries, at least you attempted to acknowledge the help given by others, unfortunately that often isn't the case.

grahamb (2023-04-18 09:45:43 +0000)
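
The two ways of getting a little-endian display discussed in this thread, side by side in one dissector. This is an added example, not code from the question or the answer; the field abbreviations, the `MYPROTO` column text and UDP port 7777 are assumptions, while the offset 2 and length 8 come from the question.

```lua
-- Added example. Field names, abbreviations and the UDP port are assumptions.
local myproto = Proto("myproto", "myproto Protocol")

-- String field: add_le() has no effect on it, so the dissector must build
-- the little-endian hex text itself (the approach from the answer).
local f_usid_str = ProtoField.string("myproto.usid_str", "USID (string)")
-- Numeric field: add_le() decodes the bytes as little endian and base.HEX
-- formats the result, so no manual conversion is needed.
local f_usid_num = ProtoField.uint64("myproto.usid", "USID", base.HEX)
myproto.fields = { f_usid_str, f_usid_num }

local USID_OFFSET, USID_LEN = 2, 8

function myproto.dissector(buffer, pinfo, tree)
    -- Bounds check: a short or truncated packet would otherwise raise a
    -- range error when the 8-byte field is read.
    if buffer:len() < USID_OFFSET + USID_LEN then
        return 0
    end
    pinfo.cols.protocol = "MYPROTO"

    local subtree = tree:add(myproto, buffer(), "myproto Protocol Data")
    local header = subtree:add(myproto, buffer(0, USID_OFFSET + USID_LEN), "Header")
    local usid = buffer:range(USID_OFFSET, USID_LEN)

    -- 1) String ProtoField: read the range as a little-endian UInt64 and
    --    pass its hex text as the value. Passing the range as well keeps
    --    the bytes highlighted in the packet bytes pane.
    header:add(f_usid_str, usid, usid:le_uint64():tohex())

    -- 2) uint64 ProtoField: add_le() treats the range as little endian.
    header:add_le(f_usid_num, usid)

    return USID_OFFSET + USID_LEN
end

-- Port number is a placeholder for wherever the protocol actually runs.
DissectorTable.get("udp.port"):add(7777, myproto)
```

With the numeric field, a display filter on `myproto.usid` can compare against the numeric value; with the string field the filter value has to be the hex text.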