
How do I get and display packet data information at a specific byte from the first byte?

Hello, I am a beginner in Wireshark and dissector building, right now I'm just trying to figure out how to fetch and display packet data. I use the following lines in my dissect function:

guint val;
/* read the byte at offset 1 of the tvb handed to this dissector */
val = tvb_get_guint8(tvb, 1);
/* add it to the tree; start=1, length=1 selects tvb byte [1] in the byte view */
proto_tree_add_uint(masp_tree, hf_masp_data, tvb, 1, 1, val);

Here is an image of the results:

Expected result: 0x00

Actual result: 0x60

Why does fetching the data start from the 43rd byte instead of the very 1st one? How do I resolve this issue?

Thanks

mest112, asked 2017-10-31 15:29:15 +0000; updated by grahamb 2017-10-31 15:41:42 +0000


2 Answers


The offset is due to the headers provided by the other parts of the frame, i.e. the Ethernet, IP and UDP headers. Note that by passing the 4th parameter to proto_tree_add_uint() as 1 you're asking for the byte at offset 1 in your tvb, i.e. the second byte in the UDP payload.

Presumably you have registered your dissector with the UDP dissector, hence the preceding items. The byte view shows the whole frame not just your application data.

It's not clear to me why you expect the result to be 0x00, which byte in the byte view are you expecting to read?

grahamb, answered 2017-10-31 15:49:49 +0000

Comments

Thanks for the answer, I was expecting the second byte (the one beside 01, in the top left corner). I'm aware that passing the 4th parameter as 1 in proto_tree_add_uint() would get me the byte at offset 1 in the tvb, it's just that I was expecting the tvb to start from 01 (the byte at the top left corner of byte view).

The offset is due to the headers provided by the other parts of the frame, i.e. the Ethernet, IP and UDP headers.

Any idea on how I can set this offset to 0?

mest112 (2017-10-31 16:22:57 +0000)

The second byte you are referring to is part of the Ethernet payload, and is not part of the tvb corresponding to the UDP payload (the one that is being given to your dissector). The UDP payload starts at offset 0x2a, so the second byte is 0x60 as seen in your capture.

Why do you want to access the top tvb corresponding to the Ethernet frame?

Pascal Quantin (2017-10-31 16:29:22 +0000)

It's for a project. Is there a way to access the top tvb corresponding to the Ethernet frame?

mest112 (2017-11-01 15:36:12 +0000)

Do you need only the byte or will the Ethernet address do? If the latter, then the packet_info structure passed to your dissector has a member named dl_dst that holds the data link layer destination address.

grahamb (2017-11-02 11:37:52 +0000)

I need only the byte

mest112 (2017-11-02 14:53:18 +0000)

If your traffic is always over Ethernet you can use the pinfo->dl_dst structure and copy it into a local buffer with address_to_bytes(), e.g.

guint8 myBuff[6];   /* an Ethernet address is 6 bytes */
/* dl_dst is an address struct embedded in packet_info, so pass its address;
   address_to_bytes() returns the number of bytes copied */
if (address_to_bytes(&pinfo->dl_dst, myBuff, sizeof myBuff) >= 2) {
    guint8 myByte = myBuff[1];   /* second byte of the destination MAC */
}
grahamb, answered 2017-11-02 19:28:58 +0000, updated 2017-11-03 17:59:34 +0000
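The following is an added example, not code from the question, either answer, or Wireshark itself, and it deliberately avoids the Wireshark API so it can be compiled on its own. It models the two things discussed above on a constructed Ethernet/IPv4/UDP frame (the bytes are made up; the destination MAC starts 01:00 and the payload starts 00 60 so that frame byte 1 is 0x00 and payload byte 1 is 0x60, as in the question): udp_payload_offset() computes where the tvb handed to a UDP-registered dissector begins in the frame, payload_byte() is the equivalent of tvb_get_guint8() on that tvb, and dl_dst_byte() is the equivalent of copying pinfo->dl_dst with address_to_bytes() and indexing the copy. It goes slightly beyond the page's fixed 0x2a by honouring the IPv4 IHL field, since the offset grows when the IP header carries options; VLAN tags and IPv6 are out of scope and are rejected.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN      14
#define ETHERTYPE_IPV4   0x0800
#define IPPROTO_UDP_NUM  17
#define UDP_HDR_LEN      8

/* Constructed sample frame (made up for this example): Ethernet + IPv4 without
   options + UDP + 4 payload bytes. dst MAC begins 01:00 so frame[1] == 0x00,
   and the payload begins 00 60 so payload[1] == 0x60, mirroring the question. */
static const uint8_t sample_frame[] = {
    0x01, 0x00, 0x5e, 0x00, 0x00, 0xfb,             /* Ethernet dst MAC             */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,             /* Ethernet src MAC             */
    0x08, 0x00,                                     /* EtherType IPv4               */
    0x45, 0x00, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, /* IPv4: v4, IHL 5, total len 32 */
    0x40, 0x11, 0x00, 0x00,                         /* TTL 64, proto 17 (UDP), csum */
    0xc0, 0xa8, 0x01, 0x02, 0xc0, 0xa8, 0x01, 0x03, /* 192.168.1.2 -> 192.168.1.3   */
    0x13, 0x88, 0x17, 0x70, 0x00, 0x0c, 0x00, 0x00, /* UDP 5000 -> 6000, len 12     */
    0x00, 0x60, 0x01, 0x02,                         /* application payload          */
};

/* Frame offset at which the UDP payload starts, i.e. where the tvb given to a
   UDP-registered dissector begins. Returns 0 for anything that is not a
   well-formed Ethernet/IPv4/UDP frame (a real payload offset is never 0). */
size_t udp_payload_offset(const uint8_t *frame, size_t len)
{
    if (len < (size_t)(ETH_HDR_LEN + 20 + UDP_HDR_LEN))
        return 0;
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != ETHERTYPE_IPV4)
        return 0;                                /* VLAN tag, IPv6, ...: not handled */
    const uint8_t *ip = frame + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;     /* IPv4 header length, 20..60 bytes */
    if (ihl < 20 || ip[9] != IPPROTO_UDP_NUM)
        return 0;
    size_t off = ETH_HDR_LEN + ihl + UDP_HDR_LEN;
    return off <= len ? off : 0;
}

/* Equivalent of tvb_get_guint8(tvb, off) on the payload tvb: payload byte `off`
   counted from the first byte of the UDP payload. Returns -1 when out of range. */
int payload_byte(const uint8_t *frame, size_t len, size_t off)
{
    size_t base = udp_payload_offset(frame, len);
    if (base == 0 || base + off >= len)
        return -1;
    return frame[base + off];
}

/* Equivalent of copying pinfo->dl_dst with address_to_bytes() and indexing the
   copy: byte `idx` of the 6-byte Ethernet destination address. */
int dl_dst_byte(const uint8_t *frame, size_t len, size_t idx)
{
    if (len < ETH_HDR_LEN || idx >= 6)
        return -1;
    return frame[idx];
}

int main(void)
{
    size_t n = sizeof sample_frame;
    size_t off = udp_payload_offset(sample_frame, n);
    printf("UDP payload starts at frame offset %zu (0x%zx)\n", off, off);
    printf("payload byte 1 = 0x%02x, frame byte 1 (dl_dst[1]) = 0x%02x\n",
           payload_byte(sample_frame, n, 1), dl_dst_byte(sample_frame, n, 1));
    return 0;
}
```

Running it reports the payload offset 42 (0x2a) and the two bytes 0x60 and 0x00, which is exactly the difference the question observed: offset 1 in the sub-dissector's tvb is frame byte 43, while the byte "beside 01" in the byte view is frame byte 1, the second byte of the destination MAC.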
