In a previous e-mail I suggested the usage of
tvbuff_t *tvb = tvb_new_subset(pi.compat_top_tvb, offset, -1, -1);
to create a tvbuff for a dissector which did not accept a tvbuff in its
argument list (all of the dissector-table dissectors).
This suggestion is wrong, because some dissectors (ethernet!) can modify
the length of their packet data. That is, some ethernet packets have a trailer,
so those trailing bytes are excluded from the next tvbuff
(and are subtracted from pi.len and pi.captured_len).
The correct usage is more like:
tvb_new_subset(pi.compat_top_tvb, offset, pi.captured_len - offset,
pi.len - offset);
To make this easier to use, I have added a macro called tvb_create_from_top() to
tvbuff.h (which is automatically included in each dissector through packet.h)
It takes one argument, the name of your offset variable. (Some authors use 'offset',
some use 'o').
Here's an example from dissect_ipx():
#if 0
void
dissect_ipx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
#else
void
dissect_ipx(const u_char *pd, int offset, frame_data *fd, proto_tree *tree)
{
packet_info *pinfo = π
tvbuff_t *tvb = tvb_create_from_top(offset);
#endif
I have documented this change in doc/README.tvbuff, and have modifed all the
dissectors that needed this change.
--gilbert
