Ethereal-dev: Re: [ethereal-dev] Previous dissector?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Marcus Haebler <haebler@xxxxxxxxxxxxxxxxxxxxxx>
Date: Sat, 22 Jul 2000 08:41:06 -0400 (EDT)
To answer your question: for a project I will need to know if an IPSec AH
packet on the wire authenticates correctly. Of course, it requires giving
the authentication key (basically one has to add an SADB) to Ethereal and
linking with openssl to get the md5 and sha-1 stuff in. AH authenticates the
IP header + the payload. Therefore one needs access to the IP header from
the AH dissector. I am also looking at ESP.

Hope that clarifies the why. :)

Cheers,

Marcus

On Fri, 21 Jul 2000, Gilbert Ramirez wrote:

> On Sat, Jul 22, 2000 at 12:34:37AM -0400, Marcus Haebler wrote:
> > I was wondering if there is a clean way of getting the offset in the
> > frame for the previous dissector in current dissector. E.g. for finding
> > the corresponding IP header in the AH dissector.
> 
> No, not cleanly. It can be done, however. But why? Most protocols
> don't care very much about the previous protocol. In the cases that they
> do, they usually only care about one or two specific fields (like the IP
> address or IPX address). Are you sure you need to know the previous offset?
> We have the packet_info struct (see packet.h) for storing useful information
> during the dissection of a single packet. That might fill your need.
> 
> Anyway, the tree argument that is passed to the dissector function is
> really a GNode*. You could query that to see how many items it has, grab
> the last item (or penultimate, if you have already added a branch to 'tree'),
> pull its field_info* pointer (the GNode holds a 'data' item,
> which is where we store our data, the field_info*), and then look
> at the 'start' variable in that field_info struct.
> 
> Again.... "But why?"
> 
> --gilbert
>
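The check discussed in this thread, as an added example that is not part of the original messages and not Ethereal code: the AH integrity check value covers the IP header as well as the payload, so the verifier needs the whole packet, with the fields that routers change in transit zeroed before the HMAC is computed. It assumes IPv4 without options, transport mode and a 96-bit truncated HMAC; the function names, key and sample packet are constructed for illustration.

```python
import hmac
import struct

AH_PROTO, ICV_LEN = 51, 12   # 96-bit truncated ICV (HMAC-MD5-96 / HMAC-SHA-1-96)


def ah_icv(frame: bytes, key: bytes, digest: str = "sha1") -> bytes:
    """ICV over IPv4 + AH: IP header (mutable fields zeroed), AH header, payload."""
    if len(frame) < 44 or frame[0] != 0x45 or frame[9] != AH_PROTO:
        raise ValueError("expected IPv4 without options carrying AH")
    ihl = 20
    total = struct.unpack("!H", frame[2:4])[0]
    if (frame[ihl + 1] + 2) * 4 != 12 + ICV_LEN or not ihl + 24 <= total <= len(frame):
        raise ValueError("unexpected AH or packet length")
    buf = bytearray(frame[:total])          # drop any link-layer padding
    buf[1] = 0                              # TOS
    buf[6:8] = b"\x00\x00"                  # flags + fragment offset
    buf[8] = 0                              # TTL
    buf[10:12] = b"\x00\x00"                # header checksum
    buf[ihl + 12:ihl + 12 + ICV_LEN] = bytes(ICV_LEN)   # the ICV field itself
    return hmac.new(key, bytes(buf), digest).digest()[:ICV_LEN]


def ah_verify(frame: bytes, key: bytes, digest: str = "sha1") -> bool:
    """Compare the computed ICV with the one carried in the AH header."""
    received = frame[32:32 + ICV_LEN]       # 20-byte IP header + 12 bytes of AH
    return hmac.compare_digest(ah_icv(frame, key, digest), received)


def build_sample(key: bytes, digest: str = "sha1") -> bytes:
    """Constructed packet: 10.0.0.1 -> 10.0.0.2, AH wrapping an 8-byte payload."""
    payload = b"\x04\xd2\x00\x35\x00\x08\x00\x00"       # made-up UDP header
    ah = struct.pack("!BBHII", 17, 4, 0, 0x1000, 1) + bytes(ICV_LEN)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ah) + len(payload),
                     0x1234, 0, 64, AH_PROTO, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    pkt = bytearray(ip + ah + payload)
    pkt[32:44] = ah_icv(bytes(pkt), key, digest)
    return bytes(pkt)


if __name__ == "__main__":
    key = b"constructed-test-key"
    pkt = bytearray(build_sample(key))
    pkt[8] -= 1                              # a router decrements the TTL
    print("after TTL change:", ah_verify(bytes(pkt), key))
    pkt[12] ^= 0x01                          # source address altered
    print("after address change:", ah_verify(bytes(pkt), key))
```
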