Wireshark · Ethereal-dev: Re: [Ethereal-dev] Reassembly & tvb_find

Ethereal-dev: Re: [Ethereal-dev] Reassembly & tvb_find_guint8()

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Thu, 10 Feb 2005 09:54:18 -0500

> OK, so tcp_dissect_pdus() has presumably already done the reassembly, 
> and handed your dissector a 2424-byte tvbuff that starts with the data 
> at an offset of 0x42 from the beginning of packet #5 - i.e., the first 
> four bytes of the tvbuff are 00 00 09 74.
> 
> So the first record starts at an offset of 0x18 from the beginning of 
> that tvbuff, and goes through offset 0x47 of that tvbuff, with 0x47 
> having the last FF in the terminator.

Correct. Obviously having the PCAP was helpful. :-)

> > next_terminator = tvb_find_guint8(tvb, offset, -1, 255);
> > 
> > I had inserted a bunch of fprintf() calls in my function, to watch where
> > terminators were being found, the size of tvbuff, etc. The output should
> be
> > pretty self-explanatory:
> > 
> > ...
> > In find_record_terminator, size of tvb: 2424, tvb remaining, 1056, offset:
> 1368
> > Next terminator: 1412
> > Success: record ends at 1416
> > In find_record_terminator, size of tvb: 2424, tvb remaining, 1008, offset:
> 1416
> > Next terminator: -1
> 
> So those are offsets within the tvbuff, rather than offsets within 
> packet 5, right?

Again, correct. I set offset = 0 at the start of dissection and increment it
each time I parse a given field/set of fields. Offset 0 is the same as byte 0x42
in packet 5 (which starts our 0x00000974 length field).

> > Since I know that there's *at least* one more terminator byte in my tvbuff,
> that
> > shouldn't be happening. I suspect that the problem is because there are no
> more
> > terminators left in packet #5, which should end at offset 1448 of tvbuff.
> 
> That *shouldn't* be happening.  Could you send a copy of your WINS 
> dissector, so we can see whether there's a bug somewhere in the tvbuff 
> code?  I suppose it's possible that some remnant of the packet 
> boundaries are still around in the reassembled tvbuff, although I'm not 
> sure where that'd happen.
> 

I've attached it. Keep in mind that this is still not a finished product, and as
such is not yet intended for formal publication. Hopefully it's good enough to
at least let you determine whethere there is a bug in the tvbuff code. :-)

Alex Kirk

Attachment: packet-wins.c
Description: Binary data

References:
- [Ethereal-dev] Reassembly & tvb_find_guint8()
  - From: Alex Kirk
- Re: [Ethereal-dev] Reassembly & tvb_find_guint8()
  - From: Guy Harris
- Re: [Ethereal-dev] Reassembly & tvb_find_guint8()
  - From: Alex Kirk
- Re: [Ethereal-dev] Reassembly & tvb_find_guint8()
  - From: Guy Harris

Prev by Date: Re: [Ethereal-dev] does ethereal team have plan to support decode more scsi commands?
Next by Date: [Ethereal-dev] Bug in OSPF dissector
Previous by thread: Re: [Ethereal-dev] Reassembly & tvb_find_guint8()
Next by thread: Re: [Ethereal-dev] [patch] minor bug fix for stun dissector error attribute
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$