Ethereal-dev: Re: [Ethereal-dev] Obtaining previous dissector information

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 24 Aug 2005 10:15:55 -0700
Mark Pilant wrote:

> I've read over the various README files, and haven't been able to
> determine if there is a clean/easy way to obtain information from
> a previous portion of the frame; already processed by a dissector.

There is no *general* way.

However:

> For example, if I was currently processing the SMB frame payload
> and I needed some of the TCP payload (e.g., source IP address)

(You mean "IP payload" - or, perhaps, "IP header" - in that case.)

> what is the best way to do it?

You'd get the source IP address from pinfo->net_src, if it's present (which it should always be, for protocols running atop TCP).

Note that this is *NOT* necessarily an IPv4 address. pinfo->net_src is a structure of type "address", which has a member called "type", which, in the case of an IP address, could be AT_IPv4 or AT_IPv6. Depending on the value of "type", the "data" member points either to the 4 bytes of an IPv4 address or the 16 bytes of an IPv6 address.

> I can think of a couple of not so nice
> ways, all violating the payload boundaries,

Just out of curiosity, what are those ways? (Note that the tvbuff your dissector is handed does *NOT* allow references to bytes before its beginning, so it does *NOT* allow access to headers before your protocol's data.)
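
Added example (not part of the original message, and not Ethereal source code): a sketch of reading an address such as pinfo->net_src safely, checking "type" before touching "data" as the reply describes. The struct below is a stand-in so the code compiles without the Ethereal headers; its enum values, the "len" member and the function name format_net_src are assumptions made for this illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Stand-in for Ethereal's "address" type so this compiles without the
 * Ethereal headers; the enum values and the len member are assumptions. */
typedef enum { AT_NONE, AT_IPv4, AT_IPv6 } address_type;
typedef struct {
    address_type type;          /* which kind of address data points to */
    int len;                    /* number of bytes available at data */
    const unsigned char *data;  /* raw address bytes, network order */
} address;

/* Format a network-layer source address as text.
 * Returns 0 on success, -1 if the address is absent, is not IP, or its
 * length does not match its type (so data is never over-read). */
int format_net_src(const address *src, char *buf, size_t buflen)
{
    int af, want;

    if (src == NULL || src->data == NULL)
        return -1;
    switch (src->type) {
    case AT_IPv4: af = AF_INET;  want = 4;  break;
    case AT_IPv6: af = AF_INET6; want = 16; break;
    default:      return -1;    /* AT_NONE or a non-IP network layer */
    }
    if (src->len != want)
        return -1;
    return inet_ntop(af, src->data, buf, (socklen_t)buflen) ? 0 : -1;
}

/* Constructed sample addresses from the documentation ranges. */
static const unsigned char sample_v4[4] = { 192, 0, 2, 10 };
static const unsigned char sample_v6[16] =
    { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };

int main(void)
{
    char text[INET6_ADDRSTRLEN];
    address v4 = { AT_IPv4, 4, sample_v4 };
    address v6 = { AT_IPv6, 16, sample_v6 };

    if (format_net_src(&v4, text, sizeof text) == 0) printf("%s\n", text);
    if (format_net_src(&v6, text, sizeof text) == 0) printf("%s\n", text);
    return 0;
}
```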