Wireshark · Ethereal-dev: Re: [Ethereal-dev] Creating buffer for Decryption/Decompression

Ethereal-dev: Re: [Ethereal-dev] Creating buffer for Decryption/Decompression

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Thu, 23 Mar 2006 10:33:27 -0800

Jasim Tariq wrote:

I have tried using the function "tvb_get_ephemeral_string" to grab thecomplete buffer till the end(using -1 for length) but I get an error inethereal that says "Malfunctioned Packet" since I am also using thebuffer to display some other contents of the protocol and after usingthis command I cannot access the default buffer "tvb". Nothing isdisplayed after that.

Nothing's displayed after that because an exception is thrown, and, oncewhatever call you're making tries to get more data from the packet thanis in the packet (which is why you got the "Malformed packet" error),the exception thrown by that attempt means a longjmp() is done and nomore dissection is done on that packet.

Using the "tvbuff.h" file and its inplementation in "tvbuff.c", Iunderstand that there are some other functions which will enable me tocreate a buffer of type tvbuff_t and then use the "guint8 *realdata"part of the tvbuff_t obtained to pass into my function. What functionsare those? But this process will require creating another tvbuff_t.

See "dissect_icqv5Client()" in epan/dissectors/packet-icq.c for anexample of code that decrypts data from a tvbuff and constructs a newtvbuff used to dissect the decrypted data.

I am not using the function "tvb_get_ptr" because there is a comment in"tvbuff.h" file that says:
* The returned pointer is data that is internal to the tvbuff, so do not
* attempt to free it. Don't modify the data, either, because another tvbuff
* that might be using this tvbuff may have already copied that portion of
* the data (sometimes tvbuff's need to make copies of data, but that's the
* internal implementation that you need not worry about). Assume that the
* guint8* points to read-only data that the tvbuff manages.
What would be a better and effective solution that won't effect thedefault tvbuff_t "tvb" in this case. I only need a guint8* to pass intomy function that performs the decompression/decryption.

Use tvb_get_ptr(). You don't need to free that data, and don't need tomodify it, to decompress and decrypt it; you'll be storing thedecompressed, decrypted data in a separate buffer, as you already noted.

References:
- [Ethereal-dev] Creating buffer for Decryption/Decompression
  - From: Jasim Tariq

Prev by Date: Re: SV: [Ethereal-dev] Patch for Bug #817
Next by Date: Re: [Ethereal-dev] Length/reported length
Previous by thread: [Ethereal-dev] Creating buffer for Decryption/Decompression
Next by thread: [Ethereal-dev] Length/reported length
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$