Wireshark-dev: Re: [Wireshark-dev] need to read three bytes of offset
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: prashanth s <prbanglore@xxxxxxxxx>
Date: Fri, 5 Mar 2010 03:20:33 +0530
Hi Chris,

I am reading the 3 bytes directly from the pcap file. I have implemented my parser using the libpcap source code.

I wish I could use a function similar to tvb_get_ntoh24 ( ). The functions provided by wireshark are marvelous.
I have written a couple of dissectors on wireshark earlier. 

Regards,
Prashanth

On Fri, Mar 5, 2010 at 2:41 AM, Maynard, Chris <Christopher.Maynard@xxxxxxxxx> wrote:

Are you really reading those 3 bytes directly from the pcap file, or are you reading them from a tvbuff that wireshark hands your dissector?

 

If from a tvbuff, why not just use tvb_get_ntoh24()?  And if you’re not doing anything with that value except for adding it to your tree, you can just use proto_tree_add_item() with the item specified as either FT_INT24 or FT_UINT24, whichever the case may be.

 

- Chris

 

 

From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of prashanth s
Sent: Thursday, March 04, 2010 3:57 PM


To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] need to read three bytes of offset

 

Oh, then it looks correct to write a function that reads 3 bytes int value from pacp / wire and convert it to an int? This is what I have done: I read the three bytes from the pcap in to an array of three bytes. And then I memcpy these 3 bytes from array to an int variable(which has been memset with 0's) And then I do a ntohl on this int variable and return it as an int.

 

Thanks Guy Harris,

Regards,

Prashanth

 

On Fri, Mar 5, 2010 at 2:17 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:


On Mar 4, 2010, at 12:42 PM, prashanth joshi wrote:

> thanks for the clarification.
> I was writing a function to read such 3 byte values and convert them to int. Unaware that uint24 field is supported in C (I have seen uint24 field only in wireshark).
> Now I am using the uint24 type.

Standard C doesn't have a uint24 data type (even C99 doesn't have uint24_t).  I suppose if you're using C on the Datacraft/Harris machines (no relation):

       http://bolt.beetlebolt.com/blog/?m=200706

you'd have a 24-bit data type, but most if not all machines capable of running Wireshark have 8-bit bytes and 32-bit or 64-bit registers.

Wireshark supports 24-bit integral-valued fields - but you put the values into 32-bit variables.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

 

CONFIDENTIALITY NOTICE: The contents of this email are confidential
and for the exclusive use of the intended recipient. If you receive this
email in error, please delete it from your system immediately and 
notify us either by email, telephone or fax. You should not copy,
forward, or otherwise disclose the content of the email.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe