Wireshark-users: Re: [Wireshark-users] Newbie question: what to make of some COTP decoding.
On 8/1/2012 9:34 AM, Andre Steenveld wrote:
> Hi,
> I’m quite new to using wireshark and have a question about some output
> for the COTP protocol.
> I tried to find an answer in the wireshark documentation and in the
> archives but could not come up with a full answer.
I'm not familiar with the OSI protocols (COTP, etc) so all I can offer
is based upon a quick look at the code.
http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-ositp.c?revision=43536&view=markup&sortby=date
From packet-ositp.c
    ositp_decode_DT(...) {
      ...
      case LI_NORMAL_DT_CLASS_01 :
        tpdu_nr = tvb_get_guint8(tvb, offset + P_TPDU_NR_0_1);
        if ( tpdu_nr & 0x80 )
          tpdu_nr = tpdu_nr & 0x7F;
        else
          fragment = TRUE;
        is_extended = FALSE;
        is_class_234 = FALSE;
        prev_dst_ref = p_get_proto_data (pinfo->fd, proto_clnp);
        if (!prev_dst_ref) {
          /* First COTP in frame - save previous dst_ref as offset */
          prev_dst_ref = se_alloc (sizeof (guint32));
          *prev_dst_ref = cotp_dst_ref;
          p_add_proto_data (pinfo->fd, proto_clnp, prev_dst_ref);
        } else if (cotp_frame_reset) {
          cotp_dst_ref = *prev_dst_ref;
        }
        cotp_frame_reset = FALSE;
        cotp_last_fragment = fragment;
        dst_ref = cotp_dst_ref;
        conv = find_conversation (pinfo->fd->num, &pinfo->src, &pinfo->dst,
                                  pinfo->ptype, pinfo->srcport,
                                  pinfo->destport, 0);
        if (conv) {
          /* Found a conversation, also use index for the generated
             dst_ref */
          dst_ref += (conv->index << 16);
        }
        if (!fragment) {
          cotp_dst_ref++;
          register_frame_end_routine(cotp_frame_end);
        }
        break;
It seems that in this case a dst ref is "generated" using the
dst_ref + the 'conversation_index << 16'.
The 'conversation_index' is simply a Wireshark internal number which is
assigned in ascending order for each "conversation" (connection)
encountered in a capture.
It also seems that there's some stuff going on about saving/retrieving
dst_ref.
I've no idea what this is really about, but maybe it will make sense to you.
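
Added example (not part of the original message and not Wireshark's code): a stand-alone C model of the class 0/1 branch quoted above, showing how the generated dst ref combines a running counter with the conversation index and how a displayed value can be split back into the two. The names `model_dt_class01`, `ref_conv_index` and `ref_counter` are hypothetical, the input octets are constructed, and the per-frame save/restore of the counter is left out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Models the running counter the excerpt calls cotp_dst_ref (assumed 32-bit,
 * matching the guint32 allocation in the excerpt). */
static uint32_t counter;

typedef struct {
    uint8_t  tpdu_nr;   /* low 7 bits of the TPDU-NR/EOT octet */
    bool     fragment;  /* true when the EOT bit (0x80) is clear */
    uint32_t dst_ref;   /* generated value, as it would be displayed */
} dt_info;

void model_reset(void) { counter = 0; }

/* nr_eot: the octet read at P_TPDU_NR_0_1. conv_index is ignored when
 * have_conv is false (no conversation was found). */
dt_info model_dt_class01(uint8_t nr_eot, bool have_conv, uint32_t conv_index)
{
    dt_info r;
    r.fragment = (nr_eot & 0x80) == 0;
    r.tpdu_nr  = nr_eot & 0x7F;
    r.dst_ref  = counter;
    if (have_conv)
        r.dst_ref += conv_index << 16;
    if (!r.fragment)
        counter++;      /* the next TSDU gets a new reference */
    return r;
}

/* Split a generated value. Only meaningful while the counter is below
 * 0x10000; past that it carries into the conversation-index bits. */
uint32_t ref_conv_index(uint32_t dst_ref) { return dst_ref >> 16; }
uint32_t ref_counter(uint32_t dst_ref)    { return dst_ref & 0xFFFF; }

int main(void)
{
    /* Constructed input: one octet and one conversation index per DT TPDU. */
    const uint8_t  octets[] = { 0x00, 0x01, 0x82, 0x80 };
    const uint32_t convs[]  = { 1, 1, 1, 2 };
    model_reset();
    for (int i = 0; i < 4; i++) {
        dt_info d = model_dt_class01(octets[i], true, convs[i]);
        printf("nr=%u fragment=%d dst_ref=0x%08x conv=%u counter=%u\n",
               (unsigned)d.tpdu_nr, d.fragment, (unsigned)d.dst_ref,
               (unsigned)ref_conv_index(d.dst_ref), (unsigned)ref_counter(d.dst_ref));
    }
    return 0;
}
```

In this model all fragments of one TSDU share a generated reference, and the counter is shared across conversations, so the low 16 bits do not restart at zero for each connection.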