Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: [Wireshark-dev] [SPAM] Re: questions about conversations

From: Tomasz Noiński <noix@xxxxxxxxx>
Date: Wed, 23 May 2007 00:10:43 +0200
On Tue, 22 May 2007 13:37:41 -0700
Stephen Fisher <stephentfisher@xxxxxxxxx> wrote:

> On Thu, May 17, 2007 at 11:08:57AM +0200, Tomasz Noi?ski wrote:
> > On Wed, 16 May 2007 15:48:36 -0700
> > Guy Harris <guy@xxxxxxxxxxxx> wrote:
> > 
> > > Perhaps we need to have the key for the protocol data routines be a 
> > > frame number and an offset within the frame, so that there can be 
> > > multiple protocol data items within a link-layer frame.
> > 
> > I think "offset within a frame" might be not enough: For example, in 
> > my case, I decode the packets first, creating a nev tvb with 
> > tvb_new_real_data(). So, unless there's some tvb-magic I don't know 
> > about, simple offset just isn't enough.
> > 
> > Numbering packets manually inside a frame (for example, as an 
> > alternative to providing an offset, as Steve suggested) might be the 
> > best solution...
> 
> Would you mind sharing the code you have so far so we can study it and 
> see if the offset would work or not?

I solved this particular problem, but it's not an elegant solution:
- my own id for pdus inside one frame (with help of a global variable -
yuck!),
- my own GHashTable in proto_data with those ids as a key.
However, if it might help develop a better solution, I'll be happy to
provide my example!

It's a lot of code and it doesn't work together yet, so I'll just post
simplified fragments/pseudocode that I think are most relevant.


/* The dissector routine passed to wireshark.
   "P5 Datagrams" are COBS-encoded, so every datagram is
   between two '\0' (\0-s are escaped).
   Each such COBS-encoded datagram (without \0-s) is passed
   to dissect_p5_cobsed_datagram.

   BTW did I get the TCP-desegmentation thing?
   I had some issues with the TCP dissector :(
*/
int dissect_p5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {
  // (...)
  while (1) {
    separator_offset = tvb_find_guint8(tvb, offset, -1, '\0');
    if (separator_offset == -1) {
      if (offset==available) {
	return offset;
      } else {
	pinfo->desegment_offset = 0;
	pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
	return -1;
      }
    }
    pdu_len = separator_offset - offset;
    if (pdu_len > 0) {
      pdu_tvb = tvb_new_subset(tvb, offset, pdu_len, pdu_len);
      dissect_p5_cobsed_datagram(pdu_tvb, pinfo, tree);
    }
    offset += pdu_len + 1;
  }
}


/* this one dissects one COBS-encoded "P5 datagram" */
static int dissect_p5_cobsed_datagram(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {
  guint8 *uncobs = NULL;
  tvbuff_t *uncobs_tvb = NULL;
  // ...
  uncobs = (guint8*) ep_alloc(bufsiz + 1);
  // fill "uncobs" with unCOBSed tvb
  uncobs_tvb = tvb_new_real_data(uncobs, bufsiz, bufsiz);
  dissect_p5_datagram(uncobs_tvb, pinfo, new_tree);
}


/* single "P5 datagram" dissector */
static int dissect_p5_datagram(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {
  // ...
  // and here is where I want to use "proto data"!
}


Noix