Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Wireshark-dev: Re: [Wireshark-dev] Obtaining protocol offsets from dissection results

Date Index Thread Index Other Months All Mailing Lists

Date Prev Date Next Thread Prev Thread Next

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 05 Jun 2008 22:10:48 -0700

Eloy Paris wrote:

For each layer (protocol) in a packet I need to obtain the offset into
the packet. For example, for "eth:ip:icmp:data", the offsets would be:

    eth:   0
    ip:   14 (IP with no options)
    icmp: 34 (ICMP echo request)
    data: 42

I have been using the value of the "start" field of "struct field_info"
(epan/proto.h). However, I just found out that in some cases "start" can
be zero.

"Some cases" includes any case where you have reassembly - whetherIPv4/v6 fragmentation reassembly, reassembly of packet chunks in a TCPstream, etc..

It also includes cases where you have compressed packet data that'sdecompressed before dissection (in which case it's not clear what theoffset would mean) or encrypted packet data that's decrypted beforedissection.


I.e., the general problem is insoluble.  What is it you're trying to do?

Follow-Ups:
- Re: [Wireshark-dev] Obtaining protocol offsets from dissection results
  - From: Eloy Paris

References:
- [Wireshark-dev] Obtaining protocol offsets from dissection results
  - From: Eloy Paris

Prev by Date: [Wireshark-dev] Obtaining protocol offsets from dissection results
Next by Date: Re: [Wireshark-dev] Build Failure.Please help!!
Previous by thread: [Wireshark-dev] Obtaining protocol offsets from dissection results
Next by thread: Re: [Wireshark-dev] Obtaining protocol offsets from dissection results
Index(es):
- Date
- Thread