
Wireshark-dev: Re: [Wireshark-dev] accessing field in IP header from L2TP dissector

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 17 Jul 2008 20:21:43 -0700

On Jul 17, 2008, at 7:58 PM, alex volinsky wrote:

> I'm adding a DOCSIS DEPI dissector to Wireshark. The packet format is Ethernet/IPv4/L2TPv3/DEPI. To parse the DEPI payload correctly, I need to know the packet length, which is obtained from the IP header.

Does the DEPI dissector need to know how big the *IP* packet is, or just how big the *DEPI* packet is? I don't see anything obvious in

	http://www.cablelabs.com/specifications/CM-SP-DEPI-I05-070223.pdf

to indicate that anything that reads the DEPI packet needs to care about the length of the headers preceding the DEPI packet.

(In addition, note that you'd need to know how big the IPv4 header is. Furthermore, at least as I read that spec, the packet format could either be Ethernet/IPv4/L2TPv3/DEPI *OR* Ethernet/IPv4/UDP/L2TPv3/DEPI, so the IP header length isn't sufficient, either.)

> One of the options is to set my data pointer 18 bytes back in the beginning of L2TPv3 header dissector,

That's not a valid option - your dissector gets handed a tvbuff that is not guaranteed to provide access to any data other than the L2TP tunnel payload. (The implementation might happen not to prevent you from referring to data before the beginning of the tvbuff, but we make no guarantee whatsoever that this will continue to work, and will never make such a guarantee.)
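
An added illustration of the two points in this reply (not Wireshark code and not part of the thread): each layer hands the next one a bounded view, so the payload length is the length of that view, and a fixed step backwards fails both the bounds check and the variable-header cases. `view_t`, `tunnel_view` and `make_pkt` are hypothetical names, and the two packets are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded view: models the idea of a tvbuff, not Wireshark's API. */
typedef struct { const uint8_t *data; size_t len; } view_t;
static const view_t EMPTY = { NULL, 0 };

/* Checked read: -1 for any offset outside the view, including negative ones. */
static int view_u8(view_t v, long off) {
    return (off < 0 || (size_t)off >= v.len) ? -1 : v.data[off];
}

/* Sub-view [off, off+len) of v, or EMPTY if the range does not fit. */
static view_t view_sub(view_t v, size_t off, size_t len) {
    if (off > v.len || len > v.len - off) return EMPTY;
    view_t s = { v.data + off, len };
    return s;
}

/* IPv4 layer: header size comes from IHL, an optional 8-byte UDP header is
 * skipped, and only the remaining bytes are handed to the tunnel layer.
 * The UDP length field is not cross-checked in this sketch. */
static view_t tunnel_view(view_t ip) {
    if (ip.len < 20 || (ip.data[0] >> 4) != 4) return EMPTY;
    size_t ihl = (size_t)(ip.data[0] & 0x0F) * 4;
    size_t total = ((size_t)ip.data[2] << 8) | ip.data[3];
    if (ihl < 20 || total < ihl || total > ip.len) return EMPTY;
    view_t p = view_sub(ip, ihl, total - ihl);
    if (ip.data[9] != 17) return p;        /* e.g. 115: L2TPv3 directly over IP */
    return p.len < 8 ? EMPTY : view_sub(p, 8, p.len - 8);
}

/* Constructed sample packet: zeroed headers with only the fields used above. */
static view_t make_pkt(uint8_t *buf, unsigned ihl_words, uint8_t proto, size_t n) {
    size_t total = ihl_words * 4u + (proto == 17 ? 8u : 0u) + n;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | ihl_words);
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)(total & 0xFF);
    buf[9] = proto;
    view_t v = { buf, total };
    return v;
}

int main(void) {
    uint8_t a[64], b[64];
    view_t ta = tunnel_view(make_pkt(a, 5, 115, 12));  /* IPv4 / tunnel */
    view_t tb = tunnel_view(make_pkt(b, 6, 17, 12));   /* IPv4 with options / UDP / tunnel */
    printf("len %zu at +%td, len %zu at +%td, read(-18)=%d\n",
           ta.len, ta.data - a, tb.len, tb.data - b, view_u8(ta, -18));
    return 0;
}
```

Both samples give the tunnel layer the same 12-byte view, although it starts 20 bytes into one packet and 32 bytes into the other.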