Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] accessing field in IP header from L2TP dissector

From: alex volinsky <alexice71@xxxxxxxxx>
Date: Fri, 18 Jul 2008 09:47:05 -0700 (PDT)
>Does the DEPI dissector need to know how big the *IP* packet is, or 
>just how big the *DEPI* packet is?  I don't see anything obvious in
    http://www.cablelabs.com/specifications/CM-SP-DEPI-I05-070223.pdf

>to indicate that anything that reads the DEPI packet needs to care 
>about the length of the headers preceding the DEPI packet.
DEPI works in two modes: D-MPT and PSP. In D-MPT mode, DOCSIS packets are encapsulated into MPEG2-TS fixed-size frames of 188 bytes. In one L2TPv3 payload, there could be from 1 to 7 MPEG2-TS frames. There is no length information in L2TPv3, so I'm looking into IP header.
 
>(In addition, note that you'd need to know how big the IPv4 header 
>is.  Furthermore, at least as I read that spec, the packet format 
>could either be Ethernet/IPv4/L2TPv3/DEPI *OR* Ethernet/IPv4/UDP/
>L2TPv3/DEPI, so the IP header length isn't sufficient, either.)
You are right. I need to account for possible UDP header.
 
Thanks for response,
Alex Volinsky

 
----- Original Message ----
From: Guy Harris <guy@xxxxxxxxxxxx>
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Sent: Thursday, July 17, 2008 8:21:43 PM
Subject: Re: [Wireshark-dev] accessing field in IP header from L2TP dissector


On Jul 17, 2008, at 7:58 PM, alex volinsky wrote:

> I'm adding DOCSIS DEPI dissector to Wireshark. The packet format is 
> Ethernet/ IPv4 / L2TPv3/ DEPI.  To parse DEPI payload correctly, I 
> need to know the packet length, which is obtained from IP header.

Does the DEPI dissector need to know how big the *IP* packet is, or 
just how big the *DEPI* packet is?  I don't see anything obvious in

    http://www.cablelabs.com/specifications/CM-SP-DEPI-I05-070223.pdf

to indicate that anything that reads the DEPI packet needs to care 
about the length of the headers preceding the DEPI packet.

(In addition, note that you'd need to know how big the IPv4 header 
is.  Furthermore, at least as I read that spec, the packet format 
could either be Ethernet/IPv4/L2TPv3/DEPI *OR* Ethernet/IPv4/UDP/
L2TPv3/DEPI, so the IP header length isn't sufficient, either.)

> One of the options is to set my data pointer 18 bytes back in the 
> beginning of L2TPv3 header dissector,

That's not a valid option - your dissector gets handed a tvbuff that 
is not guaranteed to provide access to any data other than the L2TP 
tunnel payload.  (The implementation might happen not to prevent you 
from referring to data before the beginning of the tvbuff, but we make 
no guarantee whatsoever that this will continue to work, and will 
never make such a guarantee.)

_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-dev