Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Wireshark-dev: Re: [Wireshark-dev] Tips on using ETT for variable sized data

Date Index Thread Index Other Months All Mailing Lists

Date Prev Date Next Thread Prev Thread Next

From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
Date: Tue, 3 Feb 2009 17:38:23 -0700

On Tue, Feb 03, 2009 at 05:31:43PM -0500, James Gallogly wrote:

> I am writing a dissector for a protocol where a packet contains 
> several different kinds of internal msgs and has 0-N instances of each 
> kind of internal message. I am trying to figure out the best way to 
> set up the etts. (I am new to writing dissectors so maybe I am 
> thinking about it all wrong)

> Keep in mind the index for A and B are irrelevant to the data inside 
> them.so int 1 and int 2 might form an "ID" for the A data and float 1 
> might form an "ID" for the B data.

Try looking at the VNC dissector (epan/dissectors/packet-vnc.c).  I 
spent quite a while building trees and sub-trees in a similar fashion to 
what you're describing.  You can grab vnc-sample.pcap from 
http://wiki.wireshark.org/SampleCaptures to see the results.

Steve

References:
- [Wireshark-dev] Tips on using ETT for variable sized data
  - From: James Gallogly

Prev by Date: Re: [Wireshark-dev] explicitly stop capture with Tshark
Next by Date: [Wireshark-dev] After latitude/longitude - construct a URL that takes you to a map?
Previous by thread: [Wireshark-dev] Tips on using ETT for variable sized data
Next by thread: [Wireshark-dev] explicitly stop capture with Tshark
Index(es):
- Date
- Thread