
Wireshark-dev: [Wireshark-dev] Question to header fields and tvb

From: arno <arnoc@xxxxxxx>
Date: Tue, 14 Jul 2009 19:59:28 +0200
Hey Guys,

I'm writing a plugin to dissect a protocol the company I'm working for uses, and I have one problem that no readme or developer guide could solve yet.

The problem is that many parts of the protocol do not always consist of the same amount of bytes. Therefore the bytes have to be decoded that way (java code):
int decode(bytestream stream){
   int b = stream.readByte();
   int t = b;
   // keep reading while the last byte read is above 127
   while(b > 127){
      b = stream.readByte();
      t = (t << 7) | b;
   }
   return t;
}

To get the right value is not the problem, but to register the header field and to make it filterable is. When I try to register it with the array hf_register_info I have to specify a data type like FT_UINT8. But setting up the header fields with the right amount of bytes of tvb when dissecting the packet results in a wrong value, because the bytes have to be encoded in the way I've mentioned. Is there a possibility to register a header field with e.g. FT_UINT32 and change the value afterwards? Or is it possible to filter header fields that are added with proto_tree_add_text or add_value? Another way could be to get the specified bytes of tvb, to encode them the right way and then write them back to tvb, but I did not find a possibility to do that.

I would be very glad to hear any suggestions.

thx
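
An added example, not part of the original post or of Wireshark's code: the decode loop from the message above written in C with the bounds and overflow checks a dissector needs, since packet bytes are untrusted input. The function name, result codes and sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes (names are assumptions for this example). */
enum { VARINT_OK = 0, VARINT_TRUNCATED = -1, VARINT_OVERFLOW = -2 };

/*
 * Decode one variable-length integer from buf[offset..len), following the
 * loop in the post: the first byte seeds the value, and while the byte just
 * read is > 127 another byte is read and folded in as (t << 7) | b.
 * On success *value holds the result and *consumed the number of bytes used.
 */
static int decode_varint(const uint8_t *buf, size_t len, size_t offset,
                         uint32_t *value, size_t *consumed)
{
    size_t pos = offset;
    uint32_t t;
    uint8_t b;

    if (pos >= len)
        return VARINT_TRUNCATED;      /* nothing to read */
    b = buf[pos++];
    t = b;

    while (b > 127) {
        if (pos >= len)
            return VARINT_TRUNCATED;  /* continuation promised, data ended */
        if (t >> 25)
            return VARINT_OVERFLOW;   /* t << 7 would drop bits from 32 */
        b = buf[pos++];
        t = (t << 7) | b;
    }
    *value = t;
    *consumed = pos - offset;
    return VARINT_OK;
}

int main(void)
{
    /* Constructed sample bytes, not captured from any real protocol. */
    const uint8_t pkt[] = { 0x05, 0x81, 0x05, 0xff };
    uint32_t v; size_t n;
    if (decode_varint(pkt, sizeof pkt, 1, &v, &n) == VARINT_OK)
        printf("value=0x%x bytes=%zu\n", (unsigned)v, n);
    /* In a dissector, v and n are what you would hand to
     * proto_tree_add_uint(tree, hf, tvb, offset, n, v) for an FT_UINT32 field. */
    return 0;
}
```

The consumed byte count is what lets the field highlight the right range in the packet while the filterable value is the decoded integer.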