
Wireshark-dev: Re: [Wireshark-dev] dissecting bits versus bytes

From: Anders Broman <anders.broman@xxxxxxxxxxxx>
Date: Fri, 6 May 2011 15:51:55 +0200
 

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Brian Oleksa
Sent: den 6 maj 2011 15:22
To: Developer support list for Wireshark
Subject: [Wireshark-dev] dissecting bits versus bytes


I am used to getting a spec sheet of a packet that needs to be dissected and most of the time each part of the packet is in bytes.

For example: The first byte in the packet is the version number. So this is what I would do.

      proto_tree_add_item(myproto_sub_tree, hf_myproto_version, tvb, offset, 1, FALSE);
             offset += 1;

     { &hf_myproto_version,
             { "Version", "myproto.version", FT_UINT8, BASE_DEC, NULL, 0x0,
                 NULL, HFILL}},

But now I was ordered to dissect a packet that the max size is in bits.

Since a byte is bigger than a bit.....how would you dissect this..??

version   (max field size = 4 bits)..??

Thanks,
Brian

Hi,
If the spec looks like
         Bit1      Bit4  Bit8
Octet1 | Version | Foo |

E.g. the fields fill up a byte and always align, the protocol is still octet oriented and you should do:

      proto_tree_add_item(myproto_sub_tree, hf_myproto_version, tvb, offset, 1, FALSE);
      proto_tree_add_item(myproto_sub_tree, hf_myproto_foo, tvb, offset, 1, FALSE);
      offset += 1;

     { &hf_myproto_version,
             { "Version", "myproto.version", FT_UINT8, BASE_DEC, NULL, 0xf0,
                 NULL, HFILL}},

     { &hf_myproto_foo,
             { "Foo", "myproto.foo", FT_UINT8, BASE_DEC, NULL, 0x0f,
                 NULL, HFILL}},

Note the bitmasks (0xf0 & 0x0f) which decide which part of the octet belongs to this field.
Offset is increased once the whole octet is handled, there are numerous examples in the code base.
Regards
Anders
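
Added example, not part of the original thread and not Wireshark code: a standalone C sketch of what the 0xf0 and 0x0f bitmasks above do to one octet (mask, then shift right by the mask's trailing zero bits), with the offset advanced once per octet. The names masked_field, parse_first_octet and struct myproto_hdr are hypothetical, and the explicit length check stands in for the bounds checking that tvb accessors perform inside a real dissector.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Apply a field bitmask to an octet and shift the result down by the
 * number of trailing zero bits in the mask. A mask of 0x0 means the
 * field covers the whole octet, as in the hf entry from the question. */
static uint8_t masked_field(uint8_t octet, uint8_t mask)
{
    uint8_t value;

    if (mask == 0)
        return octet;
    value = octet & mask;
    while ((mask & 1) == 0) {
        mask >>= 1;
        value >>= 1;
    }
    return value;
}

struct myproto_hdr { uint8_t version; uint8_t foo; };  /* hypothetical */

/* Decode both 4-bit fields from the octet at *offset. Returns 0 and
 * advances *offset by one octet, or returns -1 without touching the
 * buffer if the packet is truncated. */
static int parse_first_octet(const uint8_t *buf, size_t len,
                             size_t *offset, struct myproto_hdr *out)
{
    if (buf == NULL || offset == NULL || out == NULL || *offset >= len)
        return -1;
    out->version = masked_field(buf[*offset], 0xf0);  /* high nibble */
    out->foo     = masked_field(buf[*offset], 0x0f);  /* low nibble  */
    *offset += 1;  /* once, after the whole octet is handled */
    return 0;
}

int main(void)
{
    const uint8_t pkt[] = { 0x4a };  /* constructed sample octet */
    struct myproto_hdr h;
    size_t offset = 0;

    if (parse_first_octet(pkt, sizeof pkt, &offset, &h) != 0) {
        puts("truncated packet");
        return 1;
    }
    printf("version=%u foo=%u next offset=%zu\n",
           (unsigned)h.version, (unsigned)h.foo, offset);
    return 0;
}
```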

