Wireshark · Ethereal-dev: Re: [Ethereal-dev] How can I get offset of some field from tcp data

[scz <scz@xxxxxxxxxxx>]

>
>No.
>
>There is, BTW, no guarantee that there will *be* TCP (although it's 
>likely to be there, as it's probably not running atop NBF, or any of the 
>other older transports atop which SMB runs), or NBT (although the 
>SMB-over-TCP wrapper is equivalent) or, if the service can run atop 
>non-SMB transports, any of the stuff above DCE RPC.
>
>It might, at some point, run over SMB2 as well.
>
>There might also be transaction-layer (or DCE layer?) reassembly, so the 
>stub data might be a chunk of reassembled data, with more than one NBT 
>header.

Thanks first.

But I know what you say about SMB. Now, assuming that I can guarantee the layer:

TCP
    NBT
        SMB
            DCE/RPC
                stub data

In other words:

Layer A(sub dissector a)
    Layer B(sub dissector b)
        Layer C(sub dissector c)
            Layer D(sub dissector d)
                Layer E(sub dissector e)

sub dissector e ()
{
    unsigned int LayerE_offset_to_LayerLower(A/B/C/D);

    /*
     * I want to get LayerE_offset_to_LayerLower
     */
    ... ...
}  /* end of sub dissector c */

Can I get LayerE_offset_to_LayerLower? Just LayerE_offset_to_D?
What I want to get maybe be LenA锟斤拷LenB锟斤拷LenC锟斤拷LenD, but the current
layer is E. 

Any advice?

----