
Ethereal-dev: Re: [Ethereal-dev] How can I get offset of some field from tcp data

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Wed, 4 Jan 2006 13:13:51 +0100 (CET)
Hi,

What you're trying to do is break the layered architecture of a protocol
stack. The whole idea of layers is to isolate specifics from other layers
and provide access through specific service access points.
The Ethereal dissector architecture is built likewise. Every dissector
eats and digests its own protocol layer from the message and passes THE
REST on to the next. THE REST is provided through 'tvb', while SOME lower
layer info is passed on via 'pinfo'. Note that this is a fixed structure
of data, which by nature, is desirable to be kept as small as possible.
There is NO GUARANTEE that the lower protocol data is in any way available
to the higher layer dissectors. The very nature of the 'tvb' prevents this.

What do you need it for anyway? Would you like to present an overview of
the message composition as it appears on the wire? Why not go for taps and
an analysis function? That approach looks more promising (no experience
though)

Jaap

On Wed, 4 Jan 2006, scz wrote:

> >
> >No.
> >
> >There is, BTW, no guarantee that there will *be* TCP (although it's
> >likely to be there, as it's probably not running atop NBF, or any of the
> >other older transports atop which SMB runs), or NBT (although the
> >SMB-over-TCP wrapper is equivalent) or, if the service can run atop
> >non-SMB transports, any of the stuff above DCE RPC.
> >
> >It might, at some point, run over SMB2 as well.
> >
> >There might also be transaction-layer (or DCE layer?) reassembly, so the
> >stub data might be a chunk of reassembled data, with more than one NBT
> >header.
>
> Thanks first.
>
> But I know what you say about SMB. Now, assuming that I can guarantee the layer:
>
> TCP
>     NBT
>         SMB
>             DCE/RPC
>                 stub data
>
> In other words:
>
> Layer A(sub dissector a)
>     Layer B(sub dissector b)
>         Layer C(sub dissector c)
>             Layer D(sub dissector d)
>                 Layer E(sub dissector e)
>
> sub dissector e ()
> {
>     unsigned int LayerE_offset_to_LayerLower(A/B/C/D);
>
>     /*
>      * I want to get LayerE_offset_to_LayerLower
>      */
>     ... ...
> }  /* end of sub dissector e */
>
> Can I get LayerE_offset_to_LayerLower? Just LayerE_offset_to_D?
> What I want to get may be LenA??LenB??LenC??LenD, but the current
> layer is E.
>
> Any advice?
>
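To make the layering point concrete, here is an added example that is not from the Ethereal/Wireshark sources or from either poster: a constructed C model of the chain A -> B -> C -> D -> E in which every dissector passes THE REST on as a subset tvb and records only the header length it consumed in a small pinfo-like structure, so layer E can compute LenA+LenB+LenC+LenD solely from what the lower layers chose to expose, never from its own tvb. The tvb_t, pinfo_t, MAX_LAYERS, the one-byte-length header format and the sample packet are all hypothetical constructions, not real Ethereal API.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical model of a tvb: a window onto the packet. A subset keeps no
 * link back to the buffer it was cut from, so E cannot ask it "where am I". */
typedef struct { const uint8_t *data; size_t len; } tvb_t;

/* Model of pinfo, the one fixed structure that travels up the stack;
 * each lower dissector records the header length it consumed. */
#define MAX_LAYERS 8
typedef struct { size_t hdr_len[MAX_LAYERS]; int depth; } pinfo_t;
static tvb_t tvb_new_subset(tvb_t parent, size_t offset) {
    tvb_t sub = { NULL, 0 };
    if (offset <= parent.len) { sub.data = parent.data + offset; sub.len = parent.len - offset; }
    return sub;
}

/* Constructed layer format: one length byte, then that many header bytes.
 * Returns the total header length, or 0 when the header is truncated. */
static size_t consume_header(tvb_t tvb, pinfo_t *pinfo) {
    if (tvb.len < 1 || pinfo->depth >= MAX_LAYERS) return 0;
    size_t hlen = 1 + tvb.data[0];
    if (hlen > tvb.len) return 0;
    pinfo->hdr_len[pinfo->depth++] = hlen;
    return hlen;
}

/* Layer E: LenA + LenB + LenC + LenD, known only because pinfo carried it. */
static size_t layer_e_offset(const pinfo_t *pinfo) {
    size_t off = 0;
    for (int i = 0; i < pinfo->depth; i++) off += pinfo->hdr_len[i];
    return off;
}

/* Run A -> B -> C -> D -> E; returns E's wire offset, (size_t)-1 on failure. */
size_t dissect_chain(const uint8_t *pkt, size_t pkt_len, int lower_layers) {
    tvb_t tvb = { pkt, pkt_len };
    pinfo_t pinfo = { {0}, 0 };
    for (int i = 0; i < lower_layers; i++) {
        size_t hlen = consume_header(tvb, &pinfo);
        if (hlen == 0) return (size_t)-1;
        tvb = tvb_new_subset(tvb, hlen);   /* E only ever receives THE REST */
    }
    return layer_e_offset(&pinfo);
}
/* Constructed sample: headers of 4, 2, 6 and 1 bytes, then 2 bytes of stub. */
size_t sample_offset(void) {
    static const uint8_t pkt[] = {3,1,1,1, 1,2, 5,3,3,3,3,3, 0, 0xEE,0xEE};
    return dissect_chain(pkt, sizeof pkt, 4);   /* 13 */
}
```

A truncated lower-layer header stops the chain before E ever runs, which is the same failure the real stack exhibits when reassembly or a missing transport breaks the assumed layering.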