Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-dev: Re: [Wireshark-dev] Fetching of Structure from the tvb....

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Gilbert Ramirez" <gram@xxxxxxxxxxxxxxx>
Date: Sat, 28 Oct 2006 06:57:18 -0500
On 10/28/06, prashanth joshi <prashanthsjoshi2000@xxxxxxxxx> wrote:

Hi,
Suppose the tvb contains a structure and we are supposed to add the
structure elements one by one in to the display tree.
Suppose the structure has the following elements:
char
int
char
int.
Now my thinking is ,
We can not add directly the first item ie char item in to the display
tree(using the proto_tree_add_item  specifying offset and the length to be
added as 1)  and then again we can not add directly the second item ie int
in to the display tree ( this time offset + 1 and then the length to be
added as 4 )  and so on.......
The reason for my thinking is:
The structures are padded. So the tvb may actually be containing
char   4 bytes
int     4 bytes
char    4 bytes
int    4 bytes
And then I feel structue padding is platform dependent.
Hence I feel it should be correct first to memcpy the contents using
tvb_memcpy from the tvb to a dynamically allocated object.  Because i feel
the tvb_memcpy takes care of the platform independece issues. And then i
feel we can add the structure elements one by one using the
proto_tree_add_item(offset , length to be added as 1 )
and then using, proto_tree_add_item(offset + 1, length to be added as 4).


You do not want to use tvb_memcpy to copy the tvbuff's data onto a
struct... you still have the padding issue. The tvb code does not know
anything about the architecture of the host computer, the assumptions
of the protocol, or the compiler used to compile Wiershark (which can
have its own idea of what padding means).

You need to either grab each field with a tvb_get_*() function and use
the proto_tree_add_uint() and proto_tree_add_string() functions, or
use proto_tree_add_item(), which will pull the field from the tvbuff
for you, based on the "header_field_info" definition for your field.
Of course, you can combine the two strategies.


Is my assertion about this structure padding and tvb_memcpy correct?
That is when ever we get a structure in tvb we should not directly add its
elements directly to the display tree but we should first memcpy the
contents of the tvb using tvb_memcpy, to an alllocated structure object and
then we should add the elements one by one in to the display tree?
Or is this just an imagination of mine.........?


You're right about directly copying... but you should realize that
tvb_memcpy() is direct copying, too.

--gilbert
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube