Wireshark · Wireshark-dev: Re: [Wireshark-dev] Obtaining protocol offsets from dissection results

Wireshark-dev: Re: [Wireshark-dev] Obtaining protocol offsets from dissection results

From: Guy Harris <guy@xxxxxxxxxxxx>

Date: Thu, 05 Jun 2008 22:10:48 -0700

Eloy Paris wrote:

For each layer (protocol) in a packet I need to obtain the offset into
the packet. For example, for "eth:ip:icmp:data", the offsets would be:

    eth:   0
    ip:   14 (IP with no options)
    icmp: 34 (ICMP echo request)
    data: 42

I have been using the value of the "start" field of "struct field_info"
(epan/proto.h). However, I just found out that in some cases "start" can
be zero.

"Some cases" includes any case where you have reassembly - whetherIPv4/v6 fragmentation reassembly, reassembly of packet chunks in a TCPstream, etc..

It also includes cases where you have compressed packet data that'sdecompressed before dissection (in which case it's not clear what theoffset would mean) or encrypted packet data that's decrypted beforedissection.


I.e., the general problem is insoluble.  What is it you're trying to do?

Follow-Ups:
- Re: [Wireshark-dev] Obtaining protocol offsets from dissection results
  - From: Eloy Paris

References:
- [Wireshark-dev] Obtaining protocol offsets from dissection results
  - From: Eloy Paris

Prev by Date: [Wireshark-dev] Obtaining protocol offsets from dissection results
Next by Date: Re: [Wireshark-dev] Build Failure.Please help!!
Previous by thread: [Wireshark-dev] Obtaining protocol offsets from dissection results
Next by thread: Re: [Wireshark-dev] Obtaining protocol offsets from dissection results
Index(es):
- Date
- Thread