Wireshark-dev: Re: [Wireshark-dev] Help needed on value translation of dissected bits

From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Date: Thu, 3 Dec 2009 10:55:07 -0500
Title: Help needed on value translation of dissected bits

Would something like this [untested] code work for you?

b = tvb_get_ntohs(tvb, offset);
/* Move the top bit of byte 1 down to bit 8 and keep all 8 bits of byte 2 */
b = ((b & 0x8000) >> 7) | (b & 0x00ff);
proto_tree_add_uint_format(tree, hf_myproto_B, tvb, offset, 2, b, "B Value: %u", b);

README.developer has more information on all the proto_tree_add_xxx() functions.

- Chris

From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Jarolin, Robert
Sent: Wednesday, December 02, 2009 11:56 AM
To: wireshark-dev@xxxxxxxxxxxxx
Subject: [Wireshark-dev] Help needed on value translation of dissected bits

Normally the translation of specific bits to a decimal value is easy using the definition in the hf structure, but I am trying to find a way to properly display 1 or more bytes that have disjoint bits associated with a specific value.

Let me give an example:
Assume that you have 2 bytes to dissect that are formatted as follows:
- There are 2 values, A and B that are encoded into 2 Bytes
- Value A has a maximum size of 127 and is encoded using the lower 7 bits of Byte 1
- Value B has a maximum size of 511 and is encoded using all 8 bits in Byte 2 along with bit 8 in Byte 1 representing the MSB for Value B

Normally, I would define the dissection in the hf structure as follows:
{ &hf_myproto_B,
  { "B Value", "myproto.b",
       FT_UINT16, BASE_DEC, NULL, 0x80ff, NULL, HFILL
  }
}

In this case, it will mask off the bits correctly, but it will translate it to decimal as if the extra bits that are masked off still exist, but have a value of 0.

So, for instance, the following encoding:
 1000 0000
 0000 0000

Would be translated as follows:
A = 0
B = 32768

Instead of what I want:
A = 0
B = 256

Any way that I can do it?  If not, can I somehow use "proto_add_text" or something similar to make the addition to the tree look similar to how it would have looked with the bits that are masked off being shown?

Thanks for any help.
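
Added example (not part of the original thread and not Wireshark code): a standalone C sketch that generalizes the shift-and-OR in the reply to any disjoint mask by compacting the selected bits, and that rejects a truncated buffer before reading the two bytes. The names gather_bits, decode_ab and the MYPROTO_* masks are hypothetical; the masks follow the byte layout described in the question.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Compact the bits of `value` selected by `mask` into the low-order bits
 * of the result, preserving their relative order (a software "parallel
 * bit extract"). Works for contiguous and disjoint masks alike. */
static uint32_t gather_bits(uint32_t value, uint32_t mask)
{
    uint32_t out = 0;
    unsigned out_pos = 0;

    for (unsigned bit = 0; bit < 32; bit++) {
        if (mask & (UINT32_C(1) << bit)) {
            if (value & (UINT32_C(1) << bit))
                out |= UINT32_C(1) << out_pos;
            out_pos++;
        }
    }
    return out;
}

/* Masks for the layout in the question (hypothetical names). */
#define MYPROTO_A_MASK 0x7f00u  /* lower 7 bits of byte 1 */
#define MYPROTO_B_MASK 0x80ffu  /* top bit of byte 1 (MSB of B) + all of byte 2 */

/* Decode A and B from a big-endian 2-byte field. Returns 0 on success,
 * -1 if fewer than 2 bytes are available (truncated packet). */
static int decode_ab(const uint8_t *buf, size_t len, uint32_t *a, uint32_t *b)
{
    if (buf == NULL || len < 2)
        return -1;
    uint32_t word = ((uint32_t)buf[0] << 8) | buf[1];  /* network byte order */
    *a = gather_bits(word, MYPROTO_A_MASK);
    *b = gather_bits(word, MYPROTO_B_MASK);
    return 0;
}

int main(void)
{
    /* Constructed sample: the encoding given in the question. */
    const uint8_t sample[] = { 0x80, 0x00 };
    uint32_t a, b;
    if (decode_ab(sample, sizeof sample, &a, &b) == 0)
        printf("A = %u, B = %u\n", (unsigned)a, (unsigned)b);
    return 0;
}
```

In a dissector the compacted value would be the one handed to the tree-add call, as in the reply above.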

