Wireshark-dev: Re: [Wireshark-dev] Need advice on modifying tvb

Date: Mon, 7 Dec 2009 13:47:32 -0500
Returning to this issue once more, where I am dissecting packets that wrap an 802.15.4 frame in another protocol, but the outer protocol handles the FCS field.

I am passing the inner frame to the "wpan_nofcs" dissector, which works perfectly for all frame types *except* Ack.  When it dissects an 802.15.4 Ack, I get the (non-fatal) error "Unexpected payload in acknowledgement".

I looked at the code for the nofcs dissector, and the first thing it does is call tvb_new_subset to create a new tvb with the length artificially increased by the size of FCS_LEN (i.e. 2 bytes).  Which undoes all my effort to remove those bytes in the first place!

For most 802.15.4 frame types, the extra two bytes are passed to the Data dissector, which makes for a messy display but no error is reported.  But since the 802.15.4 common code specifically checks Ack frames for extra bytes, I get an error where there should be none.

The comments in the code indicate that someone added the two bytes for a very good reason, but I can't figure out what they mean.  If there is "no" FCS, why would you expand the buffer by two bytes as if there were one?  Only reason I can think of is that there is common code that calculates some offset from the end of the buffer, but in that case there needs to be some way for the common code to know that the extra two bytes don't need to be processed.

What I am trying to figure out now is whether there is something missing from the 802.15.4 dissector that needs to be fixed, or whether I'm lacking in understanding and need to change my code somehow to avoid this error.

Is there anyone familiar with the 802.15.4 dissector who could advise me?

Thank you,
b.