
Wireshark-dev: [Wireshark-dev] Best practice for dissecting modular protocol

From: Jan Gerbecks <jan.gerbecks@xxxxxxxxxxxxxxx>
Date: Fri, 18 Dec 2009 10:11:56 +0100
Hello,

I am currently writing a Wireshark PNRP dissector and ran into a little problem. It is my first time writing a Wireshark dissector, and I am wondering what the best-practice approach for the following problem is:

The PNRP protocol is based on a modular concept, where you have the following basic structure as defined in

-------------------------------------------------------------------------------------------------------------------------------------------------------------
| FieldID 8bit | Length 16 bit | Data as specified in FieldId and described by length | FieldID | Length | Data|--- |
-------------------------------------------------------------------------------------------------------------------------------------------------------------

One example is that the FieldID specifies that an array of PNRP IDs follows, Length specifies the length of this segment, and the Data part will contain any number (1 to n) of PNRP IDs.

To dissect this correctly, I could obviously try to define the maximum number of PNRP IDs in the hf_register_info hf[] array, but that doesn't seem like a very elegant solution.
I had a look at the VNC dissector, but it didn't quite solve the same problem.

Any help is greatly appreciated and I hope somebody can point me in the right direction.

Thanks in advance,
Jan
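The field structure described in the post, worked through as a standalone bounds-checked walker. This is an added example and not code from the post, from Wireshark or from any PNRP dissector; it assumes the 16-bit Length is big-endian and counts only the Data bytes, and the field identifier value (0x01) and PNRP ID size (32 bytes) are constructed placeholders, not values taken from the protocol specification. The point it illustrates is the one the question is circling: a variable-count array needs one field description reused once per element, with the element count derived from Length, rather than one description per possible slot. It also shows the check a dissector needs for a Length that runs past the end of the buffer or is not a whole number of elements, so a malformed packet stops the walk instead of causing an over-read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholders for this example (not values from MS-PNRP). */
#define FIELD_PNRP_ID_ARRAY 0x01
#define PNRP_ID_LEN         32
#define TLV_HDR_LEN         3      /* FieldID (1 byte) + Length (2 bytes, big-endian assumed) */

typedef struct {
    int fields;     /* well-formed fields seen */
    int pnrp_ids;   /* PNRP IDs found inside ID-array fields */
    int malformed;  /* set when the walk stopped on a bad header or Length */
} walk_stats;

/* Walk a buffer of [FieldID:8][Length:16][Data] elements. Every read is checked
 * against buflen, so a truncated message or a lying Length cannot over-read.
 * Returns the number of fields parsed; details are left in *st. */
static int walk_tlv(const uint8_t *buf, size_t buflen, walk_stats *st)
{
    size_t off = 0;
    memset(st, 0, sizeof(*st));
    while (off < buflen) {
        if (buflen - off < TLV_HDR_LEN) { st->malformed = 1; break; }   /* header cut off */
        uint8_t  field_id = buf[off];
        uint16_t data_len = (uint16_t)((buf[off + 1] << 8) | buf[off + 2]);
        size_t   data_off = off + TLV_HDR_LEN;
        if (data_len > buflen - data_off) { st->malformed = 1; break; } /* Length past end */

        if (field_id == FIELD_PNRP_ID_ARRAY) {
            /* Element count comes from Length: one ID description reused per element. */
            if (data_len % PNRP_ID_LEN != 0) { st->malformed = 1; break; }
            for (size_t i = 0; i < data_len; i += PNRP_ID_LEN)
                st->pnrp_ids++;   /* in a dissector, each element is added to the tree here */
        }
        st->fields++;
        off = data_off + data_len;
    }
    return st->fields;
}

/* Build a constructed sample: one ID-array field holding n_ids IDs, then one 4-byte opaque field. */
static size_t build_sample(uint8_t *out, size_t cap, int n_ids)
{
    size_t need = TLV_HDR_LEN + (size_t)n_ids * PNRP_ID_LEN + TLV_HDR_LEN + 4;
    if (need > cap) return 0;
    size_t off = 0;
    uint16_t len = (uint16_t)(n_ids * PNRP_ID_LEN);
    out[off++] = FIELD_PNRP_ID_ARRAY;
    out[off++] = (uint8_t)(len >> 8);
    out[off++] = (uint8_t)(len & 0xff);
    for (int i = 0; i < n_ids; i++) { memset(out + off, 0xA0 + i, PNRP_ID_LEN); off += PNRP_ID_LEN; }
    out[off++] = 0x7F;                  /* some other field id (constructed) */
    out[off++] = 0x00; out[off++] = 0x04;
    memset(out + off, 0x55, 4); off += 4;
    return off;
}

/* Self-check helpers: parse the sample with `cut` trailing bytes removed. */
static void walk_sample(int n_ids, size_t cut, walk_stats *st)
{
    uint8_t msg[512];
    size_t n = build_sample(msg, sizeof msg, n_ids);
    walk_tlv(msg, n - cut, st);
}
static int sample_fields(int n_ids, size_t cut)    { walk_stats s; walk_sample(n_ids, cut, &s); return s.fields; }
static int sample_ids(int n_ids, size_t cut)       { walk_stats s; walk_sample(n_ids, cut, &s); return s.pnrp_ids; }
static int sample_malformed(int n_ids, size_t cut) { walk_stats s; walk_sample(n_ids, cut, &s); return s.malformed; }

int main(void)
{
    walk_stats st;
    walk_sample(3, 0, &st);
    printf("intact:    fields=%d ids=%d malformed=%d\n", st.fields, st.pnrp_ids, st.malformed);
    walk_sample(3, 2, &st);   /* last two bytes missing: second field's Length no longer fits */
    printf("truncated: fields=%d ids=%d malformed=%d\n", st.fields, st.pnrp_ids, st.malformed);
    return 0;
}
```

The loop over the ID array is the part that maps onto the dissector question: the array's hf entry is registered once, and the dissector adds it to the tree once per element inside a subtree for the field, instead of reserving a fixed maximum number of entries in hf[]. The two bounds checks before each field and the multiple-of-element-size check are what keep a packet with a corrupt or hostile Length from being read past the end of the captured data.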