
Wireshark-dev: [Wireshark-dev] starting the actual packet counting using wireshark functions

From: Brian Oleksa <oleksab@xxxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 28 Jan 2010 14:12:09 -0500
Wiresharkers

I have stripped out a lot of my own code and started to use the built-in routines that are provided by Wireshark.

As you can see below... my original way of starting the packet counting process is not correct, and I understand that it is not guaranteed to work for all tvbuffs. Which means that there is no guarantee that the "real_data" field (that I am using below) of a tvbuff will always be valid... plus no bounds checking is done.

But I am having some problems starting the actual packet counting process using the built-in calls. As I am digging through some of the examples... I see the following:

guint helen_length = tvb_reported_length(tvb);
OR
gint32 helen;
helen = tvb_get_letohl(tvb, offset + 4);
OR

guint32 offset = 0;
guint32 length = 0;
tvb_memcpy(tvb, (guint8 *)&length, offset, 4);


Basically... I am having a hard time converting my code below to use the built in calls to make sure there is no buffer overrun and to make sure that I am on the correct packet I am trying to dissect.

I have a header of size 18 that I want to skip.. then the next packet I am dissecting.

Any help is appreciated.

Thanks,
Brian


void dissect_helen(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {

   proto_item *helen_item = NULL;
   proto_item *helen_sub_item = NULL;
   proto_tree *helen_tree = NULL;
   proto_tree *helen_header_tree = NULL;
   guint16 type = 0;

   if (check_col(pinfo->cinfo, COL_PROTOCOL)) {
       col_set_str(pinfo->cinfo, COL_PROTOCOL, PROTO_TAG_HELEN);
   }

   if (check_col(pinfo->cinfo, COL_INFO)) {
       col_clear(pinfo->cinfo, COL_INFO);
   }

   type = tvb_get_guint8(tvb, 4);

   if (tree) {
       guint32 offset = 0;
       helen_item = proto_tree_add_item(tree, proto_helen, tvb, 0, -1, FALSE);
       helen_tree = proto_item_add_subtree(helen_item, ett_helen);
       helen_header_tree = proto_item_add_subtree(helen_item, ett_helen);
       helen_header_tree = proto_item_add_subtree(helen_sub_item, ett_helen);
       {
           guint8 * ptr = (guint8*) tvb->real_data;
           guint8 * packet_header = ptr;
           guint16 bead;
           char buf[100];
           char * packet_name = "";
           proto_tree *helen_sub_tree = NULL;
           guint swap = 0;

           bead = *((guint16*) packet_header);
           if (bead != 0xBEAD) {
               swap = 1;
           }

           offset += 18;
           ptr += 18; /* Skip the header.*/
           packet_header = ptr;

           for (;;) {
               guint16 code = *((guint16*) packet_header);
               guint16 numBytes = 0;
               guint unknownPacket = 0;
               guint codeOffset;
               ptr = packet_header;
               offset = (ptr - tvb->real_data);
               codeOffset = offset;

               if (swap) {
                   code = swap16(code);
               }

               ptr += 2;
               offset += 2;
               numBytes = *((guint16*) ptr);
               if (swap) {
                   numBytes = swap16(numBytes);
               }

               ptr += 2;
               offset += 2;

               // From here I start my actual looping over each byte using the correct wireshark routines....
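The record walk Brian describes (detect the 0xBEAD marker, skip the 18-byte header, then loop over code/numBytes records) done through length-checked accessors instead of raw `real_data` pointers, as an added example that is neither Brian's code nor Wireshark's. The accessor names and argument order follow Wireshark's tvb API (tvb_reported_length, tvb_bytes_exist, tvb_get_ntohs, tvb_get_letohs), but the bodies here are a minimal stand-in so the file compiles without Wireshark; the record layout (16-bit code, 16-bit byte count, then that many payload bytes) and the sample buffers are assumptions constructed for the example. The point is that every offset derived from packet contents is checked against the buffer length before it is dereferenced, so a truncated or crafted capture ends the walk cleanly instead of reading past the packet.

```c
/* Added example, not from the post or from Wireshark. Accessor names mirror
 * Wireshark's tvb API; bodies are a minimal mock so this compiles stand-alone. */
#include <stdint.h>
#include <stdio.h>

typedef uint8_t  guint8;
typedef uint16_t guint16;
typedef int      gint;
typedef unsigned guint;
typedef int      gboolean;

/* Mock tvbuff: data plus length. In Wireshark the struct is opaque and
 * real_data is not guaranteed to be valid, which is why accessors exist. */
typedef struct { const guint8 *data; guint length; } tvbuff_t;

static guint tvb_reported_length(const tvbuff_t *tvb) { return tvb->length; }

/* TRUE if [offset, offset + length) lies entirely inside the buffer. */
static gboolean tvb_bytes_exist(const tvbuff_t *tvb, gint offset, gint length) {
    if (offset < 0 || length < 0) return 0;
    return (guint)offset <= tvb->length && (guint)length <= tvb->length - (guint)offset;
}

/* Big-endian / little-endian 16-bit reads. Wireshark's versions throw a
 * BoundsError on overrun (the dissector is then marked malformed); this mock
 * returns 0, so callers below always check tvb_bytes_exist first. */
static guint16 tvb_get_ntohs(const tvbuff_t *tvb, gint offset) {
    if (!tvb_bytes_exist(tvb, offset, 2)) return 0;
    return (guint16)((tvb->data[offset] << 8) | tvb->data[offset + 1]);
}
static guint16 tvb_get_letohs(const tvbuff_t *tvb, gint offset) {
    if (!tvb_bytes_exist(tvb, offset, 2)) return 0;
    return (guint16)(tvb->data[offset] | (tvb->data[offset + 1] << 8));
}

#define HELEN_MAGIC      0xBEAD
#define HELEN_HEADER_LEN 18

/* Byte order from the leading marker: 1 = big-endian, 0 = little-endian,
 * -1 = header does not fit or marker matches in neither order. This replaces
 * the raw *(guint16*) read and the swap16() flag in the original code. */
static int helen_detect_order(const tvbuff_t *tvb) {
    if (!tvb_bytes_exist(tvb, 0, HELEN_HEADER_LEN)) return -1;
    if (tvb_get_ntohs(tvb, 0) == HELEN_MAGIC) return 1;
    if (tvb_get_letohs(tvb, 0) == HELEN_MAGIC) return 0;
    return -1;
}

/* Walk the records after the header: 16-bit code, 16-bit numBytes, payload
 * (layout assumed from the post). Returns the number of complete records,
 * or -1 as soon as a field would reach outside the buffer. */
static int helen_count_records(const tvbuff_t *tvb) {
    int big_endian = helen_detect_order(tvb);
    if (big_endian < 0) return -1;
    guint16 (*get16)(const tvbuff_t *, gint) = big_endian ? tvb_get_ntohs : tvb_get_letohs;

    gint offset = HELEN_HEADER_LEN;
    int count = 0;
    while ((guint)offset < tvb_reported_length(tvb)) {
        if (!tvb_bytes_exist(tvb, offset, 4)) return -1;   /* code + numBytes */
        guint16 code     = get16(tvb, offset);
        guint16 numBytes = get16(tvb, offset + 2);
        offset += 4;
        /* numBytes came from the packet: validate it before skipping it. */
        if (!tvb_bytes_exist(tvb, offset, numBytes)) return -1;
        (void)code;          /* a real dissector would add the field here */
        offset += numBytes;
        count++;
    }
    return count;
}

/* Convenience wrapper over a plain byte array. */
static int helen_count_sample(const guint8 *buf, guint len) {
    tvbuff_t tvb = { buf, len };
    return helen_count_records(&tvb);
}

/* Constructed sample buffers (not real captures). */
static const guint8 sample_be[] = { 0xBE,0xAD, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    0x00,0x01, 0x00,0x03, 0xAA,0xBB,0xCC,  0x00,0x02, 0x00,0x00 };   /* 2 records */
static const guint8 sample_le[] = { 0xAD,0xBE, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    0x01,0x00, 0x03,0x00, 0xAA,0xBB,0xCC };                          /* 1 record  */
static const guint8 sample_trunc[] = { 0xBE,0xAD, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    0x00,0x01, 0x00,0x10, 0xAA };                       /* claims 16 bytes, has 1 */
static const guint8 sample_short[] = { 0xBE,0xAD };    /* header itself does not fit */

int main(void) {
    printf("big-endian: %d records\n", helen_count_sample(sample_be, sizeof sample_be));
    printf("little-endian: %d records\n", helen_count_sample(sample_le, sizeof sample_le));
    printf("truncated: %d\n", helen_count_sample(sample_trunc, sizeof sample_trunc));
    printf("too short: %d\n", helen_count_sample(sample_short, sizeof sample_short));
    return 0;
}
```

In a real dissector the explicit `tvb_bytes_exist` checks are what let you decide how to report a short record (for example by adding an expert item) rather than leaving it to the bounds exception, and the two reads `tvb_get_ntohs`/`tvb_get_letohs` replace the hand-rolled `swap16` entirely.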