Wireshark-dev: Re: [Wireshark-dev] dissecting bits versus bytes
From: Anders Broman <[email protected]>
Date: Fri, 6 May 2011 17:23:01 +0200
 

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Brian Oleksa
Sent: den 6 maj 2011 16:57
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] dissecting bits versus bytes

Anders

Thanks for the reply.

I was able to dissect the first 4 bits to get the version:

Here is the output:

      {&hf_myproto_version,
              { "Version", "myproto.version", FT_UINT8, BASE_DEC, NULL, 0xf0,
                  NULL, HFILL}},

OUTPUT =    0110 .... = Version: 6

But the next 4 bits are as follows:

x = 1 bit
y = 2 bits
z = 1 bit

      {&hf_myproto_x,
              { "Version", "myproto.x", FT_UINT8, BASE_DEC, NULL, 0x??,
                  NULL, HFILL}},


      {&hf_myproto_y,
              { "Version", "myproto.y", FT_UINT8, BASE_DEC, NULL, 0x??,
                  NULL, HFILL}},


      {&hf_myproto_z,
              { "Version", "myproto.z", FT_UINT8, BASE_DEC, NULL, 0x??,
                  NULL, HFILL}},



I am not sure what I would use to capture 1 or 2 bits...??    (0x????)

Thanks,
Brian


If the first 4 bits are masked with 0xfo which is B'1111 0000
Which bit do you think will be the next one? (Hint 0000 1...)
As an extercise translate that to hex and put it as bitmask :-) ( 0000 1000)
Regards
Anders



On 5/6/2011 9:51 AM, Anders Broman wrote:
>
>
> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Brian Oleksa
> Sent: den 6 maj 2011 15:22
> To: Developer support list for Wireshark
> Subject: [Wireshark-dev] dissecting bits versus bytes
>
>
> I am used to getting a spec sheet of a packet that needs to be dissected and most of the time each part of the packet is in bytes.
>
> For example: The first byte in the packet is the version number. So this is what I would do.
>
>        proto_tree_add_item(myproto_sub_tree, hf_myproto_version, tvb, offset, 1, FALSE);
>               offset += 1;
>
>       {&hf_myproto_version,
>               { "Version", "myproto.version", FT_UINT8, BASE_DEC, NULL, 0x0,
>                   NULL, HFILL}},
>
> But now I was ordered to dissect a packet that the max size is in bits.
>
> Since a byte is bigger than a bit.....how would you dissect this..??
>
> version   (max field size = 4 bits)..??
>
> Thanks,
> Brian
> Hi,
> If the spec looks like
>        Bit1    Bit4   Bit8
> Ocet1 | Verion | Foo |
>
> E.g The fields fill up a byte and always align the protocol is still octet oriented and you should do:
>
>        proto_tree_add_item(myproto_sub_tree, hf_myproto_version, tvb, offset, 1, FALSE);      	proto_tree_add_item(myproto_sub_tree, hf_myproto_foo, tvb, offset, 1, FALSE);
>               offset += 1;
>
>       {&hf_myproto_version,
>               { "Version", "myproto.version", FT_UINT8, BASE_DEC, NULL, 0xf0,
>                   NULL, HFILL}},
>
>       {&hf_myproto_foo,
>               { "Foo, "myproto.foo", FT_UINT8, BASE_DEC, NULL, 0x0f,
>                   NULL, HFILL}},
>
> Note the bitmasks (0xf0&  0x0f) which decides which part of the octet belongs to this field.
> Offset is increased once the whole octet is handled, there is numerous examples in the code base.
> Regards
> Anders
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list<[email protected]>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>               
> mailto:[email protected]?subject=unsubscribe
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list<[email protected]>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>               
> mailto:[email protected]?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe