Wireshark-dev: Re: [Wireshark-dev] Structure sizes change between Linux and Windows help
From: Bill Meier <[email protected]>
Date: Thu, 28 Jul 2011 17:42:59 -0400
On 7/28/2011 5:39 PM, Bill Meier wrote:
On 7/28/2011 5:27 PM, Alex Lindberg wrote:
I am creating a dissector that overlays a complicated struct (bit
fields, unions, etc) on the the tvb.
Unfortunately, you can't do that; :)

 From doc/README.developer

Don't use structures that overlay packet data, or into which you copy
packet data; the C programming language does not guarantee any
particular alignment of fields within a structure, and even the
extensions that try to guarantee that are compiler-specific and not
necessarily supported by all compilers used to build Wireshark. Using
bitfields in those structures is even worse; the order of bitfields
is not guaranteed.

(Also: The paragraph previous to the above in README.developer)

Don't fetch data from packets by getting a pointer to data in the packet
with "tvb_get_ptr()", casting that pointer to a pointer to a structure,
and dereferencing that pointer.  That pointer won't necessarily be aligned
on the proper boundary, which can cause crashes on some platforms (even
if it doesn't crash on an x86-based PC); furthermore, the data in a
packet is not necessarily in the byte order of the machine on which
Wireshark is running.  Use the tvbuff routines to extract individual
items from the packet, or use "proto_tree_add_item()" and let it extract
the items for you.