
Wireshark-dev: Re: [Wireshark-dev] working with header data

From: Ed Beroset <beroset@xxxxxxxxxxxxxx>
Date: Fri, 14 Oct 2011 17:05:20 -0400
Guy Harris wrote:

On Oct 14, 2011, at 1:16 PM, Ed Beroset wrote:

I did two earlier versions of the code that did something like
that. One version used knowledge of what the tags are and
recalculated the length based on the length of the tvb.  The other
one attempted to verify that the expected tag really was the
expected number of bytes ahead of the data.  Both versions seemed
messy and complex to me.

So why does not a #.FN_BODY such as

int start_offset = offset;
int length;

$(DEFAULT_BODY)

length = offset - start_offset;

<copy "length" bytes of stuff starting at "start_offset">

work?  No need to know what the tags are, no need to verify anything,
from what I can see.

I understand what you mean, and will experiment. If I can work through the filter issue, and it works, then this could be a viable replacement.

if (PNODE_FINFO(tree)->hfinfo->id == hf_c1222_user_information)
  pkt_tree = proto_item_get_parent_nth(tree, 2);
else
  return FALSE;

None of that has anything to do with adding hf_c1222_crypto_good to
the protocol tree, which is what is relevant for making a
"c1222.crypto_good" field work; where is the code that adds that to
the tree?

It does, but it's a bit indirect. If the call to that function returns false, it's an indication that the encryption validation failed for some reason.

The *displayed* values for parsed packets are all correct,

Where is the "c1222.crypto_good" field displayed in the protocol
tree?

It's around line 889 of packet-c1222-template.c and is only populated if the packet has a Message Authentication Code (MAC) which is part of how the cryptography verifies the integrity of the message.

  if (hasmac) {
    if (tvb_offset_exists(epsem_buffer, local_offset+4-1)) {
      yt = proto_tree_add_item(tree, hf_c1222_epsem_mac, epsem_buffer, local_offset, 4, ENC_NA);
      /* now we have enough information to fill in the crypto subtree */
      crypto_tree = proto_item_add_subtree(yt, ett_c1222_crypto);
      item = proto_tree_add_boolean(crypto_tree, hf_c1222_epsem_crypto_good, tvb, local_offset, 4, crypto_good);
      PROTO_ITEM_SET_GENERATED(item);
      item = proto_tree_add_boolean(crypto_tree, hf_c1222_epsem_crypto_bad, tvb, local_offset, 4, crypto_bad);
      PROTO_ITEM_SET_GENERATED(item);
    } else {
      expert_add_info_format(pinfo, tree, PI_MALFORMED, PI_ERROR, "C12.22 MAC missing");
      return offset+len;
    }
  }

Ed
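The technique Guy describes above (record the offset before the default body runs, let the body parse the field, then take `offset - start_offset` bytes as the field's raw encoding) is what a MAC check needs as its input, and the crypto_good / crypto_bad / "MAC missing" outcomes in Ed's snippet are the three results such a check can produce. The following is an added, self-contained model of that flow in Python; it is not Wireshark code, not the C12.22 dissector, and not from either author. Assumptions: the field is a plain BER TLV (tag 0x04 is a stand-in for the real user-information tag), the MAC is the first 4 bytes of HMAC-SHA256 under a shared key (a stand-in for the real C12.22 algorithm), and the sample messages are constructed here.

```python
"""Added example: capture a parsed field's raw bytes, then verify a MAC over them.

Not the Wireshark/C12.22 dissector; TLV tag, MAC algorithm and messages are
assumptions made for this example.
"""
import hashlib
import hmac

MAC_LEN = 4                     # Ed's snippet reads a 4-byte MAC after the field
USER_INFO_TAG = 0x04            # assumption: stand-in for the real user-information tag


def parse_ber_tlv(buf: bytes, offset: int):
    """Parse one BER TLV at offset. Return (tag, value, offset past the TLV).

    Plays the role of $(DEFAULT_BODY): it only knows how to walk the field,
    nothing about MACs.
    """
    if offset + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[offset]
    first = buf[offset + 1]
    offset += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form length, 1..4 length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or offset + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[offset:offset + n], "big")
        offset += n
    if offset + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[offset:offset + length], offset + length


def dissect_user_information(buf: bytes, offset: int):
    """The #.FN_BODY wrapper: start_offset, default body, length, copy."""
    start_offset = offset
    _tag, _value, offset = parse_ber_tlv(buf, offset)   # $(DEFAULT_BODY)
    length = offset - start_offset
    raw_field = buf[start_offset:start_offset + length]  # the bytes the MAC covers
    return raw_field, offset


def compute_mac(key: bytes, data: bytes) -> bytes:
    """Assumption: truncated HMAC-SHA256 stands in for the real C12.22 MAC."""
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def dissect(buf: bytes, key: bytes) -> dict:
    """Return the three outcomes the dissector snippet models."""
    raw_field, offset = dissect_user_information(buf, 0)
    if offset + MAC_LEN > len(buf):                     # tvb_offset_exists() failed
        return {"crypto_good": False, "crypto_bad": False, "mac_missing": True}
    received = buf[offset:offset + MAC_LEN]
    good = hmac.compare_digest(compute_mac(key, raw_field), received)
    return {"crypto_good": good, "crypto_bad": not good, "mac_missing": False}


def encode_ber_tlv(tag: int, value: bytes) -> bytes:
    """Constructed helper so the example can build its own sample messages."""
    n = len(value)
    if n < 0x80:
        header = bytes([tag, n])
    else:
        length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        header = bytes([tag, 0x80 | len(length_bytes)]) + length_bytes
    return header + value


def build_message(user_info: bytes, key: bytes) -> bytes:
    """Constructed sample: user-information TLV followed by its MAC."""
    field = encode_ber_tlv(USER_INFO_TAG, user_info)
    return field + compute_mac(key, field)


if __name__ == "__main__":
    key = b"example-shared-key"
    msg = build_message(b"\x01\x02\x03", key)
    print(dissect(msg, key))            # crypto_good
    print(dissect(msg[:-1], key))       # MAC missing (truncated)
```

`dissect_user_information` never inspects tags or second-guesses lengths, which is the point of Guy's suggestion: whatever the default body consumed is, by construction, the encoded field. The long-form length branch shows the same wrapper working unchanged when the field is longer than 127 bytes.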