Wireshark-dev: Re: [Wireshark-dev] Add computed bytes of different length
From: Anders Broman <[email protected]>
Date: Wed, 4 Jun 2014 14:24:30 +0000
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kevin Cox
Sent: 4 June 2014 16:09
To: [email protected]
Subject: [Wireshark-dev] Add computed bytes of different length


Please forgive me if I am missing something obvious.  I am trying to add some computed bytes to the proto_tree and wish them to be filterable.
However, the proto_tree_add_bytes and similar functions only have one length argument that is used for both the tvb and the value pointer.
The problem is that my bytestring is not directly from the tvb and is a different length.  I was wondering how I could add this to the tree.

Currently I see only the following options:
- Add it with the correct length for the value and have the output show the string coming from the wrong place in the packet.  This also has the problem that I can extend past the end of the tvb, possibly raising exceptions.
- Use an FT_NONE and don't add the value byte string.  However, this removes the option of filtering on the value of the field.

Any advice would be appreciated,

One option is to read the bytes from the tvb to a buffer, manipulate the bytes, make a new tvb with the manipulated bytes in the buffer, and then dissect that new tvb.
Like uncompressing something and then dissecting the content of the uncompressed result. If it's just a few bytes, that may not be feasible, I suppose.
If the encoded stuff really is a string ("string coming from the wrong place in the packet"), you might want to add a new string encoding type and add it as a string.