Wireshark · Wireshark-dev: Re: [Wireshark-dev] Dissecting a field that has non-octet bit boundaries

Wireshark-dev: Re: [Wireshark-dev] Dissecting a field that has non-octet bit boundaries

From: yannick omnes <yomnes@xxxxxxxxxxx>

Date: Fri, 23 Jan 2015 08:46:13 +0100

Hi Richard,

I had the same problem recently, that I solved using a bitmask in one ofthe register_info fields. It looked like that :


{
&hf_protocol_id,
            {
                "ID", "protocol.id",
                FT_UINT8, BASE_DEC_HEX,
                NULL, 0x1,
                NULL, HFILL
            },
        }

This should display only the first bit of a byte.

Hope that helps,

Regards

Yannick


Le 23/01/2015 05:46, Richard Sharpe a écrit :

Hi Folks,

I am trying to dissect MS-RSVD further since I have a capture of some
of that funky SCSI tunneled over SMB2/3.

Anyway, they have a 4-byte header that consists of:

1 byte:  Protocol ID
12 bits: Protocol Version
12 bits: Operation Code

How do I deal with this. It does not seem like proto_tree_add_bitmask
is the correct thing.

Follow-Ups:
- Re: [Wireshark-dev] Dissecting a field that has non-octet bit boundaries
  - From: Anders Broman

References:
- [Wireshark-dev] Dissecting a field that has non-octet bit boundaries
  - From: Richard Sharpe

Prev by Date: [Wireshark-dev] Dissecting a field that has non-octet bit boundaries
Next by Date: Re: [Wireshark-dev] Dissecting a field that has non-octet bit boundaries
Previous by thread: [Wireshark-dev] Dissecting a field that has non-octet bit boundaries
Next by thread: Re: [Wireshark-dev] Dissecting a field that has non-octet bit boundaries
Index(es):
- Date
- Thread