Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: [Wireshark-dev] Exported PUD proto_name

From: Dario Lombardo <>
Date: Fri, 26 Aug 2016 10:02:17 +0200
I'm looking into the code of exported_pdu.c and specifically into export_pdu_create_tags(). The first tag it creates is the tag with proto_name. The piece of code that I don't understand is

        /* Start by computing size of protocol name as a tag */
proto_str_len = (int)strlen(proto_name);

/* Ensure that tag length is a multiple of 4 bytes */
proto_tag_len = ((proto_str_len + 3) & 0xfffffffc);

/* Add Tag + length */
tag_buf_size += (proto_tag_len + 4);


exp_pdu_data->tlv_buffer = (guint8 *)g_malloc0(tag_buf_size);

Basically, the buffer to store the proto_name tag must be multiple of 4 bytes. This means that if I use "data", I have "data", but if I use "data1" I have "data1\x00\x00\x00". What's the rationale behind this? Why is the alignment to 4 bytes required?