This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dissecting bitfields larger than 32 bits

1

I am writing a dissector for a protocol which contains bitfields that are larger than 32 bits. For instance there is one bitfield that is 48-bits long, with other bitfields being 80-bits long. Setting the bitmask for the field in the header_field_info structure does not work since the bitmask is only 32-bits long.

I believe that there are a number of possible ways to proceed:

  1. I can extract the bytes from the tvb into local variables and extract the relevant bits for each field (possibly using bit accessors such as tvb_get_bits64 where appropriate) and then use proto_tree_add_text to add the values to the display
  2. Treat the bitfield in a similar way to compressed data and extract the bit fields into a new buffer as if they were byte aligned then use tvb_new_real_data, etc., to add a new data source and then dissect the new tvb buffer from offset 0

Neither method will be as nice or as easy as using the inbuilt bitmask method. It would be nice to display the individual fields as the standard bitmask dissection (with the bit pattern preceding the field title and contents) but I cannot think of a nice way of doing this.

What are the pros and cons of these two methods and which should I choose? Is there another, better way to proceed that I haven't thought of?

asked 18 Apr '13, 16:12

GrahamS


One Answer:

0

I'd go with method 1 (using proto_tree_add_text). I used this method in a couple of dissectors I wrote some years ago for proprietary protocols. I don't remember why I didn't use the bitmask field in header_field_info - I probably wasn't aware of it at the time. But the obvious approach of a series of proto_tree_add_text calls protected by if statements, while more verbose, is straightforward, clean, and clear to maintainers. It's also easy to crank out the code with a regex search-and-replace or a piece of throwaway scripting, if you have a header that defines the various bits, for example.

I'm by no means an expert in this area, though, so take that with a pinch of salt.

answered 21 Apr '13, 13:56

mwojcik
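
Method 1 from the question, as an added stand-alone C example (not part of the original posts and not Wireshark code): it reads a field of up to 64 bits at any bit offset with a bounds check, since a dissector parses untrusted packets, and builds the dotted bit-pattern line that the built-in bitmask display shows. The names get_bits64 and format_field and the 48-bit sample layout are assumptions made for illustration; in a real dissector the read would come from a tvb accessor such as tvb_get_bits64.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 48-bit sample: 4-bit A, 36-bit B, 8-bit C (hypothetical layout). */
static const uint8_t sample[6] = { 0xA5, 0x12, 0x34, 0x56, 0x78, 0x9F };

/* Read nbits (1..64) at absolute bit offset bit_off, MSB first (bit 0 is the
 * top bit of buf[0]). Returns 0 on success, -1 if the range is not in buf. */
static int get_bits64(const uint8_t *buf, size_t len, size_t bit_off,
                      unsigned nbits, uint64_t *out)
{
    if (nbits == 0 || nbits > 64 || len > SIZE_MAX / 8 ||
        bit_off > len * 8 || nbits > len * 8 - bit_off)
        return -1;                      /* truncated or malformed packet */
    uint64_t v = 0;
    for (size_t b = bit_off; b < bit_off + nbits; b++)
        v = (v << 1) | ((buf[b / 8] >> (7 - b % 8)) & 1u);
    *out = v;
    return 0;
}

/* Write the bitmask-style pattern for one field of a cont_bits-wide container
 * at buf[0]: field bits as 0/1, all others as '.', nibbles space-separated. */
static int format_field(const uint8_t *buf, size_t len, unsigned cont_bits,
                        unsigned off, unsigned nbits, char *dst, size_t dst_len)
{
    if (cont_bits == 0 || len > SIZE_MAX / 8 || cont_bits > len * 8 ||
        off > cont_bits || nbits > cont_bits - off ||
        dst_len < cont_bits + (cont_bits - 1) / 4 + 1)
        return -1;                      /* bad layout or output buffer too small */
    size_t n = 0;
    for (unsigned b = 0; b < cont_bits; b++) {
        if (b && b % 4 == 0)
            dst[n++] = ' ';
        int bit = (buf[b / 8] >> (7 - b % 8)) & 1;
        dst[n++] = (b >= off && b < off + nbits) ? (char)('0' + bit) : '.';
    }
    dst[n] = '\0';
    return 0;
}

int main(void)
{
    uint64_t v; char line[128];         /* 128 also fits an 80-bit container */
    if (get_bits64(sample, sizeof sample, 4, 36, &v) == 0 &&
        format_field(sample, sizeof sample, 48, 4, 36, line, sizeof line) == 0)
        printf("%s = B: 0x%llx\n", line, (unsigned long long)v);
}
```

A single field wider than 64 bits does not fit one read; it has to be split into two reads or shown as raw bytes.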