I am aware that
When should If a dissector needs (for example) 8 bytes that describe the following data (type, variable length). What value should be used for comparing? This:
or this?
I guess it is the former, since a dissector is interested in data, but data that is not captured cannot be checked. Is the assumption
asked 04 Jul '14, 04:08 Lekensteyn
2 Answers:
No "normal" dissection should use The only time to use
answered 04 Jul '14, 07:14 Anders ♦ edited 08 Jul '14, 14:16 Lekensteyn
I think you'll always have to work with tvb_captured_length when dissecting packets, because - as you already said - it's what you have. tvb_reported_length is necessary for statistics and for some expert analysis topics, e.g. when calculating next sequence number for TCP.
answered 04 Jul '14, 06:11 Jasper ♦♦
Consider
(04 Jul '14, 06:22) Lekensteyn
No. As Anders said, dissectors should attempt to dissect based on the reported length, because they should throw an exception if they run out of data, so the user knows that the packet really is bigger than what Wireshark is showing, the capture was just cut off with a snapshot length/slice length. For example, a "dissect until the end of the packet" loop should use
(04 Jul '14, 12:39) Guy Harris ♦♦
Thanks Anders, that is helpful. Would you mind adding an answer and touch some points from my question? The more distinct cases with examples, the better.
Comment converted to answer
Anders, to clarify, tvb_captured_length() should only be used as return value or when used for heuristics checks, and tvb_reported_length() for all other cases? Or are there other cases where tvb_captured_length() should be used?
It's impossible to give a straight answer but basically, yes. As Guy said, tvb_captured_length should only be used in rare cases.
doc/packet-PROTOABBREV.c suggests to use tvb_captured_length() in a new-style dissector routine. You want to do this when you have successfully dissected (most) of the message, when the length is not known in advance (for example, when used in combination with tcp_dissect_pdus or a protocol such as SMTP which has no explicit message length).
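The point made in the answers above (loop on the reported length so that running out of captured data raises an error instead of ending the dissection silently), shown as an added example that is not from the thread or from Wireshark's source. `model_tvb`, `model_get_u8` and `walk_tlvs` are hypothetical stand-ins written for this page, not Wireshark's tvbuff API, and the TLV record layout and sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Simplified stand-in for a tvbuff; NOT Wireshark's tvbuff_t or its API. */
typedef struct {
    const uint8_t *data;
    size_t captured_len;   /* bytes saved in the capture file */
    size_t reported_len;   /* bytes the packet had on the wire */
} model_tvb;
typedef enum { DISSECT_OK, DISSECT_TRUNCATED, DISSECT_MALFORMED } dissect_status;

/* Bounds-checked read, modelling an accessor that throws when out of data. */
static dissect_status model_get_u8(const model_tvb *tvb, size_t off, uint8_t *out)
{
    if (off >= tvb->reported_len) return DISSECT_MALFORMED;  /* past the real end */
    if (off >= tvb->captured_len) return DISSECT_TRUNCATED;  /* cut off by snaplen */
    *out = tvb->data[off];
    return DISSECT_OK;
}

/* Walk [type:1][len:1][value:len] records until the offset reaches `limit`. */
dissect_status walk_tlvs(const model_tvb *tvb, size_t limit, unsigned *records)
{
    size_t off = 0;
    *records = 0;
    while (off < limit) {
        uint8_t len, last;
        dissect_status st = model_get_u8(tvb, off + 1, &len);
        if (st != DISSECT_OK) return st;
        /* Read the record's last byte so a cut-off value is noticed. */
        st = model_get_u8(tvb, off + 1 + len, &last);
        if (st != DISSECT_OK) return st;
        off += 2 + (size_t)len;
        (*records)++;
    }
    return DISSECT_OK;
}

/* Constructed sample: 12 bytes on the wire, capture sliced to the first 7. */
static const uint8_t SAMPLE[] = { 1, 2, 0xAA, 0xBB, 2, 1, 0xCC };
static const model_tvb SAMPLE_TVB = { SAMPLE, sizeof SAMPLE, 12 };
int main(void)
{
    unsigned n;
    dissect_status st = walk_tlvs(&SAMPLE_TVB, SAMPLE_TVB.reported_len, &n);
    printf("limit = reported: %u records, status %d\n", n, (int)st);
    st = walk_tlvs(&SAMPLE_TVB, SAMPLE_TVB.captured_len, &n);
    printf("limit = captured: %u records, status %d\n", n, (int)st);
    return 0;
}
```

With the reported length as the limit, the walk stops with a truncation status after two records; with the captured length as the limit, it returns success after the same two records and the missing remainder goes unnoticed.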