This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

When to use tvb_reported_length?

0

I am aware that tvb_captured_length describes the available data for dissection, and tvb_reported_length the data that was available in the real world (snaplen).

tvb_captured_length should be used when:

  • A new dissector needs to return a value to indicate acceptance of packet data.

When should tvb_reported_length be used? Please provide some examples that clearly demonstrate the difference between tvb_captured_length() and tvb_reported_length(). I am especially interested in the "correct" behavior of reassembly.

If a dissector needs (for example) 8 bytes that describe the following data (type, variable length), what value should be used for the comparison? This:

int dissect_example(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) {
    if (tvb_captured_length(tvb) < 8) {
        return -1;
    }
    // ...
    return tvb_captured_length(tvb);
}

or this?

int dissect_example(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) {
    if (tvb_reported_length(tvb) < 8) {
        return -1;
    }
    // ...
    return tvb_captured_length(tvb);
}

I guess it is the former, since a dissector is interested in data, but data that is not captured cannot be checked.

Is the assumption tvb_captured_length() <= tvb_reported_length() also always valid? What is the lower bound of tvb_captured_length() when the two values are not equal?

asked 04 Jul '14, 04:08

Lekensteyn


2 Answers:

2

I think you'll always have to work with tvb_captured_length when dissecting packets

No, "normal" dissection should use tvb_reported_length(), as it should try to dissect the reported data and run into an exception when the available (captured) data is exhausted, generating the automatic output [malformed packet - data may have been cut short] (or something like that).

The only time to use tvb_captured_length() is when you don't want the exception like in heuristic dissectors when determining whether this is the right dissector or not or possibly in reassembly, decompression and the like. So reported length should be the normal case and captured length only used in special cases.

answered 04 Jul '14, 07:14

Anders ♦

edited 08 Jul '14, 14:16

Lekensteyn

Thanks Anders, that is helpful. Would you mind adding an answer and touching on some points from my question? The more distinct cases with examples, the better.

(04 Jul '14, 08:07) Lekensteyn

Comment converted to answer

(04 Jul '14, 08:25) grahamb ♦

Anders, to clarify, tvb_captured_length() should only be used as return value or when used for heuristics checks, and tvb_reported_length() for all other cases? Or are there other cases where tvb_captured_length() should be used?

(08 Jul '14, 09:16) Lekensteyn

It's impossible to give a straight answer, but basically, yes. As Guy said, tvb_captured_length should only be used in rare cases.

(08 Jul '14, 12:45) Anders ♦

doc/packet-PROTOABBREV.c suggests using tvb_captured_length() in a new-style dissector routine. You want to do this when you have successfully dissected (most) of the message, when the length is not known in advance (for example, when used in combination with tcp_dissect_pdus or a protocol such as SMTP which has no explicit message length).

(16 Feb '15, 10:13) Lekensteyn

0

I think you'll always have to work with tvb_captured_length when dissecting packets, because - as you already said - it's what you have. tvb_reported_length is necessary for statistics and for some expert analysis topics, e.g. when calculating next sequence number for TCP.

answered 04 Jul '14, 06:11

Jasper ♦♦

Consider dissect_msmms_command() in packet-ms-mms.c. Is that proper use of tvb_reported_length_remaining()?

(04 Jul '14, 06:22) Lekensteyn
1

No. As Anders said, dissectors should attempt to dissect based on the reported length, because they should throw an exception if they run out of data, so the user knows that the packet really is bigger than what Wireshark is showing, the capture was just cut off with a snapshot length/slice length.

For example, a "dissect until the end of the packet" loop should use tvb_reported_length(), not tvb_captured_length().

tvb_captured_length() should only be used in some rare circumstances. For example, if the packet has a checksum that the dissector checks, it should use tvb_captured_length() - or tvb_bytes_exist() - to make sure all the data over which the checksum should be calculated was captured, and not attempt to check the checksum if not all the data was captured.

(04 Jul '14, 12:39) Guy Harris ♦♦
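
The difference the thread describes, as an added example that is not part of the original posts and is not Wireshark code: a toy buffer with a captured and a reported length, a "dissect until the end of the packet" loop run against either bound, and a checksum gate. All names (toy_tvb, toy_get_u8, toy_dissect_tlvs, toy_can_verify_checksum) and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy model of a tvbuff (hypothetical names, NOT Wireshark's API). */
typedef struct {
    const uint8_t *data;
    size_t captured_len;   /* bytes saved in the capture file */
    size_t reported_len;   /* bytes the packet had on the wire */
} toy_tvb;

enum { DISSECT_OK = 0, CUT_SHORT = 1, MALFORMED = 2 };

/* Constructed sample: three 4-byte TLV records were on the wire (12 bytes),
 * but a snapshot length of 8 kept only the first two. */
static const uint8_t SAMPLE[8] = { 1, 2, 0xAA, 0xBB,  2, 2, 0xCC, 0xDD };
static const toy_tvb SLICED = { SAMPLE, 8, 12 };

/* Byte accessor: returns an error where a real accessor would throw. */
static int toy_get_u8(const toy_tvb *t, size_t off, uint8_t *out) {
    if (off >= t->reported_len) return MALFORMED;  /* past the real packet */
    if (off >= t->captured_len) return CUT_SHORT;  /* lost to the snaplen */
    *out = t->data[off];
    return DISSECT_OK;
}

/* Walk type/length/value records until the offset reaches `bound`.
 * Passing reported_len surfaces the truncation; passing captured_len
 * ends the loop early and hides that a record is missing. */
int toy_dissect_tlvs(const toy_tvb *t, size_t bound, unsigned *records) {
    size_t off = 0;
    *records = 0;
    while (off < bound) {
        uint8_t type, len;  /* type is read only to prove the byte exists */
        int rc;
        if ((rc = toy_get_u8(t, off, &type)) != DISSECT_OK) return rc;
        if ((rc = toy_get_u8(t, off + 1, &len)) != DISSECT_OK) return rc;
        if (len > t->reported_len - (off + 2)) return MALFORMED;
        if (off + 2 + len > t->captured_len) return CUT_SHORT;
        off += 2 + (size_t)len;
        (*records)++;
    }
    return DISSECT_OK;
}

/* Checksum gate: verify only if every covered byte was captured. */
int toy_can_verify_checksum(const toy_tvb *t, size_t off, size_t len) {
    return off <= t->captured_len && len <= t->captured_len - off;
}
```

With the sliced sample, the reported-length bound stops with CUT_SHORT after two records, while the captured-length bound returns DISSECT_OK for the same two records and gives no sign that a third existed.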