How can I dissect fields less than 1-byte wide?

Question

I am working on a protocol dissector where some fields are comprised of fewer than 8 bits. For example, the first 4 bits identify the packet type, and the next 16 bits the length of following data. Can I dissect fields with length less than one byte, and how can I display them?

Answer 1

Absolutely. You can do this by specifying a nonzero bitmask when defining your header fields like so:

{ &hf_packet_type,
{ "type", "myproto.type", FT_UINT8, BASE_DEC, NULL, 0xF0, "Packet Type", HFILL }},
{ &hf_packet_length,
{ "length", "myproto.length", FT_UINT24, BASE_DEC, NULL, 0x0FFFF0, "Packet Length", HFILL }},

Then, simply add them to the tree as you have done for your other protocol fields:

proto_tree_add_item(my_tree, hf_packet_type, tvb, 0, 1, FALSE);
proto_tree_add_item(my_tree, hf_packet_length, tvb, 0, 3, FALSE);

Doing it this way keeps most of the bit-twiddling out of your dissector code, but still allows you to add fields of arbitrary widths and continuities to your protocol.

Note that if you need to work with those bits directly you must extract them from the tvb yourself, just as you do for fields that are byte-bounded and sized in byte-increments, just using one of the tvb_get_bits* functions in stead of one of the other tvb_get* functions.

How can I dissect fields less than 1-byte wide?

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions