 | 1 | initial version |
Sounds like byte stuffing where an escape character (in your case 0x10) has to be preceded by another escape character.
Most dissectors use a variable named "offset" to hold their current position in the tvb, incrementing it accordingly after each protocol field is handled. In your case when you detect the extra 0x10, simply increment offset by 1 and don't add anything to the tree. Subsequent tree additions will then use the "corrected" offset.
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
