Ask Your Question

Revision history [back]

Sounds like byte stuffing where an escape character (in your case 0x10) has to be preceded by another escape character.

Most dissectors use a variable named "offset" to hold their current position in the tvb, incrementing it accordingly after each protocol field is handled. In your case when you detect the extra 0x10, simply increment offset by 1 and don't add anything to the tree. Subsequent tree additions will then use the "corrected" offset.