Ask Your Question
0

Wireshark Debug. Where packet data is stored?

asked 2019-07-10 06:43:12 +0000

JustPlayin gravatar image

I am currently debugging Wireshark to find out the field in which the SSH packet data is stored. I have my breakpoint in the function:

ssh_dissect_ssh2(tvbuff_t *tvb, packet_info *pinfo, struct ssh_flow_data *global_data, int offset, proto_tree *tree, int is_response, gboolean *need_desegmentation)

Can someone of you tell me where the data is stored? I cannot find it...

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-07-10 08:53:12 +0000

grahamb gravatar image

In the structure pointed to by tvb.

edit flag offensive delete link more

Comments

Thanks grahamb. It is somehow possible to access the fields of this structure? Since when I try, I get an error that the size of the struct is unknown...

Edit: It seems like I found how to access the fields using the functions provided by tvbuff.c. @grahamb maybe you can tell me how is the best way to find out the needed offset to get the real_data using the method tvb_memcpy?

JustPlayin gravatar imageJustPlayin ( 2019-07-11 06:21:50 +0000 )edit

Offset to what? The data in the tvb contains the rest of the packet after the previous dissectors have processed their part of the packet, i.e. each dissector starts processing at offset 0.

grahamb gravatar imagegrahamb ( 2019-07-11 09:50:47 +0000 )edit

Offset to the real_data field.

JustPlayin gravatar imageJustPlayin ( 2019-07-11 10:28:08 +0000 )edit

I think we're mis-communicating here. The offset parameter of tvb_memcpy() indicates how far into the data you want the copy to start from, so use 0 for the start of data for the current dissector.

grahamb gravatar imagegrahamb ( 2019-07-11 10:36:43 +0000 )edit

And as size do I take the size of the struct? so sizeof(tvb)?

JustPlayin gravatar imageJustPlayin ( 2019-07-12 08:09:27 +0000 )edit
see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-07-10 06:43:12 +0000

Seen: 318 times

Last updated: Jul 10 '19

Related questions

Looking for a detailed explanation on the SSL debug file

SSH performance question

SSH remote capture private key can't connect

How do I use SSH Remote Capture in Wireshark

SSH Remote Capture Restart Error

is there a way to identify problematic code??

sshdump does not connect and provides no error

CAN reading over SSH

SSH Connection randomly drops (Palo Alto FW in between)

Implementing a SSH decryption plugin