0

Wireshark Debug. Where packet data is stored?

asked 2019-07-10 06:43:12 +0000

JustPlayin

I am currently debugging Wireshark to find out the field in which the SSH packet data is stored. I have my breakpoint in the function:

ssh_dissect_ssh2(tvbuff_t *tvb, packet_info *pinfo, struct ssh_flow_data *global_data, int offset, proto_tree *tree, int is_response, gboolean *need_desegmentation)

Can one of you tell me where the data is stored? I cannot find it...


1 Answer

0

answered 2019-07-10 08:53:12 +0000

grahamb

In the structure pointed to by tvb.


Comments

Thanks grahamb. Is it somehow possible to access the fields of this structure? When I try, I get an error that the size of the struct is unknown...

Edit: It seems I found how to access the fields using the functions provided by tvbuff.c. @grahamb, maybe you can tell me what the best way is to find out the offset needed to get the real_data using the tvb_memcpy method?

JustPlayin ( 2019-07-11 06:21:50 +0000 )

Offset to what? The data in the tvb contains the rest of the packet after the previous dissectors have processed their part of the packet, i.e. each dissector starts processing at offset 0.

grahamb ( 2019-07-11 09:50:47 +0000 )

Offset to the real_data field.

JustPlayin ( 2019-07-11 10:28:08 +0000 )

I think we're mis-communicating here. The offset parameter of tvb_memcpy() indicates how far into the data you want the copy to start from, so use 0 for the start of data for the current dissector.

grahamb ( 2019-07-11 10:36:43 +0000 )

And as size, do I take the size of the struct, so sizeof(tvb)?

JustPlayin ( 2019-07-12 08:09:27 +0000 )

I'm not sure why you're so interested in the struct. A tvb is a safer abstraction of a simple buffer with appropriate accessors. The accessors are all listed in tvbuff.h, and documented in docs/README.dissector.

From Sect 1.3.2 of README.dissector:

The "tvb" argument to a dissector points to a buffer containing the raw data to be analyzed by the dissector; for example, for a protocol running atop UDP, it contains the UDP payload (but not the UDP header, or any protocol headers above it). A tvbuffer is an opaque data structure, the internal data structures are hidden and the data must be accessed via the tvbuffer accessors.

Followed by an extensive list of the accessors.

To get the actual length of the buffer use tvb_captured_length().

grahamb ( 2019-07-12 08:50:12 +0000 )

Ok. First, thanks for your information. That's really helpful! Just for clarification, I am trying to get the real_data out of the struct. The struct cannot be accessed directly, so I tried it using the tvb_memcpy() function. My confusion probably comes from the fact that the real_data is the fifth value of the tvb struct, so I tried it first using offset=5 and as size I used 8, which is of course completely wrong.

Edit: I cannot find the method tvb_captured_length(), does it still exist?

JustPlayin ( 2019-07-12 09:30:38 +0000 )

I hope so, lots of dissectors call it.
Currently (on branch master), declared at line 214 of epan/tvbuff.h.

Note that there is another length function, tvb_reported_length(), which indicates the size of the packet "on the wire", but as the capture mechanism may "slice" the capture at a certain offset, tvb_captured_length() says how much is actually in the tvb that you can tvb_memcpy() out.

grahamb ( 2019-07-12 10:20:21 +0000 )

Thanks a lot. I tried it as you said, but unfortunately I only get this error: "Warn Dissector bug, protocol SSH, in packet 4: STATUS_ACCESS_VIOLATION: dissector accessed an invalid memory address". I am using 0 as offset and the length provided by tvb_captured_length() cast to size_t. As target I have an empty void * and the struct tvb as tvbuff_t. Am I missing something?

JustPlayin ( 2019-07-12 10:46:14 +0000 )

The target must be valid allocated memory of sufficient length; you are going to memcpy into it.

grahamb ( 2019-07-12 10:55:56 +0000 )

Ah shit! Ok, thanks a lot :)

JustPlayin ( 2019-07-12 11:08:45 +0000 )

There is also tvb_memdup() that will allocate for you, but it's tied to the Wireshark allocators.

grahamb ( 2019-07-12 12:09:38 +0000 )
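To make the contract grahamb describes concrete (offset is relative to the dissector's data, not to a struct field; the target must be caller-allocated; captured length is what you may copy, reported length is what was on the wire), here is an added stand-alone C example that is not from this thread or from Wireshark. demo_tvb_t and the demo_* functions are a constructed stand-in for the opaque tvbuff_t and its accessors, and the sample payload is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for Wireshark's opaque tvbuff_t: dissectors never read
 * these fields, they use the accessors in epan/tvbuff.h. demo_* is not Wireshark code. */
typedef struct {
    const uint8_t *real_data;  /* bytes actually captured for this dissector */
    size_t captured_length;    /* bytes in the buffer (cf. tvb_captured_length) */
    size_t reported_length;    /* bytes on the wire (cf. tvb_reported_length) */
} demo_tvb_t;

size_t demo_tvb_captured_length(const demo_tvb_t *tvb) { return tvb->captured_length; }
size_t demo_tvb_reported_length(const demo_tvb_t *tvb) { return tvb->reported_length; }

/* Copy len bytes from offset (relative to the dissector's data) into caller-allocated
 * target. Returns 0, or -1 when target is NULL or the range runs past the captured
 * bytes; the real tvb_memcpy() throws a Wireshark exception instead of reading past. */
int demo_tvb_memcpy(const demo_tvb_t *tvb, void *target, size_t offset, size_t len)
{
    if (target == NULL) return -1;
    if (offset > tvb->captured_length || len > tvb->captured_length - offset) return -1;
    memcpy(target, tvb->real_data + offset, len);
    return 0;
}

/* Allocating variant in the spirit of tvb_memdup(), but with plain malloc; caller frees. */
uint8_t *demo_tvb_memdup(const demo_tvb_t *tvb, size_t offset, size_t len)
{
    uint8_t *buf = malloc(len ? len : 1);
    if (buf == NULL || demo_tvb_memcpy(tvb, buf, offset, len) != 0) { free(buf); return NULL; }
    return buf;
}

/* Constructed sample: a 17-byte payload of which only 12 bytes were captured,
 * as if snaplen had sliced the packet part way through. */
static const uint8_t demo_payload[] = "SSH-2.0-OpenSSH_7";

demo_tvb_t demo_make_tvb(void)
{
    demo_tvb_t tvb = { demo_payload, 12, sizeof(demo_payload) - 1 };
    return tvb;
}

/* The pattern the thread arrives at: offset 0, length from the captured-length
 * accessor, destination owned by the caller. Returns bytes copied, 0 on failure. */
size_t demo_copy_payload(const demo_tvb_t *tvb, uint8_t *out, size_t out_size)
{
    size_t len = demo_tvb_captured_length(tvb);
    if (len > out_size || demo_tvb_memcpy(tvb, out, 0, len) != 0) return 0;
    return len;
}
```

In a real dissector the same bound check is why a request for more bytes than tvb_captured_length() ends in a dissector exception rather than a silent over-read, and why a NULL or too-small target is the caller's bug, not the tvb's.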


Stats

Asked: 2019-07-10 06:43:12 +0000

Seen: 286 times

Last updated: Jul 10 '19