Ask Your Question
0

get_foo_message_len - What should this function return?

asked 2019-09-26 17:03:09 +0000

Kim gravatar image

updated 2019-09-26 17:17:27 +0000

grahamb gravatar image

Example from the Wireshark documentation:

/* determine PDU length of protocol foo */
static guint
get_foo_message_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset, void *data
_U_)
{
  /* TODO: change this to your needs */
  return (guint)tvb_get_ntohl(tvb, offset+4); /* e.g. length is at offset 4 */
}

Here is the raw data imported into wireshark

000000 0a 01 00 00 00 00 00 10 03 0a 02 00 00 00 00 00 11 03

The raw data shows 2 messages. A message ends with 03.

first call to get_foo_message_len(...)

 the tvb buffer contains the following:
      tvb 0 = 10
      tvb 1 =   1
      tvb 2 =   0
      tvb 3 =   0
      tvb 4 =   0
      tvb 5 =   0
      tvb 6 =   0
      tvb 7 = 16
      tvb 8 =   3
      tvb 9 = 10

The 1st message ends a tvb 8. The next message begins with tvb 9. What should the get_foo_message_len return? tvb 9 = 10

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-09-26 17:24:16 +0000

grahamb gravatar image

get_foo_message_len() should return the length of the PDU in bytes.

The example assumes that the two bytes at offset 4 in the tvb contain the length of the PDU as 16 bit value in network byte order.

As you give no other info about your protocol and there doesn't seem to be a length byte in it, you could possibly:

  • Assume all PDU's are 9 bytes long and simply return 9.
  • Scan the tvb looking for the terminator byte 0x03 (as long as 0x03 can't be found in the message itself), and return the offset of that byte + 1.
  • Return something else that is the correct value for your protocol.
edit flag offensive delete link more

Comments

Based on my input data 2 messages. The execution should be as followed:

dissect_foo()
  get_foo_message_len()
  dissect_foo_message()
     processes first message

dissect_foo()
  get_foo_message_len()
  dissect_foo_message()
     processes 2nd message

It would have thought execution is complete since it processed two messages but the code repeats as follows:

dissect_foo()
  get_foo_message_len()
  dissect_foo_message()
     processes 1st message again!!!

dissect_foo()
  get_foo_message_len()
  dissect_foo_message()
     processes 1st message again!!!

dissect_foo()
  get_foo_message_len()
  dissect_foo_message()
     processes 2nd message again!!!

What is going on? it should have processed the first 2 messages and than stop.

Kim gravatar imageKim ( 2019-09-26 17:49:29 +0000 )edit

Wireshark makes multiple passes over the capture, and will read frames again when they're clicked on.

If you build up state across frames, you can check to see if you've already processed a frame once by inspecting the pinfo->fd->flags.visited flag.

If you don't build up state, then simply return the correct values for the tvb handed to you. The dissector should return the number of bytes dissected allowing a further call to be made to the dissector if another PDU is in the same frame.

grahamb gravatar imagegrahamb ( 2019-09-26 18:17:53 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2019-09-26 17:03:09 +0000

Seen: 511 times

Last updated: Sep 26 '19