Ask Your Question
0

Access lower layer protocol information from dissector

asked 2018-06-14 08:59:56 +0000

Florian Haradji gravatar image

updated 2018-06-14 17:54:47 +0000

Guy Harris gravatar image

Hi,

I'm sure it's a question that has been asked many times, but I could not find it... In the C dissector I'm writing on top of UDP (triggered by udp.port), I need to access the 'total length' field from the UDP header. I need this because captured packet length is not enough as there can be Ethernet padding.

But when the dissector gets called, I can only access payload, not header from lower layer protocol. I guess I'll have to mess around with packet_info or proto_tree but I did not figure it out.

Thanks in advance!

edit retag flag offensive close merge delete

Comments

If there's Ethernet padding you won't find that in the length field of the UDP header either.

Jaap gravatar imageJaap ( 2018-06-14 10:56:01 +0000 )edit

Well, actually I need to read the UDP header to be able to know what part is actually padding...

Florian Haradji gravatar imageFlorian Haradji ( 2018-06-14 13:37:54 +0000 )edit
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2018-06-14 14:21:08 +0000

cmaynard gravatar image

The UDP dissector calls sub-dissectors with the length of the UDP payload. From packet-udp.c:

decode_udp_ports(tvb, offset, pinfo, tree, udph->uh_sport, udph->uh_dport, udph->uh_ulen);

Whether there's Ethernet padding present or not, your dissector won't know about it. In fact, your dissector won't even know if the UDP datagram was transmitted over Ethernet or some other link layer protocol.

edit flag offensive delete link more

Comments

cool, so how do I get this? dissector prototype is (tvbuff_t, packet_info, proto_tree, void*). I guess I'll have to cast the void* into something else...but what?

Florian Haradji gravatar imageFlorian Haradji ( 2018-06-14 14:27:17 +0000 )edit

ôk looking at the code it seems it is just the reported length of the tvbuff...

Florian Haradji gravatar imageFlorian Haradji ( 2018-06-14 15:04:12 +0000 )edit

You get the length from the tvb, in most cases using tvb_reported_length().

Maybe have another read through README.dissector, README.developer and friends?

cmaynard gravatar imagecmaynard ( 2018-06-14 15:06:15 +0000 )edit

I did, but it is not exactly crystal clear what "reported length" actually means...anyway like most of the time you find the answer looking at the code :) Thanks a lot for your help

Florian Haradji gravatar imageFlorian Haradji ( 2018-06-14 15:08:20 +0000 )edit

Well, there's reported length and captured length. The reported length is how much data should be in the buffer; the captured length is how much data is actually in the buffer. These values may be different due to such things as malformed packets or sliced packets (a snaplen was specified during capturing). In most cases, you want to use the reported length so Wireshark can tell you the packet was truncated or if it's malformed.

cmaynard gravatar imagecmaynard ( 2018-06-14 15:37:51 +0000 )edit
see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-06-14 08:59:56 +0000

Seen: 563 times

Last updated: Jun 14 '18

Related questions

how to invert two bytes in lua script dissector ?

How do I get and display packet data information at a specific byte from the first byte?

why protocol is not showing as HTTP even though we sent http request ?

Adjusting Bit order and Endianess in LUA between Dissectors

How do I add "child item" to an item in the subtree?

PRP Dissector and FCS

Use a UDP payload dissector depending on ip addresses

Reuse (part of) a Wireshark Dissector

Heuristic dissector not called

How do I dissect multiple packets?