How do I get and display packet data information at a specific byte from the first byte?

asked 2017-10-31 15:29:15 +0000

mest112
7 ●4 ●5 ●10

updated 2017-10-31 15:41:42 +0000

flag of United Kingdom of Great Britain and Northern Ireland

23835 ●4 ●976 ●227 https://www.wireshark.org

Hello, I am a beginner in Wireshark and dissector building, right now I'm just trying to figure out how to fetch and display packet data. I use the following lines in my dissect function:

guint val;
val = tvb_get_guint8(tvb, 1);
proto_tree_add_uint(masp_tree, hf_masp_data, tvb, 1, 1, val);

Here is an image of the results:

Expected result: 0x00

Actual result: 0x60

Why does fetching the data start from the 43rd byte instead of the very 1st one? How do I resolve this issue?

Thanks

edit retag flag offensive close merge delete

add a comment

0

answered 2017-11-02 19:28:58 +0000

grahamb

23835 ●4 ●976 ●227 https://www.wireshark.org

updated 2017-11-03 17:59:34 +0000

If your traffic is always over Ethernet you can use the pinfo->dl_dst structure and copy it into a local buffer with address_to_bytes(), e.g.

char myBuff[2];
address_to_bytes(pinfo->dl_dst, myBuff, 2);
char myByte = myBuff[1];

edit flag offensive delete link

add a comment

0

answered 2017-10-31 15:49:49 +0000

grahamb

23835 ●4 ●976 ●227 https://www.wireshark.org

The offset is due to the headers provided by the other parts of the frame, i.e. the Ethernet, IP and UDP headers. Note that by passing the 4th parameter to proto_tree_add_uint() as 1 you're asking for the byte at offset 1 in your tvb, i.e. the second byte in the UDP payload.

Presumably you have registered your dissector with the UDP dissector, hence the preceding items. The byte view shows the whole frame not just your application data.

It's not clear to me why you expect the result to be 0x00, which byte in the byte view are you expecting to read?

edit flag offensive delete link

Comments

Thanks for the answer, I was expecting the second byte (the one beside 01, in the top left corner). I'm aware that passing the 4th parameter as 1 in proto_tree_add_uint() would get me the byte at offset 1 in the tvb, it's just that I was expecting the tvb to start from 01 (the byte at the top left corner of byte view).

The offset is due to the headers provided by the other parts of the frame, i.e. the Ethernet, IP and UDP headers.

Any idea on how I can set this offset to 0?

mest112 ( 2017-10-31 16:22:57 +0000 )edit

The second byte you are referring to is part of the Ethernet payload, and is not part of the tvb corresponding to the UDP payload (the one that is being given to your dissector). The UDP payload starts at offset 0x2a, so the second byte is 0x60 as seen in your capture.

Why do you want to access the top tvb corresponding to the Ethernet frame?

Pascal Quantin ( 2017-10-31 16:29:22 +0000 )edit

It's for a project. Is there a way to access the top tvb corresponding to the Ethernet frame?

mest112 ( 2017-11-01 15:36:12 +0000 )edit

Do you need only the byte or will the Ethernet address do? If the latter, then the packet_info structure passed to your dissector has a member named dl_dst that holds the data link layer destination address.

grahamb ( 2017-11-02 11:37:52 +0000 )edit

I need only the byte

mest112 ( 2017-11-02 14:53:18 +0000 )edit

add a comment

How do I get and display packet data information at a specific byte from the first byte?

2 Answers

Comments

Your Answer

Question Tools

Stats

Related questions

How do I get and display packet data information at a specific byte from the first byte? edit

2 Answers

Comments

Your Answer

Question Tools

Stats

Related questions

How do I get and display packet data information at a specific byte from the first byte?