How would I edit my custom dissector to make it decode bytes and display them as ASCII rather than hex or dec or any of the standard formats?

asked 31 Jul '12, 14:13

bball2601


ASCII is a standard format - use a field of type FT_STRING or FT_UINT_STRING or FT_STRINGZ, with an encoding of ENC_ASCII.

answered 31 Jul '12, 15:13

Guy Harris ♦♦

I had tried that... when I used field types FT_STRING and FT_STRINGZ, nothing is displayed, and when I use FT_UINT_STRING, I get an error saying: [Dissector bug, protocol PFCP: proto.c:1115: failed assertion "DISSECTOR_ASSERT_NOT_REACHED"]

I'm not sure if I possibly did something wrong. Here is my code dealing with this.

    { &hf_pfcp_ipAddressStr,
      { "PFCP IP Address String", "pfcp.ipAddressStr",
        FT_UINT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },

    proto_tree_add_item(pfcp_tree, hf_pfcp_ipAddressStr, tvb, offset, 15, ENC_ASCII);
    offset += 15;

(01 Aug '12, 09:39) bball2601

OK, this is a bit confusing. FT_UINT_STRING is for "counted" strings, where the string has an integral count of characters, followed by the characters. The length you specify in proto_tree_add_item() is the length of the count in bytes, and it has to be between 1 and 4 bytes. In addition, you have to specify the byte-order of the count (ENC_ASCII|ENC_BIG_ENDIAN or ENC_ASCII|ENC_LITTLE_ENDIAN), and to do the offset += N; you'd have to fetch the count yourself and add it to the offset.

So what format is the string in?

(01 Aug '12, 09:50) Guy Harris ♦♦

I'm sorry I'm new to all of this, what do you mean by "what format is the string in"? And I believe the field type I'm going to be wanting to use is FT_STRING, if that makes any difference.

(01 Aug '12, 10:07) bball2601

Is it:

  • 15 bytes of ASCII characters, and always 15 bytes long?

  • 0 to 15 bytes of ASCII characters, padded at the end with NULs (bytes with a value of 0);

  • an arbitrary number of ASCII characters, with a NUL at the end (so that it's not always 15 bytes long);

  • a 1-to-4-byte count of characters, followed by that number of ASCII characters (so that it's not always 15 bytes long);

  • something else?

(01 Aug '12, 10:15) Guy Harris ♦♦

It's 15 bytes of ASCII, always being 15 bytes. It's supposed to represent an IP address in the 000.000.000.000 format, each byte representing a digit or a period, always making it 15 bytes.

(01 Aug '12, 11:09) bball2601

So 127.0.0.1 would be represented as 127.000.000.001?

OK, then what should work is

    { &hf_pfcp_ipAddressStr,
      { "PFCP IP Address String", "pfcp.ipAddressStr",
        FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },

and

    proto_tree_add_item(pfcp_tree, hf_pfcp_ipAddressStr, tvb, offset, 15, ENC_ASCII);
    offset += 15;

If that doesn't work, file a bug - and attach a sample capture that exhibits the problem and your dissector code, if possible, as that would make it a lot easier to debug.

(01 Aug '12, 11:49) Guy Harris ♦♦

I finally got it working. The packets I was using I had individually created with another program, and it seems I created them wrong. Once I tested it with a proper packet, it decoded properly.

Thanks for all your help.

(06 Aug '12, 10:16) bball2601
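
The string layouts discussed in this thread differ in how many bytes the field occupies, which is what the length argument and the offset += step have to agree on. As an added example (a standalone C model, not Wireshark API code and not written by either poster; the function names and sample buffers are made up for illustration), each helper computes that size with bounds checks:

```c
#include <stddef.h>
#include <stdint.h>

/* Standalone model, not Wireshark code. Each helper returns how many bytes
 * the field occupies starting at off, or -1 if it does not fit in buflen. */

/* Constructed sample payloads (not taken from a real capture). */
const uint8_t SAMPLE_FIXED[] = "127.000.000.001";       /* 15 chars + NUL */
const uint8_t SAMPLE_COUNTED[] = { 0x00, 0x03, 'a', 'b', 'c' };

/* Fixed-length field: FT_STRING with an explicit length such as 15. */
long fixed_len(size_t buflen, size_t off, size_t n)
{
    return (off <= buflen && n <= buflen - off) ? (long)n : -1;
}

/* NUL-terminated field (FT_STRINGZ): the characters plus the NUL. */
long stringz_len(const uint8_t *buf, size_t buflen, size_t off)
{
    for (size_t i = off; i < buflen; i++)
        if (buf[i] == 0)
            return (long)(i - off + 1);
    return -1;                      /* no terminator inside the data */
}

/* Counted field (FT_UINT_STRING): a 1-to-4-byte count, then the characters. */
long counted_len(const uint8_t *buf, size_t buflen, size_t off,
                 size_t count_width, int big_endian)
{
    if (count_width < 1 || count_width > 4)
        return -1;                  /* e.g. 15 is not a valid count width */
    if (off > buflen || count_width > buflen - off)
        return -1;
    uint32_t count = 0;
    for (size_t i = 0; i < count_width; i++) {
        size_t k = big_endian ? i : count_width - 1 - i;
        count = (count << 8) | buf[off + k];
    }
    if (count > buflen - off - count_width)
        return -1;                  /* declared count runs past the data */
    return (long)(count_width + count);
}
```

A hand-built packet that is too short, or whose count is in the wrong byte order, shows up here as a -1 instead of a read past the end of the data.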