Ethereal-dev: Re: [Ethereal-dev] smb, dcerpc, having old-style dissector call a tvbuff one?
On Fri, Jul 20, 2001 at 01:55:56AM -0400, Todd Sabin wrote:
> I started looking at hooking up the SMB and dcerpc dissectors, but
> it's not at all clear how to get an old style dissector to call into a
> tvbuff style one.
See how "packet-smb-mailslot.c" does it.
> I hacked up a tvbuff_t in packet-smb-pipe.c similar to the way it was
> done in packet-gtp.c. I.e., allocated a new one, copied data from the
> packet data from smb, and then passed that along to dissect_dcerpc_cn.
You only do that if you are actually rearranging or modifying data
(rather than just slicing off a subset), e.g. removing a length field
from between protocol headers (as GTP is doing), or reassembling
multiple IP fragments (as the reassembly code in "reassemble.c" does),
or decrypting or decompressing data (as the ICQ and WCP dissectors do).
> It kinda worked. The summary lines look correct, however, the proto
> tree is missing the DCERPC part of the tree. Tracing in with gdb, it
> happens that in proto_tree_draw_node, find_notebook_page is failing
> for the dcerpc node.
Rearranging or modifying means that the data dissected by the target
dissector isn't just a slice of data from the raw frame; as such, a new
data source is created, so that you see more than one tab in the hex
pane, and you can select the raw frame data or the rearranged/modified
data (or, if you select a field, the appropriate data source is selected
for you).
> I'm guessing that what I've done isn't exactly the Right Thing. :)
Nope - you're just slicing some data off, rather than rearranging it or
modifying it, so you don't create a new data source.
Once the SMB dissector is tvbuffified, that'd be done with
"tvb_new_subset()"; for now, however, you have to do it with
"tvb_create_from_top()", as "packet-smb-mailslot.c" does.
