Wireshark · Ethereal-dev: Re: [Ethereal-dev] dissectors looking into lower layers

Ethereal-dev: Re: [Ethereal-dev] dissectors looking into lower layers

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>

Date: Wed, 20 Feb 2002 12:34:26 -0800

On Wed, Feb 20, 2002 at 03:21:22PM -0500, packet steve wrote:
> Is there a preferred way for a dissector to grab information from a lower 
> protocol layer?

The preferred way is to have the lower protocol layer provide that
information to the higher protocol layer.

The "packet_info" structure has a "private_data" field to use for this
purpose.  It's a "void *"; a protocol dissector can set it to point to a
variable (which can be an automatic variable on the stack of the
dissector; the "packet_info" structure is *NOT* persistent so there is
*NOT* a requirement that the variable to which "private_data" points is
persistent).

See, for example, the TCP dissector, which sets it to point to a local
variable of type "struct tcpinfo", containing information such as

	the sequence number of the first byte of data (in the current
	CVS version of Ethereal, but not in 0.9.1);

	an indication of whether the data was reassembled or is just a
	raw TCP segment;

	an indication of whether the URG flag was set in the segment;

	if the URG flag was set, the value of the urgent pointer.

However:

> E.g., When a dissector needs to grab some information from 
> the udp header.

the only information in the UDP header is:

	the source port number;

	the destination port number;

	the length of the packet;

	the checksum;

and:

	the preferred way for a dissector to find out the source or
	destination port of a packet is to get it from *other* fields in
	the "packet_info" structure, namely:

		ptype - contains the type of the port numbers (PT_NONE
		if there are no port numbers, PT_SCTP for SCTP,	PT_TCP
		for TCP, PT_UDP for UDP, PT_NCP for a Netware NCP
		connection);

		srcport - the source port number;

		destport - the destination port number;

	the preferred way for the dissector to find out the length of
	the data handed to it is by calling "tvb_reported_length()" on
	the tvbuff it was handed (yes, "tvb_reported_length()", not
	"tvb_length()" - "tvb_length()" is the amount of data that
	happened to be captured, but there might have been more data in
	the packet).

What are you trying to do that you need information from the other
dissector?  There may already be a way of doing that with existing
mechanisms.

References:
- [Ethereal-dev] dissectors looking into lower layers
  - From: packet steve

Prev by Date: [Ethereal-dev] dissectors looking into lower layers
Next by Date: Re: [Ethereal-dev] dissectors looking into lower layers
Previous by thread: [Ethereal-dev] dissectors looking into lower layers
Next by thread: Re: [Ethereal-dev] dissectors looking into lower layers
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$