Wireshark · Ethereal-dev: Re: [Ethereal-dev] a bug about rfcode filter when dissecting encrypted protocol

[Guy Harris <gharris@xxxxxxxxx>]

On Thu, Jun 20, 2002 at 11:09:41AM +0800, Buding Chen wrote:
>     However, there is a bug described below: After inputing some available
> filter in "Open Capture File" dialog box, the routine will do
> epan_dissect_run(...) in function read_packet(...) at file.c:799. Then the
> argument "buf" will be modified by encrypting protocol.

Ethereal does not support dissectors that modify the data in tvbuffs
handed to them; if doing so causes a problem, that's a bug in the
dissector, not in Ethereal.

Therre is a reason why "tvb_get_ptr()" returns a "const guint8 *", not a
"guint8 *" - callers of "tvb_get_ptr()" are not supposed to modify any
of the bytes in the region of memory pointed to by the return value of
"tvb_get_ptr()".  Compilers will probably give a warning or an error if
you attempt to compile code that modifies something pointed to by a
"const guint8 *"; it is an error to try to make the code compile by
casting the pointer to "guint8 *".

>     Dose any one have a better way to dissect encrypted protocol rather than
> using "(guint8 *)tvb_get_ptr(...)"?

Yes.

You allocate a buffer to hold the decrypted data, decrypt the data into
that new buffer, and then make a tvbuff that refers to the decrypted
data, and use that tvbuff.

See, for example, the routine "dissect_icqv5Client()" in "packet-icq.c",
which does

   rounded_size = ((((capturedsize - ICQ5_CL_SESSIONID) + 3)/4)*4) + ICQ5_CL_SESSIONID;
   decr_pd = g_malloc(rounded_size);

to allocate the new buffer, does

   tvb_memcpy(tvb, decr_pd, 0, capturedsize);
   decrypt_v5(decr_pd, rounded_size, key);

to copy the encrypted data to that buffer and decrypt it, does

   /* Allocate a new tvbuff, referring to the decrypted data. */       
   decr_tvb = tvb_new_real_data(decr_pd, capturedsize, pktsize);

to make a tvbuff that refers to that data, does

   /* Arrange that the allocated packet data copy be freed when the
      tvbuff is freed. */
   tvb_set_free_cb(decr_tvb, g_free);

to ensure that the allocated data will be freed when the tvbuff is
freed, does

   /* Add the tvbuff to the list of tvbuffs to which the tvbuff we
      were handed refers, so it'll get cleaned up when that tvbuff
      is cleaned up. */
   tvb_set_child_real_data_tvbuff(tvb, decr_tvb);

to arrange that the new tvbuff will be cleaned up when the tvbuff
containing the data used to generate it is cleaned up, does

   /* Add the decrypted data to the data source list. */
   add_new_data_source(pinfo, decr_tvb, "Decrypted");

to add that new tvbuff to the list of tvbuffs from which data in the
protocol tree for the current packet comes (that'll cause a new tab to
show up in the Ethereal GUI pane that shows hex data, so you can see
both the raw packet data and the decrypted data), and then uses
"decr_tvb" as the tvbuff from which to fetch decrypted data.