Hi,
What's wrong with tvb_new_subset()?
Thanks,
Jaap

Beth wrote:

I am trying to rewrite an existing dissector for a proprietary protocol
that, in fact, is only a slight variation on a standard protocol that is
supported by a builtin Wireshark dissector.

The proprietary frame begins with some special fields, followed by a
normal frame of the standard protocol BUT the checksum at the end of the
normal frame is recalculated to reflect the extra bytes at the
beginning. So while I can easily write a small dissector that parses
the initial extra fields (and have done so), I cannot simply pass the
rest of the buffer to the builtin dissector since then the checksum will
be wrong.

My question is: What is the "right" way to fix that checksum in Wireshark?

I've experimented with several strategies. The tvb_composite functions
would appear to be ideal, but I can't get them to work for some reason.
So at the moment I use tvb_memdup to put the data for the normal frame
into an array, fix the bytes of the checksum, and then use
tvb_new_real_data to create a new tvb to pass to the builtin
dissector. That strategy mostly works: the builtin dissector dissects
the right fields and doesn't complain about the checksum, but the
display isn't quite right. When I select a field in the display tree,
the wrong bytes are highlighted. I could fix that by figuring out what
internal field of the tvb (or packet_info) needs to be tweaked... but
the fact that I would have to do that tells me that maybe I'm not going
about this the right way. Generally whenever I find myself needing to
work around the Wireshark API, it means I'm using it wrong. ;)

Those of you who are experienced Wireshark developers, what would you
suggest?

Thanks,
b.