Wireshark-dev: Re: [Wireshark-dev] dissecting bit
From: Brian Oleksa <oleksab@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 18 May 2011 11:27:56 -0400
Chris

Yes.....my bytes are all little endian. The reason you see the mixture....is because when I was trying to dissect the 24 bit URN....if I put in TRUE then wireshark crashed. I tried FALSE for the heck of it and I at least got some output. This is the only reason you see the mixture. But my bytes are little endian.
So are you suggesting that since I cannot use proto_tree_add_bits_item() ....that I must start over from scratch and start with the version like the code below..?? I was able to get this to work......but since I am "hard-coding" the location of the bits (like for version it would be "0x0f" ) how am I supposed to get a variable size field..?? Or should I not be doing this..??
For Example: If I do the following:

    //Version
    proto_tree_add_item(vmf_sub_tree, hf_vmf_version, tvb, offset, 1, FALSE);

    //FPI
    fpi = tvb_get_bits8(tvb, bit_offset, 1);
    proto_tree_add_item(vmf_sub_tree, hf_vmf_fpi, tvb, offset, 1, FALSE);
    if(fpi == 1)
    {
        //Data Compression type
        proto_tree_add_item(vmf_sub_tree, hf_vmf_datacompressiontype, tvb, offset, 1, FALSE);
    }

    //GPI
    gpi = tvb_get_bits8(tvb, bit_offset, 1);
    proto_tree_add_item(vmf_sub_tree, hf_vmf_gpi, tvb, offset, 1, FALSE);

    { &hf_vmf_version,
        { "Version", "vmf.version", FT_UINT8, BASE_DEC, NULL, 0x0f, NULL, HFILL}},
    { &hf_vmf_fpi,
        { "FPI", "vmf.fpi", FT_UINT8, BASE_DEC, NULL, 0x10, NULL, HFILL}},
    { &hf_vmf_gpi,
        { "GPI", "vmf.gpi", FT_UINT8, BASE_DEC, NULL, 0x80, NULL, HFILL}},

Thanks for your help...!!

On 5/18/2011 11:06 AM, Chris Maynard wrote:
> Brian Oleksa<oleksab@...> writes:
>
> > I am trying to dissect bits but am running into a problem when bytes start
> > to overlap (meaning the bit sets are not multiples of 8)
> >
> > For example:
> >
> > .... 0011
> > ...0 ....
> > ..1. ....
> > .1.. ....
> >
> > *The above 7 bits are being used. Now I need the next 24 bits for the next
> > field. How do I get that last bit in the first octet and add it to the
> > next 23 bits....????*
> >
> > Below is all of my current code base and screen shots. Also attached is
> > the layout of the packet:
> >
> > Any help is greatly appreciated.
>
> A couple of things:
>
> 1) tvb_get_bits[16|32|64]() only work with consecutive bits; therefore you
>    can't use proto_tree_add_bits_item().
> 2) You seem to be using a mix of TRUE and FALSE as the endian argument to
>    proto_tree_add_bits_item(), meaning a mix of little and big endian. I
>    don't know if your bytes are little endian or not, but even if the bits
>    were consecutive, until bug 4478 is resolved, tvb_get_bits[16|32|64]() do
>    not support little endian, so you wouldn't be able to use it (yet).
>
> Assuming for the moment that your bytes are big endian and that the URN
> appears as follows:
>
>      Byte 0   Byte 1   Byte 2   Byte 3
>  +-+-------+--------+--------+-------+-+
>  |U|       +       URN(23/24)        | |
>  +-+-------+--------+--------+-------+-+
>
> ... then you can probably do something like the following *COMPLETELY
> UNTESTED* code:
>
>     guint32 urn;
>
>     /* tvb_get_ntoh24() is the big-endian 24-bit accessor */
>     urn = (((guint32)tvb_get_guint8(tvb, offset) << 16) & 0x00800000) |
>           ((tvb_get_ntoh24(tvb, offset + 1) >> 1) & 0x007FFFFF);
>
> ... then add it to the tree using:
>
>     proto_tree_add_item(vmf_sub_tree, hf_vmf_urn, tvb, offset, 4, FALSE);
>
> ... where hf_vmf_urn is declared as something along the lines of:
>
>     {&hf_vmf_urn, {"URN", "vmf.urn", FT_UINT32, BASE_DEC, NULL, 0x80FFFFFE,
>         NULL, HFILL }},
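The split-field extraction discussed in this thread, as an added example that is not part of the original messages or of Wireshark's code: it reads the URN from a raw byte buffer with explicit bounds checks, assuming the big-endian, MSB-first layout of the diagram above. The function names and sample bytes are constructed for illustration, and the generic `get_bits_be` helper goes beyond the single field in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (hypothetical names, not Wireshark API).
 * Assumes big-endian bytes and MSB-first bit numbering, as in the diagram. */

/* Read nbits (1..32) starting at absolute bit offset bit_off.
 * Returns 0 on success, -1 if the field would run past the buffer. */
int get_bits_be(const uint8_t *buf, size_t len, size_t bit_off,
                unsigned nbits, uint32_t *out)
{
    if (nbits == 0 || nbits > 32 || len > SIZE_MAX / 8)
        return -1;
    if (bit_off > len * 8 || nbits > len * 8 - bit_off)
        return -1;                      /* truncated packet: refuse to read */
    uint32_t v = 0;
    for (unsigned i = 0; i < nbits; i++) {
        size_t b = bit_off + i;
        v = (v << 1) | ((buf[b >> 3] >> (7 - (b & 7))) & 1u);
    }
    *out = v;
    return 0;
}

/* Split URN: 1 bit at the top of byte 0, then the upper 23 bits of bytes 1..3. */
int get_split_urn(const uint8_t *buf, size_t len, uint32_t *urn)
{
    uint32_t hi = 0, lo = 0;
    if (get_bits_be(buf, len, 0, 1, &hi) || get_bits_be(buf, len, 8, 23, &lo))
        return -1;
    *urn = (hi << 23) | lo;
    return 0;
}

/* The same value via the shift-and-mask expression quoted above (needs 4 bytes). */
uint32_t urn_shift_mask(const uint8_t *b)
{
    uint32_t be24 = ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
    return (((uint32_t)b[0] << 16) & 0x00800000u) | ((be24 >> 1) & 0x007FFFFFu);
}

int main(void)
{
    const uint8_t pkt[4] = { 0x83, 0x00, 0x00, 0x03 };  /* constructed sample */
    uint32_t urn = 0;
    if (get_split_urn(pkt, sizeof pkt, &urn) == 0)
        printf("URN = 0x%06X\n", (unsigned)urn);
    return 0;
}
```

Inside a dissector the tvb accessors perform the equivalent bounds check themselves; raw-buffer code like this has to do it explicitly.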