Wireshark-dev: Re: [Wireshark-dev] dissecting bit
From: Brian Oleksa <oleksab@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 18 May 2011 14:55:25 -0400
Chris,

Thanks for the reply. It is good to know not to waste my time anymore with the proto_tree_add_bits_item().

I am looking for a starting point now. Knowing that all my bytes are little endian.... what would be the best way to start dissecting my bytes..??

I have done this thus far: (I am heading in the right direction since I cannot use proto_tree_add_bits_item)...?? As you can see.... I am basically telling each field where the bits are located. But what happens when I come across a field that is variable length..??

Any help is greatly appreciated.

    //Version
    proto_tree_add_item(vmf_sub_tree, hf_vmf_version, tvb, offset, 1, FALSE);

    //FPI
    fpi = tvb_get_bits8(tvb, bit_offset, 1);
    proto_tree_add_item(vmf_sub_tree, hf_vmf_fpi, tvb, offset, 1, FALSE);
    if(fpi == 1)
    {
        //Data Compression type
        proto_tree_add_item(vmf_sub_tree, hf_vmf_datacompressiontype, tvb, offset, 1, FALSE);
    }

    //GPI
    gpi = tvb_get_bits8(tvb, bit_offset, 1);
    proto_tree_add_item(vmf_sub_tree, hf_vmf_gpi, tvb, offset, 1, FALSE);

    { &hf_vmf_version,
        { "Version", "vmf.version", FT_UINT8, BASE_DEC, NULL, 0x0f, NULL, HFILL}},
    { &hf_vmf_fpi,
        { "FPI", "vmf.fpi", FT_UINT8, BASE_DEC, NULL, 0x10, NULL, HFILL}},
    { &hf_vmf_gpi,
        { "GPI", "vmf.gpi", FT_UINT8, BASE_DEC, NULL, 0x80, NULL, HFILL}},

Thanks,
Brian

On 5/18/2011 11:06 AM, Chris Maynard wrote:
> Brian Oleksa <oleksab@...> writes:
>
>> I am trying to dissect bits but am running into a problem when bytes start to overlap (meaning the bit sets are not multiples of 8)
>>
>> For example:
>>
>>     .... 0011
>>     ...0 ....
>>     ..1. ....
>>     .1.. ....
>>
>> *The above 7 bits are being used. Now I need the next 24 bits for the next field. How do I get that last bit in the first octet and add it to the next 23 bits....????*
>>
>> Below is all of my current code base and screen shots. Also attached is the layout of the packet:
>>
>> Any help is greatly appreciated.
>
> A couple of things:
>
> 1) tvb_get_bits[16|32|64]() only work with consecutive bits; therefore you can't use proto_tree_add_bits_item().
>
> 2) You seem to be using a mix of TRUE and FALSE as the endian argument to proto_tree_add_bits_item(), meaning a mix of little and big endian. I don't know if your bytes are little endian or not, but even if the bits were consecutive, until bug 4478 is resolved, tvb_get_bits[16|32|64]() do not support little endian, so you wouldn't be able to use it (yet).
>
> Assuming for the moment that your bytes are big endian and that the URN appears as follows:
>
>       Byte 0   Byte 1   Byte 2   Byte 3
>     +-+-------+--------+--------+-------+-+
>     |U|       +       URN(23/24)        | |
>     +-+-------+--------+--------+-------+-+
>
> ... then you can probably do something like the following *COMPLETELY UNTESTED* code:
>
>     guint32 urn;
>
>     urn = (((guint32)tvb_get_guint8(tvb, offset) << 16) & 0x00800000) |
>           ((tvb_get_guint24(tvb, offset + 1) >> 1) & 0x007FFFFF);
>
> ... then add it to the tree using:
>
>     proto_tree_add_item(vmf_sub_tree, hf_vmf_urn, tvb, offset, 4, FALSE);
>
> ... where hf_vmf_urn is declared as something along the lines of:
>
>     {&hf_vmf_urn, {"URN", "vmf.urn", FT_UINT32, BASE_DEC, NULL, 0x80FFFFFE,
>         NULL, HFILL }},
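
Added example (not from the original thread and not Wireshark code): a stand-alone C bit cursor that reads fields LSB-first across byte boundaries and reads an optional field only when its presence bit is set, with a bounds check so truncated input fails instead of reading past the buffer. The field order and widths, the helper names and the sample bytes are assumptions made for illustration, not the real VMF header layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit cursor over a captured buffer (hypothetical helper, not Wireshark API). */
typedef struct {
    const uint8_t *buf;
    size_t len_bits;  /* total bits available */
    size_t pos;       /* next bit to read; bit 0 is mask 0x01 of byte 0 */
    int err;          /* sticky: set once a read would pass the end */
} bitcur;

/* Read n (1..32) bits LSB-first; the first bit consumed is result bit 0. */
static uint32_t get_bits_lsb(bitcur *c, unsigned n)
{
    uint32_t v = 0;
    if (c->err || n == 0 || n > 32 || n > c->len_bits - c->pos) {
        c->err = 1;
        return 0;
    }
    for (unsigned i = 0; i < n; i++, c->pos++)
        v |= (uint32_t)((c->buf[c->pos >> 3] >> (c->pos & 7)) & 1u) << i;
    return v;
}

typedef struct { uint32_t version, fpi, compression, gpi, urn; } hdr;
/* Assumed layout: version(4) FPI(1) [compression(2) if FPI] GPI(1)
 * [URN(24) if GPI]. Returns 0 on success, -1 if the buffer is too short. */
static int parse_hdr(const uint8_t *buf, size_t len, hdr *h)
{
    bitcur c = { buf, len * 8, 0, 0 };
    h->version     = get_bits_lsb(&c, 4);
    h->fpi         = get_bits_lsb(&c, 1);
    h->compression = h->fpi ? get_bits_lsb(&c, 2) : 0;
    h->gpi         = get_bits_lsb(&c, 1);
    h->urn         = h->gpi ? get_bits_lsb(&c, 24) : 0;
    return c.err ? -1 : 0;
}

/* Constructed samples: FPI clear (URN starts at bit 6), FPI set (bit 8). */
static const uint8_t SAMPLE_A[] = { 0xE3, 0x7B, 0xF3, 0x2A };
static const uint8_t SAMPLE_B[] = { 0xD3, 0xEF, 0xCD, 0xAB };

int main(void)
{
    hdr h;
    int rc = parse_hdr(SAMPLE_A, sizeof SAMPLE_A, &h);
    printf("rc=%d version=%u urn=0x%06X\n", rc, (unsigned)h.version, (unsigned)h.urn);
    return rc == 0 ? 0 : 1;
}
```

Both samples decode to the same URN even though it starts at a different bit position in each, which is the effect a presence indicator has on every field that follows it.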