Wireshark-dev: Re: [Wireshark-dev] Extract bytes from a tvbuff_t
Date: Sun, 26 May 2013 12:28:46 -0600
I did some digging into how the WireShark UI exports things and found a better way to write to disk:

guint8* ExtractedBytes;
int fp;

fp = ws_open("c:\\test.der", O_WRONLY|O_CREAT|O_TRUNC|O_BINARY, 0777);
ExtractedBytes = (guint8*)ep_tvb_memdup(tvb, offset, cert_length);
ws_write(fp, ExtractedBytes, cert_length);
ws_close(fp);

Now that I use ws_open and ws_write the bytes written to the disk match exactly with what I see in the UI.

Thanks,
Rion

On 2013-05-26 09:29, rion@xxxxxxxxxx wrote:
I found that this gives me the exact number of bytes I'm looking for:

fwrite(tvb, tvb_length(tvb), 1, fp);

Unfortunately, when I check the resulting file in a hex editor the
bytes don't match up with what I see in the WireShark UI.

In the UI I see (Partial):

16 03 01 00 39 02 00 00 35 03 01 51 a2 28 a1 19 75 ae ac 53 4f 36 a8 81 62 48

In the File I see (Partial):

f0 a5 05 05 d0 6b fa 04 01 00 00 00 01 00 00 00 00 00 00 00 70 6e fa 04 d0 6b

I checked the end of the file to see if the bytes were 'backwards'
and they are not. I'm not quite sure what to do now- am I missing
something obvious?

Rion

On 2013-05-25 21:58, Rion Carter wrote:
Thank you! I've been in C# for too many years. I'll try that when I
get back to my desk.
Rion
Sent from my BlackBerry 10 smartphone.
FROM: ronnie sahlberg
SENT: Saturday, May 25, 2013 15:12 PM
TO: Developer support list for Wireshark
REPLY TO: Developer support list for Wireshark
SUBJECT: Re: [Wireshark-dev] Extract bytes from a tvbuff_t
fwrite(extracted, sizeof(extracted), 1, file)
extracted is a pointer so sizeof(extracted) is the size of pointers on
your platform. Often 4 on 32-bit platforms and 8 on 64-bit.
You need something like this :
fwrite(extracted, tvb_get_length(tvb, 0), 1, file)
On Sat, May 25, 2013 at 1:42 PM, Rion Carter <rion@xxxxxxxxxx> wrote:
Hi,
I'm trying to extract raw bytes from a tvbuff_t and am not having much luck. As a simple test I have code which tries to extract the bytes and write it to a file. When I compile and run I get an output file with only 4 bytes in
it when I know there is more (extracting certificates).
Here is what I've got. Any help is appreciated:
guint8* extracted = (guint8*)ep_tvb_memdup(tvb, 0, -1);
fwrite(extracted, size of extracted), 1, file);
It's been awhile since I used c file io, and I'm pretty new to Wireshark dev. I may be missing obvious or going about this in the wrong fashion.
Rion
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe