Wireshark mailing list archives
Re: Index of multiple protocol frames in one packet?
From: Anders Broman <anders.broman () ericsson com>
Date: Mon, 12 Oct 2015 16:31:38 +0000
From: wireshark-dev-bounces () wireshark org [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Pascal Quantin
Sent: 12 October 2015 17:43
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Index of multiple protocol frames in one packet?

2015-10-12 17:35 GMT+02:00 Jeff Morriss <jeff.morriss.ws () gmail com>:

On 10/06/15 02:17, Pascal Quantin wrote:

2015-10-06 8:07 GMT+02:00 Petr Gotthard <petr.gotthard () centrum cz>:

Hello,

Is there a way to distinguish multiple frames of the same protocol in one TCP/IP packet? I have several small AMQP frames which all fit into a single IP frame, so they share a single packet_info structure. When I call p_add_proto_data() for the second AMQP frame, it (obviously) overwrites data stored for the first frame, so I need to distinguish between them somehow.

Is there a counter that would tell me "this is a third AMQP frame in this pinfo"? I found packet_info->curr_layer_num, but this is useful for nested frames (like IP in IP). Is there something similar for grouped frames, please?

Hi Peter,

I'm not sure we have such a counter, but https://code.wireshark.org/review/#/c/10579/ suggested the use of tvb_raw_offset as key for p_(add|get)_proto_data() functions, which seems a good tradeoff.

Actually there is such a counter in frame_data: subnum. But it's not widely used: for now it's only used in EPL, RRC, and UMTS_FP.

Thanks for the hint Jeff (I did not know this one). It appears that frame_data.c is only setting it to 0, and that the increment needs to be handled directly by dissectors. So it means that for wider usage, the (tcp|udp)_dissect_pdus() function (among others) should be modified so as to increment it when calling a new subdissector.

Cheers,
Pascal.

pinfo->curr_layer_num is supposed to handle it, I think, but the problem may be to have the TCP/UDP/?/ dissector call the same dissector again if the complete tvb wasn’t used. If the dissector itself is looping over the data, it should probably use call_dissector() or something rather than do an internal loop.

Regards
Anders
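
The keying approach suggested in the thread, as an added example that is not part of any post or of Wireshark's code: a self-contained C model in which `pkt_store`, `store_add()` and `store_get()` are hypothetical stand-ins for the per-packet store behind p_add_proto_data()/p_get_proto_data(), and the frame layout is constructed, not AMQP. A fixed key leaves only the last frame's data retrievable, while keying on each frame's start offset (the role tvb_raw_offset plays in the suggestion) keeps all three.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for the per-packet store behind
 * p_add_proto_data()/p_get_proto_data(): one value per (proto, key). */
#define MAX_ENTRIES 16
struct entry { int proto; uint32_t key; int value; };
struct pkt_store { struct entry e[MAX_ENTRIES]; size_t n; };

static void store_add(struct pkt_store *s, int proto, uint32_t key, int value)
{
    for (size_t i = 0; i < s->n; i++)
        if (s->e[i].proto == proto && s->e[i].key == key) {
            s->e[i].value = value;   /* same key: the earlier frame's data is lost */
            return;
        }
    if (s->n < MAX_ENTRIES)
        s->e[s->n++] = (struct entry){ proto, key, value };
}

static int store_get(const struct pkt_store *s, int proto, uint32_t key, int *out)
{
    for (size_t i = 0; i < s->n; i++)
        if (s->e[i].proto == proto && s->e[i].key == key) {
            *out = s->e[i].value;
            return 1;
        }
    return 0;
}

/* Constructed segment: three frames, each [1-byte length][1-byte channel][payload]. */
static const uint8_t segment[] = { 3, 7, 0xAA, 0xBB, 0xCC,  1, 9, 0xDD,  2, 4, 0xEE, 0xFF };

/* Walk the frames and store each frame's channel. With key_by_offset == 0 every
 * frame uses key 0; otherwise the key is the frame's start offset in the segment.
 * Returns the number of distinct entries left in the store. */
size_t dissect_segment(struct pkt_store *s, int proto, int key_by_offset)
{
    size_t off = 0;
    s->n = 0;
    while (off + 2 <= sizeof segment) {
        size_t len = segment[off];
        if (off + 2 + len > sizeof segment)
            break;                   /* truncated frame: stop instead of reading past the end */
        store_add(s, proto, key_by_offset ? (uint32_t)off : 0, segment[off + 1]);
        off += 2 + len;
    }
    return s->n;
}
```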