Wireshark mailing list archives
Hierarchy of fields & offsets
From: "Sultan, Hassan via Wireshark-dev" <wireshark-dev () wireshark org>
Date: Tue, 25 Jul 2017 22:26:41 +0000
Hi,

Looking at some of the parsed data in my trials, I am seeing odd things such as:

format is: [ftenum] [offset] [name or abbrev] ([length]) : <content, either from the ftvalue or from interpreted raw bytes>

FT_PROTOCOL 66 mysql(9) :
FT_UINT24 66 mysql.packet_length(3) : 5
FT_UINT8 69 mysql.packet_number(1) : 0
FT_NONE 70 mysql.request(1) : 02
FT_UINT8 70 mysql.command(1) : 2
FT_STRING 71 mysql.schema(4) : test

Notice how mysql.command and mysql.schema are in the hierarchy children of mysql.request, however mysql.request's length is only 1 byte.

FT_BYTES 198 smb2.security_blob(120) : 60:76:06:06:2b:06:01:05:05:02:a0:6c:30:6a:a0:3c:30:3a:06:0a:2b:06:01:04:01:82:37:02:02:1e:06:09:2a:86:48:82:f7:12:01:02:02:06:09:2a:86:48:86:f7:12:01:02:02:06:0a:2a:86:48:86:f7:12:01:02:02:03:06:0a:2b:06:01:04:01:82:37:02:02:0a:a3:2a:30:28:a0:26:1b:24:6e:6f:74:5f:64:65:66:69:6e:65:64:5f:69:6e:5f:52:46:43:34:31:37:38:40:70:6c:65:61:73:65:5f:69:67:6e:6f:72:65
FT_UINT32 190 smb2.olb.offset(2) : 0x00000080
FT_UINT32 192 smb2.olb.length(2) : 120
FT_PROTOCOL 198 gss-api(120) :

Notice how smb2.olb.offset & smb2.olb.length are under smb2.security_blob, but their offset starts at 190/192 while smb2.security_blob starts at 198.

This is extremely confusing to say the least and it makes it very hard to interpret the data in an automated manner. Any reason why this is done in this way? I would personally expect a "parent" field to have offset/length that are consistent with its children.

Thanks,

Hassan
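To detect this kind of parent/child mismatch automatically, here is an added example that is not code from the post or from Wireshark: it walks a PDML dissection tree of the shape `tshark -T pdml` emits and reports every child whose byte range is not contained in its parent's. The PDML sample is constructed from the offsets and lengths quoted above; only the PDML attributes `name`, `pos` and `size` are assumed.

```python
# Added example, not code from the original post: walk a PDML dissection tree
# (the `tshark -T pdml` format) and report every child field whose byte range
# is not contained in its parent's. Assumes only the PDML attributes name/pos/size.
import xml.etree.ElementTree as ET

# Constructed PDML reproducing the two hierarchies quoted in the post; offsets
# and lengths are the post's, all other PDML attributes are omitted.
SAMPLE_PDML = """<pdml><packet>
  <proto name="mysql" pos="66" size="9">
    <field name="mysql.packet_length" pos="66" size="3"/>
    <field name="mysql.packet_number" pos="69" size="1"/>
    <field name="mysql.request" pos="70" size="1">
      <field name="mysql.command" pos="70" size="1"/>
      <field name="mysql.schema" pos="71" size="4"/>
    </field>
  </proto>
  <field name="smb2.security_blob" pos="198" size="120">
    <field name="smb2.olb.offset" pos="190" size="2"/>
    <field name="smb2.olb.length" pos="192" size="2"/>
    <proto name="gss-api" pos="198" size="120"/>
  </field>
</packet></pdml>"""


def byte_span(elem):
    """Half-open byte range [start, end) of a <proto> or <field> element."""
    pos, size = int(elem.get("pos")), int(elem.get("size"))
    return pos, pos + size


def find_escapes(root):
    """Return (parent, child, parent_span, child_span) for each escaping child."""
    escapes = []
    for parent in root.iter():
        if parent.get("pos") is None:
            continue  # <pdml> and <packet> carry no byte range of their own
        p_start, p_end = byte_span(parent)
        for child in parent:
            if child.get("pos") is None:
                continue
            c_start, c_end = byte_span(child)
            if c_start < p_start or c_end > p_end:
                escapes.append((parent.get("name"), child.get("name"),
                                (p_start, p_end), (c_start, c_end)))
    return escapes


def check_pdml(text):
    """Parse a PDML document and list its containment violations in tree order."""
    return find_escapes(ET.fromstring(text))
```

Run against the sample it flags mysql.schema under mysql.request and both smb2.olb.* fields under smb2.security_blob, which is exactly the set of anomalies the post describes; any consumer that walks the tree should treat a child's own pos/size as authoritative rather than deriving it from the parent.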