Wireshark mailing list archives

Re: Fields offsets & tree hierarchy questions


From: "Sultan, Hassan via Wireshark-dev" <wireshark-dev () wireshark org>
Date: Fri, 14 Jul 2017 17:09:40 +0000

Never mind the last question, that was me being dumb and fooled by the offset. They actually are under the http tree.

-----Original Message-----
From: Wireshark-dev [mailto:wireshark-dev-bounces () wireshark org] On Behalf
Of Sultan, Hassan via Wireshark-dev
Sent: Friday, July 14, 2017 10:03 AM
To: wireshark-dev () wireshark org
Cc: Sultan, Hassan <sultah () amazon com>
Subject: [Wireshark-dev] Fields offsets & tree hierarchy questions

Hi everyone,

Sorry to bother you with what might be beginner questions but... well... I'm a beginner
:)

In my quest to understand how Wireshark's parsing engine works, I've written a
small wrapper that iterates through all parsed fields and displays them in the
following format:

[offset] [abbrev]([length]) : [value, which might be either my interpretation of
the bytes on the wire according to type/encoding info for the types I currently
support, or the ft_value of the field if it is present]

And for some packets I am getting:

66 http(319) :
        66 text(17) : 485454502F312E3120323030204F4B0D0A
                66 http.request.version(8) : HTTP/1.1
                75 http.response.code(3) : 200
                79 http.response.phrase(2) : OK
        83 http.response.line(44) : Access-Control-Allow-Headers: content-type

        127 http.response.line(32) : Access-Control-Allow-Origin: *

        159 http.content_encoding(24) : gzip
        183 http.content_type(32) : application/json
        215 http.date(37) : Thu, 13 Jul 2017 23:07:22 GMT
        252 http.server(19) : openresty
        271 http.response.line(23) : Vary: Accept-Encoding

        294 http.response.line(16) : X-Cache-Hit: 0

        310 http.response.line(29) : X-Frame-Options: SAMEORIGIN

        339 http.content_length_header(20) : 83
        359 http.connection(24) : keep-alive
        383 text(2) : 0D0A
        385 text(83) :
1F8B080000000000000305C1C10E80200800D07FE11C5B5349F2671A226E5D25
4EAD7FEFBD17C26D5DF7800647B72A3A0B4AE689599490B9EE483258E5A4222
9C1061EAAE60EED5961DF0FC6434ECF41000000
        0 http.file_data(65) : {"user_id":"6be7acf4-a38f-3ac5-8870-
5ad8ca954a22","success":true}
0 json(65) :
        0 json.object(65) :
0E1827559C340E664E8DFFAE0800450001C6999B4000EA06847F364D8BBFAC1F
02EB0050D864F3E601114594EC358018007DEF2500000101080A46DA716F0405
41
                1 json.member(48) :
1827559C340E664E8DFFAE0800450001C6999B4000EA06847F364D8BBFAC1F02
EB0050D864F3E601114594EC35801800
                        11 json.value.string(38) : 6be7acf4-a38f-3ac5-8870-5ad8ca954a22
                        1 json.key(9) : user_id
                50 json.member(14) : EF2500000101080A46DA716F0405
                        60 json.value.true(4) : 716F0405
                        50 json.key(9) : success

Which brings the following questions:

1) Am I right to assume there is absolutely no guarantee about the order of
fields reported by proto_tree_children_foreach with regard to offset within the
same tvb? I'm looking at the json fields and the offsets of sub-fields are not
ordered. I guess the order is the order in which the fields were added to the
tree?
2) When looking at http.file_data(65), the field's offset is 0, relative to that
field's tvb, which contains the decompressed data. Is there any way to get the
position relative to the 'main' tvb representing the whole packet? I couldn't find
one, but maybe I'm missing something. http.file_data(65) represents
decompressed data, so technically it is not present in the main tvb, but I was
wondering if there was a way to link it to the compressed data field it represents
(the "text(83)" field).
3) I'm curious to know why the "text(83)" and "json.object(65)" fields are
not under the http tree; that's where I would have expected them to be.

Thanks for your help,

Hassan
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
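An added example, not from the post or from Wireshark's own source: it parses the wrapper's `[offset] [abbrev]([length]) : [value]` output shown above, rebuilds the tree from the indentation, re-sorts siblings by offset (since a proto_tree holds fields in the order they were added), and flags fields whose byte range does not fit inside their parent's, which is what a field whose offset is relative to another tvb (the decompressed `http.file_data`) looks like. The input is a constructed excerpt of the output quoted in the post.

```python
import re

# Constructed excerpt of the wrapper output quoted in the post (8-space indents,
# wrapped hex dumps left out since those lines carry no offset or length).
SAMPLE = """\
66 http(319) :
        66 text(17) : 485454502F312E3120323030204F4B0D0A
                66 http.request.version(8) : HTTP/1.1
        0 http.file_data(65) : {"user_id":"6be7acf4-a38f-3ac5-8870-5ad8ca954a22","success":true}
0 json(65) :
        0 json.object(65) :
                1 json.member(48) :
                        11 json.value.string(38) : 6be7acf4-a38f-3ac5-8870-5ad8ca954a22
                        1 json.key(9) : user_id
                50 json.member(14) : EF2500000101080A46DA716F0405
                        60 json.value.true(4) : 716F0405
                        50 json.key(9) : success
"""

LINE_RE = re.compile(r"^(\s*)(\d+) (\S+)\((\d+)\) :\s?(.*)$")

def parse_tree(text):
    """Rebuild the field hierarchy from indentation; returns the root nodes."""
    roots, stack = [], []  # (indent, node) pairs from the root down to the current parent
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or the wrapped continuation of a value
        node = {"offset": int(m.group(2)), "abbrev": m.group(3),
                "length": int(m.group(4)), "value": m.group(5), "children": []}
        indent = len(m.group(1))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        (stack[-1][1]["children"] if stack else roots).append(node)
        stack.append((indent, node))
    return roots

def sort_by_offset(nodes):
    """Reorder siblings by offset: proto_tree order is insertion order, not wire order."""
    return [dict(n, children=sort_by_offset(n["children"]))
            for n in sorted(nodes, key=lambda n: n["offset"])]

def foreign_offsets(nodes, parent=None):
    """Abbrevs of fields whose byte range is not inside their parent's (offset in another tvb)."""
    bad = []
    for n in nodes:
        if parent and not (parent["offset"] <= n["offset"] and
                           n["offset"] + n["length"] <= parent["offset"] + parent["length"]):
            bad.append(n["abbrev"])
        bad.extend(foreign_offsets(n["children"], n))
    return bad
```

Sorting by offset only makes sense among fields of the same data source, so run `foreign_offsets` first and treat anything it reports as living in a different tvb.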