Wireshark mailing list archives

Re: Fields offsets & tree hierarchy questions

From: Jeff Morriss <jeff.morriss.ws () gmail com>
Date: Fri, 14 Jul 2017 14:31:37 -0400

On Fri, Jul 14, 2017 at 2:01 PM, Sultan, Hassan via Wireshark-dev <
wireshark-dev () wireshark org> wrote:

-----Original Message-----
From: Wireshark-dev [mailto:wireshark-dev-bounces () wireshark org] On

Behalf

Of Jeff Morriss
Sent: Friday, July 14, 2017 10:49 AM
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] Fields offsets & tree hierarchy questions



On Fri, Jul 14, 2017 at 1:02 PM, Sultan, Hassan via Wireshark-dev

<wireshark-

dev () wireshark org <mailto:wireshark-dev () wireshark org> > wrote:

[...]


      2) When looking at http.file_data(65), the field's offset is 0,

relative to

that field's tvb which contains the decompressed data, is there any way

to get

the position relative to the 'main' tvb representing the whole packet ?

I couldn't

find one but maybe I'm missing something. http.file_data(65) represents
decompressed data so technically not present in the main tvb, but I was
wondering if there was a way to link it to the compressed data field it

represents

(the "text(83)" field)



I don't think so.  Only the HTTP dissector (and a human) know that the

dissector

created a new TVB out of data from the text(83) field.  There's no

linkage (that I

recall) between those 2 TVBs (unlike, say, subset TVBs).


I see. I'm trying to figure out how automation could make the difference
so it can ignore fields like this one that represent the same data as
another field.

One way would be to look for fields that contain an ft_value , though this
would mean some segments of the packet_data would be missing
(http.response.code being an example, there's no field without an ft_value
representing those bytes of the packet), or maybe ignore any field that has
offset 0 without being the top-level field ? It seems a bit hackish though.


Maybe there's a way by comparing proto_node->field_info->ds_tvb?  For such
packets there will be 2 (or more) TVBs.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

Current thread:

Fields offsets & tree hierarchy questions Sultan, Hassan via Wireshark-dev (Jul 14)
- Re: Fields offsets & tree hierarchy questions Sultan, Hassan via Wireshark-dev (Jul 14)
- Re: Fields offsets & tree hierarchy questions Jeff Morriss (Jul 14)
  - Re: Fields offsets & tree hierarchy questions Sultan, Hassan via Wireshark-dev (Jul 14)
    - Re: Fields offsets & tree hierarchy questions Jeff Morriss (Jul 14)
    - Re: Fields offsets & tree hierarchy questions Sultan, Hassan via Wireshark-dev (Jul 14)