This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Constructing new tvbuff from other data

0

Can anyone suggest any examples of dissectors that combine two tvbs together? I need to remove some unwanted data before processing. Also, if I remove the unwanted data from the tvb and pass that off to, say, the eth dissector for further processing, would the "Packet Bytes" window be updated with the new tvb, or will it display the previous one?

asked 16 Feb '13, 17:31

StealthUE
667713
accept rate: 100%

edited 16 Feb '13, 20:37

Guy Harris ♦♦
17.4k335196

Combining two tvbuffs doesn't remove data in and of itself.

Do you mean "taking some data from one tvbuff and some data from another tvbuff, and combining them into a third tvbuff"?

Or do you mean "taking one tvbuff, removing some data from it, and putting that into another tvbuff"?

(16 Feb '13, 19:19) Guy Harris ♦♦

taking one tvbuff, removing some data from it, and putting that into another tvbuff

(16 Feb '13, 19:50) StealthUE

So are you removing data from the middle of a tvbuff, or just from the beginning or the end?

(16 Feb '13, 20:38) Guy Harris ♦♦

The data I'm removing will be in the middle of the tvbuff

(16 Feb '13, 20:57) StealthUE

Hi @guy-harris, above you've asked if the question is "taking some data from one tvbuff and some data from another tvbuff, and combining them into a third tvbuff".

Actually, that is exactly the question I'm looking for an answer to. (The only question I've posted, a few minutes ago.)

Could you please give an idea inside that post?

(16 May '13, 01:53) barisalis

@barisalis, see my answer in your question

(16 May '13, 02:10) SYN-bit ♦♦

2 Answers:

1

Figured it out. When returning the new_tvb I was trying to pass it back into the original tvb, e.g. tvb = escCharRemove(tvb, pinfo, len, esccharcount); which was causing it to crash. It needed to be passed into another tvbuff.

answered 18 Feb '13, 19:21

StealthUE
667713
accept rate: 100%

1

Although complicated by various other aspects of the protocol, the DNP3 dissector handles something along these lines, as Application Layer (AL) messages have a 16-bit CRC every 16 bytes (chunk). The dissector takes the chunks, checks the CRC, and if OK adds them to a new tvb.

Have a look at the code following the comment /* extract the application layer data, validating the CRCs */, where tmp is the temporary buffer, tmp_ptr points into it, and each chunk is memcpy()'d into it. After all the chunks have been added, and if all the CRCs are OK, a new tvb (al_tvb) is created containing the tmp buffer (using tvb_new_child_real_data).

As AL messages can be fragmented over many TCP or UDP packets, these tvbs are reassembled by the fragmentation code, and eventually end up in next_tvb. A separate hex pane window is created for this tvb using add_new_data_source, and then the tvb is passed to the AL dissector in the call dissect_dnp3_al().

answered 17 Feb '13, 01:41

grahamb ♦
19.8k330206
accept rate: 22%

Thanks. I'll have a look through it.

(17 Feb '13, 14:58) StealthUE

Need help! I've posted the code I have so far as the next answer because I couldn't fit it in as a comment.

This is what I'm trying to achieve:

data in: xx xx xx xx FE FF xx xx
data out: xx xx xx xx FF xx xx

(17 Feb '13, 18:33) StealthUE

    static tvbuff_t* escCharRemove(tvbuff_t *tvb, packet_info *pinfo, guint data_len)
    {
        tvbuff_t *new_tvb;
        int i;
        guint8 *tmp, *tmp_ptr;
        const guint8 *chk_ptr;
        int tmplen;

        tmp = g_malloc(data_len);
        tmp_ptr = tmp;

        tmplen = tvb_length(tvb)-1;
        for(i=0; i<tmplen; i+=2)
        {
            if (tvb_get_guint8(tvb,i) == 0xFE && (tvb_get_guint8(tvb,i+1) == 0xFF || tvb_get_guint8(tvb,i+1) == 0xFE))
            {
                chk_ptr  = tvb_get_ptr(tvb, 0, i-1);
                memcpy(tmp_ptr, chk_ptr, i-1);
                tmp_ptr += i-1;
                chk_ptr  = tvb_get_ptr(tvb, i+1, tvb_length(tvb));
                memcpy(tmp_ptr, chk_ptr, tvb_length(tvb) - (i + 1));
                tmp_ptr += tvb_length(tvb) - (i + 1);
            }
        }
        new_tvb = tvb_new_child_real_data(tvb, tmp, (guint) (tmp_ptr-tmp), (gint) (tmp_ptr-tmp));
        tvb_set_free_cb(new_tvb, g_free);

        add_new_data_source(pinfo, new_tvb, "New message");
        free(tmp_ptr);

        return new_tvb;
    }

(17 Feb ‘13, 18:33) StealthUE

data in: xx xx xx xx FE FF xx xx
data out: xx xx xx xx FF xx xx

Wireshark just crashes. I'm guessing I'm accessing an illegal part of memory, but I'm unable to find the error. Any help on this would be greatly appreciated, as I'm stuck.

(17 Feb ‘13, 22:19) StealthUE

len is equal to the length of the data without the extra bytes and esccharcount is the amount of extra bytes

    static tvbuff_t* escCharRemove(tvbuff_t *tvb, packet_info *pinfo, gint len, gint esccharcount) /*Removes the extra FE bytes of data*/
    {
        tvbuff_t *new_tvb;
        int offset = 0;
        int i;
        guint8 *tmp, *tmp_ptr;
        const guint8 *chk_ptr;
        gint totlen;

        totlen = len + esccharcount;
        tmp = g_malloc(len);
        tmp_ptr = tmp;

        for(i=0; i<totlen; i++)
        {
            if (tvb_get_guint8(tvb,i) == 0xFE && (tvb_get_guint8(tvb,i+1) == 0xFF || tvb_get_guint8(tvb,i+1) == 0xFE))
            {
                chk_ptr  = tvb_get_ptr(tvb, offset, i-1);
                memcpy(tmp_ptr, chk_ptr, i-1);
                tmp_ptr += i;
                offset = i + 1;
            }
        }
        new_tvb = tvb_new_child_real_data(tvb, tmp, (guint) (tmp_ptr-tmp), (gint) (tmp_ptr-tmp));
        tvb_set_free_cb(new_tvb, g_free);

        add_new_data_source(pinfo, new_tvb, "New message");

        return new_tvb;
    }

It's still giving me problems… deforming packets, crashing Wireshark and displaying a memory map in the terminal.

(18 Feb ‘13, 14:50) StealthUE

I adjusted the size I was using in g_malloc to g_malloc(len * sizeof(int)) and now I'm not getting memory issues, but every packet that contains the extra data becomes malformed and the extra data is still displayed in the “Packet Bytes” window.

(18 Feb ‘13, 15:36) StealthUE
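
An added example, not code from this thread or from Wireshark: the FE-escape removal the comments above attempt, written as a single bounds-checked pass into a fresh buffer. It assumes the rule implied by the posted sample (an FE directly before FE or FF is dropped, any other FE is kept); `esc_remove` is a hypothetical name, the input bytes are constructed, and the dissector glue in the comment uses only calls that appear in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ESC 0xFE  /* escape byte, from the thread's "FE FF -> FF" sample */

/* Copy in[0..in_len) to out, dropping each ESC that precedes 0xFE or 0xFF.
 * Returns the number of bytes written, or (size_t)-1 if out is too small.
 * Output is never longer than input, so out_cap == in_len always suffices. */
size_t esc_remove(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t i = 0, o = 0;

    while (i < in_len) {
        /* Look at in[i+1] only when it exists: no read past the end. */
        if (in[i] == ESC && i + 1 < in_len &&
            (in[i + 1] == 0xFE || in[i + 1] == 0xFF))
            i++;                      /* skip the escape, keep the next byte */
        if (o >= out_cap)
            return (size_t)-1;        /* refuse to write past the buffer */
        out[o++] = in[i++];
    }
    return o;
}

/* Dissector glue (sketch, assuming the 2013-era API used in the thread):
 *   guint   n_in = tvb_length(tvb);
 *   guint8 *tmp  = g_malloc(n_in);      // sized from the tvb, not a caller guess
 *   size_t  n    = esc_remove(tvb_get_ptr(tvb, 0, n_in), n_in, tmp, n_in);
 *   tvbuff_t *new_tvb = tvb_new_child_real_data(tvb, tmp, (guint)n, (gint)n);
 *   tvb_set_free_cb(new_tvb, g_free);   // the tvb frees tmp: no free() here
 *   add_new_data_source(pinfo, new_tvb, "Unescaped data");
 *   // keep new_tvb in its own variable, as the asker's answer describes
 */

int main(void)
{
    /* Constructed sample matching "xx xx xx xx FE FF xx xx" from the thread. */
    const uint8_t in[] = {0x01, 0x02, 0x03, 0x04, 0xFE, 0xFF, 0x05, 0x06};
    uint8_t out[sizeof in];
    size_t n = esc_remove(in, sizeof in, out, sizeof out);

    for (size_t k = 0; k < n; k++)
        printf("%02X ", out[k]);
    printf("(%zu bytes)\n", n);
    return 0;
}
```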