This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to use tvb_new_subset


I have a packet as A:12 bytes, B:20 bytes. C:16 bytes

In the dissector for B the whole tvb gets passed, i.e. A, B, C. Now dissector for B calls dissector for C. C also handles the dissection of A. So in dissector B how will I use the tvb_new_subset?

Currently all I am seeing are examples like tvb_new_subset(tvb, 20, -1, -1)

But that would remove 12 bytes of A and 8 bytes of B. I want to remove 20 bytes of B only and pass it to C.

asked 12 Oct '15, 21:54


samprit

edited 12 Oct '15, 23:28


One Answer:


> I have a packet as A:12 bytes, B:20 bytes. C:16 bytes

I.e., there's a 12-byte header for protocol A, followed by 36 bytes of payload for A, with the 36 bytes of payload for A having 20 bytes of header for B and 16 bytes of payload for B, and with the 16 bytes of payload for B being a packet for C?

> In the dissector for B the whole tvb gets passed i.e. A, B, C.

That's not how it's supposed to work. The dissector for A is supposed to dissect the 12-byte header, and then use tvb_new_subset_remaining(tvb, 12) to get a tvbuff for the payload for A, and pass that to the dissector for B.

> Now dissector for B calls dissector for C.

And it should then dissect the header for B, and then use tvb_new_subset_remaining(tvb, 20), where tvb here is the tvbuff handed to the dissector for B, to get a tvbuff for the payload for B, and pass that to the dissector for C.

> C also handles the dissection of A.

That's not how it's supposed to work. Why cannot the dissector for A handle that?

answered 13 Oct '15, 01:54


Guy Harris ♦♦

Actually there is no dissector for A. The dissector for A is being handled in the dissector for C. So I wanted to remove the 20 bytes of B and pass it to C. Is there a way to remove the middle data from tvbuff?

(13 Oct '15, 01:57) samprit

> Is there a way to remove the middle data from tvbuff?

No. Try not handling the dissector for A in the dissector for C, instead.

(13 Oct '15, 02:09) Guy Harris ♦♦

...Or handle dissection of C in the dissector of A... Then all you have to do is create a tvb subset of B and hand that off to the dissector for B.

(13 Oct '15, 06:06) Jaap ♦
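An added example, not part of the original thread and not Wireshark code: a self-contained C model of the layering the answer describes, where each dissector strips only its own header and a truncated packet is rejected instead of read past its end. `view_t`, `result_t`, `subset_remaining` and the `dissect_*` functions are hypothetical stand-ins for a tvbuff, `tvb_new_subset_remaining` and real dissectors.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-in for a tvbuff: a bounds-checked window onto packet bytes. */
typedef struct { const uint8_t *data; size_t len; } view_t;
typedef struct { size_t c_len; uint8_t c_first; } result_t;
enum { A_HDR_LEN = 12, B_HDR_LEN = 20 };  /* header sizes from the question */

/* Models tvb_new_subset_remaining(tvb, offset). Returns -1 when offset is past
 * the end; the real API raises a bounds exception there instead. */
static int subset_remaining(const view_t *parent, size_t offset, view_t *out)
{
    if (offset > parent->len)
        return -1;
    out->data = parent->data + offset;
    out->len = parent->len - offset;
    return 0;
}

/* C sees only its own bytes; its offset 0 is byte 32 of the whole packet. */
static int dissect_c(const view_t *tvb, result_t *r)
{
    r->c_len = tvb->len;
    r->c_first = tvb->len ? tvb->data[0] : 0;
    return 0;
}

/* B is handed A's payload, so B's header occupies offsets 0..19 of its tvb. */
static int dissect_b(const view_t *tvb, result_t *r)
{
    view_t payload;
    if (subset_remaining(tvb, B_HDR_LEN, &payload) != 0)
        return -1;  /* truncated: B's 20-byte header is incomplete */
    return dissect_c(&payload, r);
}

/* A consumes its 12-byte header and passes everything after it to B. */
static int dissect_a(const view_t *tvb, result_t *r)
{
    view_t payload;
    if (subset_remaining(tvb, A_HDR_LEN, &payload) != 0)
        return -1;  /* truncated: A's 12-byte header is incomplete */
    return dissect_b(&payload, r);
}
```

Each subset is one contiguous window onto its parent, which is why offsets in B and C are relative to the tvbuff each was handed and not to the start of the packet.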