This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dissecting structs in messages.

Hi, I am building a protocol that is dissecting message traffic in our system. Now it's a flat solution, but as several messages share structs here and there, I try to extract these to standalone dissectors. The problem I receive is that the headers need to be intact for the array_length to work. It does not include the subpart.

This is the default header.

static hf_register_info hf_af_guictrl_FunctionInformationChange_Ind[] =
{
  {
    &hf_af_guictrl_FuInCh_InFu_Gu11,
    {
      "guifunction", "guictrl.functioninformationchangeind.functionstate.guifunction",
      FT_UINT16, BASE_DEC, VALS(GuiCtrlFunction_type_name), 0x0,
      NULL, HFILL
    }
  },
  {
    &hf_af_guictrl_FuInCh_InFu_Ac12,
    {
      "accesslevel", "guictrl.functioninformationchangeind.functionstate.accesslevel",
      FT_UINT8, BASE_DEC, VALS(GuiCtrlAccessLevel_type_name), 0x0,
      NULL, HFILL
    }
  },
  {
    &hf_af_guictrl_FuInCh_InFuBu_Co131,
    {
      "button.component", "guictrl.functioninformationchangeind.functionstate.button.component",
      FT_UINT32, BASE_DEC, VALS(AFComponentID_type_name), 0x0,
      NULL, HFILL
    }
  },
  {
    &hf_af_guictrl_FuInCh_InFuBu_St132,
    {
      "button.state", "guictrl.functioninformationchangeind.functionstate.button.state",
      FT_UINT32, BASE_DEC, VALS(GUICTRL_BUTTON_STATE_type_name), 0x0,
      NULL, HFILL
    }
  },
  {
    &hf_af_guictrl_FuInCh_InFuBu_Co133,
    {
      "button.control", "guictrl.functioninformationchangeind.functionstate.button.control",
      FT_UINT32, BASE_DEC, VALS(GUICTRL_BUTTON_CONTROL_STATE_type_name), 0x0,
      NULL, HFILL
    }
  },
  {
    &hf_af_guictrl_FuInCh_InFuTo_Co141,
    {
      "toggle.component", "guictrl.functioninformationchangeind.functionstate.toggle.component",
      FT_UINT32, BASE_DEC, VALS(AFComponentID_type_name), 0x0,
      NULL, HFILL
    }
  },
  {
    &hf_af_guictrl_FuInCh_InFuTo_St142,
    {
      "toggle.state", "guictrl.functioninformationchangeind.functionstate.toggle.state",
      FT_UINT32, BASE_DEC, VALS(GUICTRL_TOGGLE_STATE_type_name), 0x0,
      NULL, HFILL
    }
  },
  {
    &hf_af_guictrl_FuInCh_InFuTo_Co143,
    {
      "toggle.control", "guictrl.functioninformationchangeind.functionstate.toggle.control",
      FT_UINT32, BASE_DEC, VALS(GUICTRL_BUTTON_CONTROL_STATE_type_name), 0x0,
      NULL, HFILL
    }
  },
  {
    &hf_af_guictrl_FuInCh_InFu_Co15,
    {
      "controlledbyfunction", "guictrl.functioninformationchangeind.functionstate.controlledbyfunction",
      FT_UINT16, BASE_DEC, VALS(GuiCtrlFunction_type_name), 0x0,
      NULL, HFILL
    }
  },
  {
    &hf_af_guictrl_FuInCh_In_Si2,
    {
      "size", "guictrl.functioninformationchangeind.size",
      FT_UINT16, BASE_DEC, NULL, 0x0,
      NULL, HFILL
    }
  },
};

This is the extracted part:

static hf_register_info hf_af_guictrl_toggle_struct[]=
{
  {
    &hf_af_guictrl_FuIn_RsFuTo_Co1412,
    {
      "component", "guictrl.toggle.component",
      FT_UINT32, BASE_DEC, VALS(AFComponentID_type_name), 0x0,
      NULL, HFILL
    }
  },
  {
    &hf_af_guictrl_FuIn_RsFuTo_St1422,
    {
      "state", "guictrl.toggle.state",
      FT_UINT32, BASE_DEC, VALS(GUICTRL_TOGGLE_STATE_type_name), 0x0,
      NULL, HFILL
    }
  },
  {
    &hf_af_guictrl_FuIn_RsFuTo_Co1432,
    {
      "control", "guictrl.toggle.control",
      FT_UINT32, BASE_DEC, VALS(GUICTRL_BUTTON_CONTROL_STATE_type_name), 0x0,
      NULL, HFILL
    }
  },
};

This works for me now, but I have duplicated the header info about the toggle part, which is a struct consisting of 3 datatypes. If I try to remove these from the hf_af_guictrl_FunctionInformationChange_Ind, I get the (guint)hfindex < gpa_hfinfo.len error. I don't want to duplicate the information, but it seems to be the only way now, as the proto_register_field_array(proto_af_guictrl, hf_af_guictrl_FunctionInformationChange_Ind, array_length(hf_af_guictrl_FunctionInformationChange_Ind)); seems to fail otherwise.

asked 23 Jun '11, 00:01

scrier


One Answer:

Hmm, tried the following subsection:

  {
    &hf_af_guictrl_FuInCh_InFuBu_Co133,
    {
      "button.control", "guictrl.functioninformationchangeind.functionstate.button.control",
      FT_UINT32, BASE_DEC, VALS(GUICTRL_BUTTON_CONTROL_STATE_type_name), 0x0,
      NULL, HFILL
    }
  },
  {
    &hf_af_guictrl_toggle_struct,
  },
/*  {
    &hf_af_guictrl_FuInCh_InFuTo_Co141,
    {
      "toggle.component", "guictrl.functioninformationchangeind.functionstate.toggle.component",
      FT_UINT32, BASE_DEC, VALS(AFComponentID_type_name), 0x0,
      NULL, HFILL
    }
  },
  {
    &hf_af_guictrl_FuInCh_InFuTo_St142,
    {
      "toggle.state", "guictrl.functioninformationchangeind.functionstate.toggle.state",
      FT_UINT32, BASE_DEC, VALS(GUICTRL_TOGGLE_STATE_type_name), 0x0,
      NULL, HFILL
    }
  },
  {
    &hf_af_guictrl_FuInCh_InFuTo_Co143,
    {
      "toggle.control", "guictrl.functioninformationchangeind.functionstate.toggle.control",
      FT_UINT32, BASE_DEC, VALS(GUICTRL_BUTTON_CONTROL_STATE_type_name), 0x0,
      NULL, HFILL
    }
  },*/
  {
    &hf_af_guictrl_FuInCh_InFu_Co15,
    {
      "controlledbyfunction", "guictrl.functioninformationchangeind.functionstate.controlledbyfunction",
      FT_UINT16, BASE_DEC, VALS(GuiCtrlFunction_type_name), 0x0,
      NULL, HFILL
    }
  },

Still gives me the "(guint)hfindex < gpa_hfinfo.len" on line 1770 in proto.c. How do you declare a subsection without adding duplicates of the fields?

answered 26 Jun '11, 22:26

scrier
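
The bound check quoted in both posts, shown on a self-contained model of the registration step. This is an added example, not Wireshark source and not code from the original posts: `hf_entry`, `register_field_array`, `field_is_usable` and the shortened `hf_` names are stand-ins. It assumes field handles start at -1 and become valid only when an array that lists them is registered, so the shared struct keeps its own array and gets its own registration call.

```c
/* Simplified model of the field registry (assumption: not Wireshark source). */
#include <stdio.h>
typedef struct { int *p_id; const char *abbrev; } hf_entry; /* stands in for hf_register_info */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))
#define MAX_FIELDS 64
static const char *registry[MAX_FIELDS];   /* stands in for gpa_hfinfo */
static unsigned registry_len = 0;

/* Models proto_register_field_array(): every listed entry gets the next index. */
static void register_field_array(hf_entry *hf, unsigned n)
{
    for (unsigned i = 0; i < n && registry_len < MAX_FIELDS; i++) {
        registry[registry_len] = hf[i].abbrev;
        *hf[i].p_id = (int)registry_len++;
    }
}

/* Models the check behind "(guint)hfindex < gpa_hfinfo.len": -1 cast to unsigned fails it. */
static int field_is_usable(int hfindex)
{
    return (unsigned)hfindex < registry_len;
}

static int hf_size = -1;                    /* handles stay -1 until registered */
static int hf_toggle_component = -1, hf_toggle_state = -1, hf_toggle_control = -1;

static hf_entry hf_message[] = {            /* message-specific fields only */
    { &hf_size, "guictrl.functioninformationchangeind.size" },
};
static hf_entry hf_toggle_struct[] = {      /* shared struct, defined once */
    { &hf_toggle_component, "guictrl.toggle.component" },
    { &hf_toggle_state,     "guictrl.toggle.state" },
    { &hf_toggle_control,   "guictrl.toggle.control" },
};

/* Stand-in for a shared toggle sub-dissector: counts the fields it could add. */
static int dissect_toggle(void)
{
    return field_is_usable(hf_toggle_component) + field_is_usable(hf_toggle_state)
         + field_is_usable(hf_toggle_control);
}

int main(void)
{
    register_field_array(hf_message, ARRAY_LEN(hf_message));
    printf("toggle fields usable after message array only: %d\n", dissect_toggle());
    register_field_array(hf_toggle_struct, ARRAY_LEN(hf_toggle_struct));
    printf("toggle fields usable after both arrays: %d\n", dissect_toggle());
    return 0;
}
```

In this model every message that contains the toggle struct calls the one `dissect_toggle` routine, so the three fields are declared in a single array and nothing is duplicated.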