This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Network Byte and Host Byte Order Display formats

0

Hi,

I have been facing this issue for a very long time. I have a field (an integer) which is 00 00 24 20 in the byte stream. When I try to display it as decimal in my dissector, it shoes an incorrect value. That is because I want the dissector to take the value as 02 24 00 00 instead. Basically, I want the reverse order.

How to display in that way?? How to use htonl/ntohl etc in the code.

Help Please..!!!

Thanks

asked 26 Jul '11, 04:43

sidharth's gravatar image

sidharth
1222
accept rate: 0%

One Answer:

0

From doc/README.developer:

guint16 tvb_get_letohs(tvbuff_t*, gint offset);

guint32 tvb_get_letoh24(tvbuff_t*, gint offset);

guint32 tvb_get_letohl(tvbuff_t*, gint offset);

guint64 tvb_get_letoh40(tvbuff_t*, gint offset);

guint64 tvb_get_letoh48(tvbuff_t*, gint offset);

guint64 tvb_get_letoh56(tvbuff_t*, gint offset);

guint64 tvb_get_letoh64(tvbuff_t*, gint offset);

Also: see the final 'encoding' argument of proto_tree_add_item() as described in README.developer

Note well (again from README.developer):

Don't fetch a little-endian value using "tvb_get_ntohs() or "tvb_get_ntohl()" and then using "g_ntohs()", "g_htons()", "g_ntohl()", or "g_htonl()" on the resulting value - the g_ routines in question convert between network byte order (big-endian) and host byte order, not little-endian byte order; not all machines on which Wireshark runs are little-endian, even though PCs are. Fetch those values using "tvb_get_letohs()" and "tvb_get_letohl()".

answered 26 Jul '11, 07:04

Bill%20Meier's gravatar image

Bill Meier ♦♦
3.2k1850
accept rate: 17%

Hi Bill, Thanks for the reply but not all my problems were solved, unfortunately :(

I have a field as size with byte stream showing 03 00 00 00. It is a unsigned integer. In my code I donot apply any transformation on it. I just register in the function as FT_UINT32 and display as BASE_DEC. When I use proto_tree_add_item to add it to the tree (Encoding as False) it shows up as 3. Which is great as I have 3 nodes in the cluster. So that part is fine.

Next I want to display these nodes in a loop (one by one). So I use a loop like

while(i < size)

There size value is not taken as 3 but intead as some huge number it seems.

So I applied : size = tvb_get_letohl(tvb,offset);

size=g_ntohl(size);

and then I am using size in the while loop hoping that its value is taken as 3.

But it does not work still.

Please HELP here..!! URGENT..!!!

Sidharth

(27 Jul '11, 01:38) sidharth

Skip the size=g_ntohl(size); That is what the note Bill quoted told you NOT to do.

(27 Jul '11, 02:05) Jaap ♦

If you're using FALSE with proto_tree_add_item(i.e., specifying Big-Endian aka Network-Order) and the value displays as "3" then I'm confused.

A "byte stream" of "03 00 00 00" treated as Big-Endian will not display as "3". Are you using the correct offset when accessing the field ?

(27 Jul '11, 07:39) Bill Meier ♦♦