Hi. With reference to this e-book chapter 8, page 430, Step 5: Create The Dissector, it is stated that "The tvb structure is used to extract and decode the data contained in each element of the packet." And "To acquire data from the packet, we used tvb_get_xxx functions." My question is, how does the actual process of extracting data from each element of the packet take place, like how is the element inserted into the tvb structure? What functions are involved and, if it's possible, please provide an example. Thank you for your time. Shuda. asked 03 Aug '11, 22:24 Shuda edited 04 Aug '11, 16:19 helloworld
One Answer:
Elements are not added in the TVB structure; the TVB contains the raw bytes of the packet (from the wire). Dissectors then take these bytes and create a human presentation of it. They do this, typically, by calling proto_tree_add_item() (which takes the offset into the TVB and the length of the data as well as an hf field which describes the encoding of the data being retrieved). There are many other proto_tree_add_() functions, if more control over the presentation is desired. Data can be retrieved from the TVB using the tvb_get_() functions. For examples, see any of the dissectors in the Wireshark source code (in the epan/dissectors/ directory). answered 04 Aug '11, 06:10 JeffMorriss ♦
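To make the answer's offset-and-length model concrete, here is an added example (not part of the answer above and not Wireshark project code). It builds a small stand-in for the tvbuff, a pointer to the raw packet bytes plus their length, and walks a made-up 8-byte header field by field the way a dissector advances an offset through the tvb. The `model_tvb_t` type, the `tvb_model_*` accessors and the toy header layout are hypothetical; the real Wireshark calls they imitate are tvb_get_guint8(), tvb_get_ntohs(), tvb_get_ntohl() and proto_tree_add_item(). One important difference is kept in mind: in Wireshark, an out-of-range read makes the tvb accessor throw a bounds exception that marks the packet as malformed, whereas this model returns an error code, so the truncated-packet case shows what the bounds check buys you rather than how Wireshark reports it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for Wireshark's tvbuff: a pointer to the raw packet
 * bytes plus their length. Hypothetical model, not the epan API. */
typedef struct {
    const uint8_t *data;
    size_t len;
} model_tvb_t;

/* Bounds check shared by every accessor. Written to avoid size_t overflow
 * when offset is already past the end of the buffer. */
static int tvb_model_in_bounds(const model_tvb_t *tvb, size_t offset, size_t n)
{
    return offset <= tvb->len && n <= tvb->len - offset;
}

/* Model of tvb_get_guint8(): one byte at offset, or -1 if out of range. */
static int tvb_model_get_u8(const model_tvb_t *tvb, size_t offset, uint8_t *out)
{
    if (!tvb_model_in_bounds(tvb, offset, 1)) return -1;
    *out = tvb->data[offset];
    return 0;
}

/* Model of tvb_get_ntohs(): 16-bit big-endian value at offset. */
static int tvb_model_get_ntohs(const model_tvb_t *tvb, size_t offset, uint16_t *out)
{
    if (!tvb_model_in_bounds(tvb, offset, 2)) return -1;
    *out = (uint16_t)((tvb->data[offset] << 8) | tvb->data[offset + 1]);
    return 0;
}

/* Model of tvb_get_ntohl(): 32-bit big-endian value at offset. */
static int tvb_model_get_ntohl(const model_tvb_t *tvb, size_t offset, uint32_t *out)
{
    if (!tvb_model_in_bounds(tvb, offset, 4)) return -1;
    *out = ((uint32_t)tvb->data[offset] << 24) | ((uint32_t)tvb->data[offset + 1] << 16) |
           ((uint32_t)tvb->data[offset + 2] << 8) | (uint32_t)tvb->data[offset + 3];
    return 0;
}

/* Decoded fields of a made-up 8-byte header:
 * version(1) type(1) payload_len(2, big-endian) msg_id(4, big-endian) */
typedef struct {
    uint8_t version, type;
    uint16_t payload_len;
    uint32_t msg_id;
} toy_header_t;

/* Walk the buffer field by field, advancing the offset after each read,
 * which is the same motion as a sequence of proto_tree_add_item() calls.
 * Returns bytes consumed, or -1 if the packet is too short for the header
 * or for the payload length the header claims. */
static long dissect_toy(const model_tvb_t *tvb, toy_header_t *hdr)
{
    size_t offset = 0;
    if (tvb_model_get_u8(tvb, offset, &hdr->version)) return -1;
    offset += 1;
    if (tvb_model_get_u8(tvb, offset, &hdr->type)) return -1;
    offset += 1;
    if (tvb_model_get_ntohs(tvb, offset, &hdr->payload_len)) return -1;
    offset += 2;
    if (tvb_model_get_ntohl(tvb, offset, &hdr->msg_id)) return -1;
    offset += 4;
    /* A length field taken from the packet is untrusted input: the declared
     * payload must fit inside the bytes actually captured. */
    if (!tvb_model_in_bounds(tvb, offset, hdr->payload_len)) return -1;
    offset += hdr->payload_len;
    return (long)offset;
}

/* Constructed sample packet: version 1, type 2, 3-byte payload, id 0xDEADBEEF */
static const uint8_t sample_packet[] = {
    0x01, 0x02, 0x00, 0x03, 0xDE, 0xAD, 0xBE, 0xEF, 0xAA, 0xBB, 0xCC
};

static long dissect_sample(toy_header_t *hdr)
{
    model_tvb_t tvb = { sample_packet, sizeof sample_packet };
    return dissect_toy(&tvb, hdr);
}

/* Same bytes cut short: the header claims 3 payload bytes but only 1 is present. */
static long dissect_truncated(toy_header_t *hdr)
{
    model_tvb_t tvb = { sample_packet, 9 };
    return dissect_toy(&tvb, hdr);
}

int main(void)
{
    toy_header_t hdr;
    long n = dissect_sample(&hdr);
    printf("consumed %ld bytes: version=%u type=%u payload_len=%u msg_id=0x%08X\n",
           n, hdr.version, hdr.type, hdr.payload_len, hdr.msg_id);
    printf("truncated packet -> %ld\n", dissect_truncated(&hdr));
    return 0;
}
```

The point of the second call is the one a dissector author most needs: every offset and every length that comes out of the packet is checked against the buffer before it is used, so a short or malformed capture is reported rather than read past the end of the tvb.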
I see. Thanks for your reply! Really appreciate it. I will try to see the examples in the dissectors. =)