This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is it advisable to change the tvb from a dissector? Say I have some encrypted data which I receive in a tvb. I do the necessary decryption; now I want to store it.

Can I store this in the existing tvb by using something like a tvb_get_pointer() and others and doing a memcpy, instead of creating a new tvb using tvb_new_child_real_data() and others, then passing it on for further dissection?

Please advise on which is the preferred way.

Thanks, Koundi

asked 23 Oct '16, 23:13

koundi

edited 24 Oct '16, 06:50

sindy


You should never go and write to the backing store of the TVB, simply because you don't know how it is composed. The only valid way to get decrypted data into a TVB is to use the tvb_new_child_real_data() function you found.

answered 24 Oct '16, 02:18

Jaap ♦

edited 24 Oct '16, 06:00

JeffMorriss ♦

Those were my first instincts too :) So basically I will create a new tvbuff and pass it on for further dissection. Thanks @Jaap.

(24 Oct '16, 04:40) koundi
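
The reasoning in the answer above, as a small stand-alone C model added here (not Wireshark code and not from the original thread): `view`, `view_subset`, `decrypt_in_place`, `decrypt_to_child` and the XOR "cipher" are hypothetical stand-ins for a tvb, a subset tvb and real decryption. It shows that writing through one view changes the captured frame bytes that every other view shares, while decrypting a private copy and wrapping it in a new view, the role tvb_new_child_real_data() plays, leaves them intact.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model (not Wireshark's tvbuff_t): a read-only window onto bytes. */
typedef struct { const uint8_t *data; size_t len; } view;

/* A subset view shares its parent's backing store; nothing is copied. */
static view view_subset(const view *p, size_t off, size_t len) {
    return (view){ p->data + off, len };
}
/* Constructed stand-in for real decryption: XOR with a one-byte key. */
static void xor_buf(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++) buf[i] ^= key;
}
/* Wrong: cast away const and decrypt inside the shared backing store. */
static void decrypt_in_place(const view *v, uint8_t key) {
    xor_buf((uint8_t *)v->data, v->len, key);
}
/* Right: decrypt a private copy and return a new view over it.
 * The caller frees the returned data. */
static view decrypt_to_child(const view *v, uint8_t key) {
    uint8_t *plain = malloc(v->len);
    if (!plain) return (view){ NULL, 0 };
    memcpy(plain, v->data, v->len);
    xor_buf(plain, v->len, key);
    return (view){ plain, v->len };
}
/* Decrypts the payload of a constructed frame (2-byte header + "hi!" XOR 0x5A)
 * into out. Returns 1 if the frame still holds the captured bytes, 0 if not. */
static int demo(int in_place, char out[4]) {
    uint8_t wire[5] = { 0x01, 0x03, 'h' ^ 0x5A, 'i' ^ 0x5A, '!' ^ 0x5A };
    uint8_t captured[5];
    memcpy(captured, wire, sizeof wire);
    view frame = { wire, sizeof wire };
    view payload = view_subset(&frame, 2, 3), plain = payload;
    if (in_place) decrypt_in_place(&payload, 0x5A);
    else plain = decrypt_to_child(&payload, 0x5A);
    if (!plain.data) return -1;               /* out of memory */
    memcpy(out, plain.data, 3); out[3] = '\0';
    if (!in_place) free((void *)plain.data);
    return memcmp(frame.data, captured, frame.len) == 0;
}
int main(void) {
    char out[4];
    printf("child copy: frame intact=%d\n", demo(0, out));
    printf("in place:   frame intact=%d\n", demo(1, out));
    return 0;
}
```

Both paths produce the same plaintext; only the in-place path destroys the bytes as captured, which anything else reading the frame would then see.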
question asked: 23 Oct '16, 23:13

question was seen: 1,122 times

last updated: 24 Oct '16, 06:50
