This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Changing the TVB in a dissector

0

Is it advisable to change the tvb from a dissector. Say I have some encrypted data which I recieve in a tvb. I do the necessary decryption now I want to store it.

Can I store this in the exsisitng tvb by using something like a tvb_get_pointer() and others and doing a memcpy instead of a creating new tvb using tvb_new_child_real_data() and others then passing it on for further dissection?

Please advise on which is the preferred way.

Thanks, Koundi

asked 23 Oct '16, 23:13

koundi's gravatar image

koundi
9791119
accept rate: 0%

edited 24 Oct '16, 06:50

sindy's gravatar image

sindy
6.0k4851

One Answer:

1

You should never go and write to the backing store of the TVB, simply because you don't know how it is composed. The only valid way to get decrypted data into a TVB is to use the tvb_new_child_real_data() function you found.

answered 24 Oct '16, 02:18

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

edited 24 Oct '16, 06:00

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572

Those were my first instincts too :) So basically I will create a new tvbuff and pass it on for further dissection. Thanks @Jaap.

(24 Oct '16, 04:40) koundi