This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, I am writing a dissector for a protocol which runs on top of UDP.

There are 2 kinds of packets I can expect: 1) with payload length 64 bytes, 2) with payload length 16 bytes.

I want to identify the packet based on this.

How can I do this? Any example code is appreciated.

regards sandeep

asked 26 Oct '16, 05:08

sandyp

What are you using for your dissector, C or Lua or something else? Are there any header bytes in your protocol that would allow you to differentiate on values rather than length?

(26 Oct '16, 05:32) grahamb ♦

@grahamb I am using C. There is no such thing in my protocol header that tells the size. But it is known that the server always sends a 16-byte message and the client always sends a 64-byte message... If we can parse the source and destination address of the UDP packet, that should also be fine.

(26 Oct '16, 22:22) sandyp

@sandyp Maybe you can register your dissector in the udp table to do a "decode-as" and then use tvb_captured_length() and use that to check the length of the packet in order to process it some way?

(26 Oct '16, 22:48) koundi

You should use tvb_reported_length(), that will be the original packet size on the wire regardless of whether the capture sliced the packet.

You can get access to the source and destination addresses via the pinfo parameter to your dissection function. See epan/packet_info.h for all the members of pinfo.

answered 26 Oct '16, 23:24

grahamb ♦

Hi @grahamb, won't using tvb_reported_length be a riskier move? If the packet is not complete then the dissector might run into an exception if not very careful, correct? Can you please tell us which is safer, captured_length vs reported_length?

(27 Oct '16, 02:51) koundi
That's kind of the whole point of tvbs: they are a testable virtual buffer that safely handles attempts to access beyond their actual length.

In general, dissectors should use reported length, and if they do run off the end of the tvb, it will be correctly reported as a malformed packet.

(27 Oct '16, 03:46) grahamb ♦
You should use tvb_reported_length() to distinguish the two packet types, and may use tvb_captured_length to prevent trying to access data beyond the available buffer (which in itself isn't harmful, as the TVB access functions guard for that).

(27 Oct '16, 05:15) Jaap ♦
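
The reported-versus-captured distinction discussed in this thread, as an added stand-alone example (not code from the posters or from Wireshark). `struct view`, `classify` and `view_get_u8` are hypothetical names that only model the behaviour described above; a real dissector would call `tvb_reported_length()` and the tvb accessor functions instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a tvb: bytes saved in the capture vs. bytes on the wire. */
struct view {
    const uint8_t *data;
    size_t captured_len;  /* bytes actually saved (role of tvb_captured_length()) */
    size_t reported_len;  /* original on-wire size (role of tvb_reported_length()) */
};

enum msg_kind { MSG_UNKNOWN, MSG_SERVER_16, MSG_CLIENT_64 };
enum read_status { READ_OK, READ_TRUNCATED, READ_MALFORMED };

/* Identify the message by its on-wire length, so a sliced capture is still
 * recognised. Comparing captured_len instead would miss a truncated packet. */
enum msg_kind classify(const struct view *v)
{
    if (v->reported_len == 64) return MSG_CLIENT_64;
    if (v->reported_len == 16) return MSG_SERVER_16;
    return MSG_UNKNOWN;
}

/* Bounds-checked read: never dereferences memory past captured_len. */
enum read_status view_get_u8(const struct view *v, size_t off, uint8_t *out)
{
    if (off >= v->reported_len) return READ_MALFORMED;  /* past the end of the packet */
    if (off >= v->captured_len) return READ_TRUNCATED;  /* sliced away by the capture */
    *out = v->data[off];
    return READ_OK;
}

int main(void)
{
    /* Constructed sample: a 64-byte client message saved with a 32-byte snapshot length. */
    static const uint8_t saved[32] = { 0xAA };
    struct view sliced = { saved, sizeof saved, 64 };
    uint8_t b = 0;

    printf("kind=%d\n", classify(&sliced));
    printf("read@0=%d\n", view_get_u8(&sliced, 0, &b));
    printf("read@40=%d\n", view_get_u8(&sliced, 40, &b));
    printf("read@64=%d\n", view_get_u8(&sliced, 64, &b));
    return 0;
}
```
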

question asked: 26 Oct '16, 05:08

question was seen: 2,073 times

last updated: 27 Oct '16, 05:15