This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to dissect a packet based on UDP payload size

0

Hi, I am writing a dissector for a protocol which runs on top of UDP.

I can expect 2 kinds of packets: 1) with payload length 64 bytes, 2) with payload length 16 bytes.

I want to identify the packet based on this.

How can I do this? Any example code is appreciated.

Regards, sandeep

asked 26 Oct '16, 05:08

sandyp

What are you using for your dissector, C or Lua or something else? Are there any header bytes in your protocol that would allow you to differentiate on values rather than length?

(26 Oct '16, 05:32) grahamb ♦

@grahamb I am using C. There is no such thing in my protocol header that tells the size. But it is known that the server always sends a 16-byte message and the client always sends a 64-byte message. If we can parse the source and destination address of the UDP packet, that also should be fine.

(26 Oct '16, 22:22) sandyp

@sandyp Maybe you can register your dissector in the udp table to do a "decode-as" and then use tvb_captured_length() and use that to check the length of the packet in order to process it some way?

(26 Oct '16, 22:48) koundi

One Answer:

0

You should use tvb_reported_length(), that will be the original packet size on the wire regardless of whether the capture sliced the packet.

You can get access to the source and destination addresses via the pinfo parameter to your dissection function. See epan/packet_info.h for all the members of pinfo.

answered 26 Oct '16, 23:24

grahamb ♦

Hi @grahamb, won't using tvb_reported_length be a riskier move? If the packet is not complete then the dissector might run into an exception if not very careful, correct? Can you please tell us which is safer, captured_length vs reported_length?

(27 Oct '16, 02:51) koundi
1

That's kind of the whole point of tvbs: they are a testable virtual buffer that safely handles attempts to access beyond their actual length.

In general, dissectors should use reported length, and if they do run off the end of the tvb, it will be correctly reported as a malformed packet.

(27 Oct '16, 03:46) grahamb ♦
1

You should use tvb_reported_length() to distinguish the two packet types, and may use tvb_captured_length to prevent trying to access data beyond the available buffer (which in itself isn't harmful, as the TVB access functions guard for that).

(27 Oct '16, 05:15) Jaap ♦
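
The reported-versus-captured distinction from the answer and comments above, as an added example that is not part of the original thread and is not Wireshark code: a stand-alone C model in which `struct payload_view`, `classify` and `read_u32` are hypothetical names standing in for a tvb and its accessors. It identifies the message by its on-wire (reported) length and refuses reads beyond the captured bytes, using a constructed 64-byte client message of which only 20 bytes were saved.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a tvb (not Wireshark's tvbuff_t). */
struct payload_view {
    const uint8_t *data;
    size_t captured_len;  /* bytes saved in the capture file */
    size_t reported_len;  /* bytes the payload had on the wire */
};

enum msg_kind { MSG_UNKNOWN, MSG_SERVER_16, MSG_CLIENT_64 };
enum read_status { READ_OK, READ_SLICED, READ_MALFORMED };

/* Classify on the on-wire length so a sliced capture is still identified. */
enum msg_kind classify(const struct payload_view *v)
{
    switch (v->reported_len) {
    case 16: return MSG_SERVER_16;
    case 64: return MSG_CLIENT_64;
    default: return MSG_UNKNOWN;
    }
}

/* Bounds-checked big-endian 32-bit read that never touches missing bytes. */
enum read_status read_u32(const struct payload_view *v, size_t off, uint32_t *out)
{
    if (off > v->reported_len || v->reported_len - off < 4)
        return READ_MALFORMED;  /* beyond the end of the real packet */
    if (off > v->captured_len || v->captured_len - off < 4)
        return READ_SLICED;     /* on the wire, but cut off by the capture */
    *out = ((uint32_t)v->data[off] << 24) | ((uint32_t)v->data[off + 1] << 16) |
           ((uint32_t)v->data[off + 2] << 8) | (uint32_t)v->data[off + 3];
    return READ_OK;
}

/* Constructed sample: a 64-byte client message with only 20 bytes captured. */
static const uint8_t sample_bytes[20] = { 0xDE, 0xAD, 0xBE, 0xEF };
const struct payload_view sliced_client = { sample_bytes, 20, 64 };

int main(void)
{
    uint32_t word = 0;
    printf("kind=%d\n", classify(&sliced_client));
    printf("read@0=%d\n", read_u32(&sliced_client, 0, &word));
    printf("read@32=%d\n", read_u32(&sliced_client, 32, &word));
    printf("read@62=%d\n", read_u32(&sliced_client, 62, &word));
    return 0;
}
```

In a real dissector the tvb accessor functions perform these checks themselves, as the comments above note; the model only makes the two lengths and the two failure cases visible.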