This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Trying to fetch a signed integer with length 8

0

Hi,

I'm getting this warning on my decoded section of an item. "Expert Info (Warning/Malformed): Trying to fetch a signed integer with length 8"

As it is suggested I'm trying to add an item that is 8 bytes and i should use an unsigned int in order that the item is properly displayed. However I'm trying to use the proto_tree_add_uint64 but unsuccessfully.

This is my part of the code

proto_item *count_id = proto_tree_add_item(count_tree_, hf_map_pdu_eth_count, tvb, offset, 1, ENC_BIG_ENDIAN);
proto_tree *val = proto_item_add_subtree(count_id, ett_map);
offset += 1;
**proto_tree_add_item(val, hf_map_pdu_c_value, tvb, offset, 8, ENC_BIG_ENDIAN);**
offset += 8;

What is the approach when we want to display in DEC 8 bytes?

many thanks

asked 26 Jul '17, 01:37

gerolima's gravatar image

gerolima
6225
accept rate: 50%


One Answer:

0

Please double check hf_map_pdu_c_value definition and ensure that it is defined as FT_UINT64 and not (let's say) FT_INT32.

answered 26 Jul '17, 02:23

Pascal%20Quantin's gravatar image

Pascal Quantin
5.5k1060
accept rate: 30%

Hi,

Yes it's 64.

&hf_map_pdu_c_value, { "Counter value", "map.c_value", FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }

(26 Jul '17, 04:09) gerolima

With such code, the error you are reporting cannot happen with the current development version. Are you building a plugin or an internal dissector? Which Wireshark version are you building with?

(26 Jul '17, 04:27) Pascal Quantin

No, I'm building a plugin. Sorry it's been a while since I started this project. I think it's 2.1.1 is there any way to verify the version to be sure?

(26 Jul '17, 05:44) gerolima

Except in some rare cases or if you just like living dangerously, you should really work with a stable release version, currently the latest stable release being 2.4.0.

You can check configure.ac for the version, for example:

$ head -n 10 configure.ac
#
# Autoconf script for Wireshark
#

Define variables for the components of the Wireshark version number.

m4_define([version_major], [2]) m4_define([version_minor], [4]) m4_define([version_micro], [0])

(26 Jul ‘17, 08:55) cmaynard ♦♦

FT_UINT64

That’s an unsigned 64-bit integer; if you want a signed 64-bit integer, you want FT_INT64.

(26 Jul ‘17, 10:53) Guy Harris ♦♦

So presumably you are building a plugin with a given version of Wireshark, and trying to run it with another version where the numerical value for FT_UINT64 corresponds to FT_INT8, FT_INT16 or FT_INT32. This is a very classic issue when building plugins. Wireshark API is not stable between major releases, so you need to recompile your plugin against the release you intend to use.

(26 Jul ‘17, 11:15) Pascal Quantin

Just to clarify, I just checked the version:

Define variables for the components of the Wireshark version number.

m4_define([version_major], [2]) m4_define([version_minor], [3]) m4_define([version_micro], [0])

So, each time there is a new major release I need to git pull the changes and re-compile the project? To be honest, I’m a bit afraid to mess with my dev environment, it took me a lot of effort to reach a stable state :)

(26 Jul ‘17, 22:51) gerolima

Using a plugin, you have no other choice. Note that 2.3.0 was a development snapshot, so API could change at anytime. Stable release always have an even minor version.

(26 Jul ‘17, 22:59) Pascal Quantin
showing 5 of 8 show 3 more comments