Bytes Accessor in Wireshark in c

277 views Asked by At

I've to access 4 bytes of data from tvb (tvbuff_t *) passed in dissect-protocolname() function. I used 2 functions:
1. data = tvb_get_bits32(tvb, offset, 32, ENC_BIG_ENDIAN); 2. proto_tree_add_item(foo_tree, hf_foo_data, tvb, offset, 4, ENC_BIG_ENDIAN);
the returned value from the first function i'm displaying it using

proto_tree_add_uint(foo_tree, hf_foo_data1, tvb, offset, 4, data);

Both shows the different result in second display pane of wireshark. I'm not changing the offset too.
since offset does not change in both and both are accessing 4 bytes of data . Then Why do both show different result ?
I need 4 bytes of data in a variable to manipulate which first function is doing but returned value is not correct why ??
second function shows the correct decimal value of 4 bytes in display pane of wireshark whereas first does not, why ?
Is there any other function to access more than 1 byte of data(eg: 4 byte) ?

Thanks.

1

There are 1 answers

0
hadriel On

Because the second argument of tvb_get_bits32() where you pass in offset needs to be the offset in number of bits, not bytes; whereas the similar offset fourth argument for proto_tree_add_item() should be the number of bytes not bits.

That's why the second argument in the declaration for tvb_get_bits32() is called "bit_offset", not "offset".

The idea is that when you want to extract/dissect specific bits from the tvbuf, then you'll likely want to start somewhere in the middle of a byte.

In your case, if you want all 32 bits from the byte boundary at offset, then do this:

data = tvb_get_bits32(tvb, offset * 8, 32, ENC_BIG_ENDIAN);