Bytes Accessor in Wireshark in c


I have to access 4 bytes of data from the tvb (tvbuff_t *) passed to the dissect-protocolname() function. I used 2 functions:

1. data = tvb_get_bits32(tvb, offset, 32, ENC_BIG_ENDIAN);
2. proto_tree_add_item(foo_tree, hf_foo_data, tvb, offset, 4, ENC_BIG_ENDIAN);

I'm displaying the value returned from the first function using

proto_tree_add_uint(foo_tree, hf_foo_data1, tvb, offset, 4, data);

Both show a different result in the second display pane of Wireshark. I'm not changing the offset either.
Since the offset does not change and both are accessing 4 bytes of data, why do both show different results?
I need the 4 bytes of data in a variable to manipulate, which the first function does, but the returned value is not correct. Why?
The second function shows the correct decimal value of the 4 bytes in the display pane of Wireshark whereas the first does not. Why?
Is there any other function to access more than 1 byte of data (e.g. 4 bytes)?

Thanks.


There are 1 answers

hadriel On

Because the second argument of tvb_get_bits32() where you pass in offset needs to be the offset in number of bits, not bytes; whereas the similar offset fourth argument for proto_tree_add_item() should be the number of bytes not bits.

That's why the second argument in the declaration for tvb_get_bits32() is called "bit_offset", not "offset".

The idea is that when you want to extract/dissect specific bits from the tvbuf, then you'll likely want to start somewhere in the middle of a byte.

In your case, if you want all 32 bits from the byte boundary at offset, then do this:

data = tvb_get_bits32(tvb, offset * 8, 32, ENC_BIG_ENDIAN);
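
The bit-offset versus byte-offset difference described in the answer, as an added example that is not code from the original post or from Wireshark: two stand-in accessors read the same constructed buffer, one indexed in bytes and one in bits, each with the bounds check a dissector needs before reading attacker-controlled packet data. The function names and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for a byte-offset accessor (the offset convention used by
 * proto_tree_add_item() or tvb_get_ntohl()): 4 bytes, big-endian.
 * Returns 0 on success, -1 if the read would run past the buffer. */
static int get_be32_at_byte(const uint8_t *buf, size_t len, size_t offset, uint32_t *out)
{
    if (offset > len || len - offset < 4)
        return -1;
    *out = ((uint32_t)buf[offset] << 24) | ((uint32_t)buf[offset + 1] << 16) |
           ((uint32_t)buf[offset + 2] << 8) | (uint32_t)buf[offset + 3];
    return 0;
}

/* Stand-in for a bit-offset accessor (the bit_offset convention of
 * tvb_get_bits32()): 32 bits, most significant bit first. */
static int get_be32_at_bit(const uint8_t *buf, size_t len, size_t bit_offset, uint32_t *out)
{
    uint32_t v = 0;
    if (bit_offset > len * 8 || len * 8 - bit_offset < 32)
        return -1;
    for (size_t i = 0; i < 32; i++) {
        size_t bit = bit_offset + i;
        v = (v << 1) | ((buf[bit / 8] >> (7 - bit % 8)) & 1u);
    }
    *out = v;
    return 0;
}

/* Constructed sample payload: the 4-byte field starts at byte offset 2. */
static const uint8_t sample[] = { 0xAA, 0xBB, 0x12, 0x34, 0x56, 0x78, 0xCC };

int main(void)
{
    uint32_t by_byte = 0, wrong = 0, right = 0;
    size_t offset = 2;
    get_be32_at_byte(sample, sizeof sample, offset, &by_byte);
    get_be32_at_bit(sample, sizeof sample, offset, &wrong);     /* byte offset used as bits */
    get_be32_at_bit(sample, sizeof sample, offset * 8, &right); /* converted to bits */
    printf("byte accessor:    0x%08X\n", (unsigned)by_byte);
    printf("bits at offset:   0x%08X\n", (unsigned)wrong);
    printf("bits at offset*8: 0x%08X\n", (unsigned)right);
    return 0;
}
```

With the byte offset passed unchanged, the bit accessor starts two bits into the first byte of the buffer, so the value is built from the wrong bytes and shifted as well.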