I am trying to rewrite an existing dissector for a proprietary protocol
that, in fact, is only a slight variation on a standard protocol that is
supported by a builtin Wireshark dissector.

The proprietary frame begins with some special fields, followed by a normal
frame of the standard protocol BUT the checksum at the end of the normal
frame is recalculated to reflect the extra bytes at the beginning.  So while
I can easily write a small dissector that parses the initial extra fields
(and have done so), I cannot simply pass the rest of the buffer to the
builtin dissector since then the checksum will be wrong.

My question is:  What is the "right" way to fix that checksum in Wireshark?

I've experimented with several strategies.  The tvb_composite functions
would appear to be ideal, but I can't get them to work for some reason.  So
at the moment I use tvb_memdup to put the data for the normal frame into an
array, fix the bytes of the checksum, and then use tvb_new_real_data to
create a new tvb to pass to the builtin dissector.   That strategy mostly
works: the builtin dissector dissects the right fields and doesn't complain
about the checksum, but the display isn't quite right.  When I select a
field in the display tree, the wrong bytes are highlighted.  I could fix
that by figuring out what internal field of the tvb (or packet_info) needs
to be tweaked... but the fact that I would have to do that tells me that
maybe I'm not going about this the right way.  Generally whenever I find
myself needing to work around the Wireshark API, it means I'm using it
wrong.  ;)

Those of you who are experienced Wireshark developers, what would you
suggest?

Thanks,
b.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
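The copy-and-fix step described in the message, as an added example that is not part of the original post and not Wireshark code. It assumes a 2-byte big-endian trailing checksum and a byte-sum algorithm (`csum16`, `rewrap_inner_frame` and the sample frame are hypothetical), and it verifies the original checksum before rewriting so that a corrupted frame is not silently made to look valid to the inner dissector.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define CSUM_LEN 2 /* assumption: 16-bit big-endian checksum trailer */
enum { REWRAP_OK = 0, REWRAP_SHORT = -1, REWRAP_BAD_CSUM = -2, REWRAP_NOMEM = -3 };

/* Constructed sample: prefix AA BB, inner payload 01 02 03, checksum 0x016B. */
static const uint8_t sample_frame[] = {0xAA, 0xBB, 0x01, 0x02, 0x03, 0x01, 0x6B};

/* Hypothetical checksum (16-bit sum of bytes); swap in the protocol's own. */
static uint16_t csum16(const uint8_t *p, size_t n)
{
    uint32_t s = 0;
    while (n--) s += *p++;
    return (uint16_t)s;
}

/*
 * frame = prefix || inner payload || checksum over (prefix || inner payload)
 * On success *out is a malloc'd copy of
 *         inner payload || checksum over the inner payload only.
 * The caller frees *out. On any error *out stays NULL.
 */
int rewrap_inner_frame(const uint8_t *frame, size_t len, size_t prefix_len,
                       uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (prefix_len > len || len - prefix_len < CSUM_LEN)
        return REWRAP_SHORT;          /* truncated capture or bad prefix length */

    size_t body = len - CSUM_LEN;     /* bytes covered by the on-wire checksum */
    uint16_t wire = (uint16_t)((frame[body] << 8) | frame[body + 1]);
    if (csum16(frame, body) != wire)
        return REWRAP_BAD_CSUM;       /* report it; do not mask the corruption */

    size_t inner_len = len - prefix_len;
    uint8_t *copy = malloc(inner_len);
    if (copy == NULL)
        return REWRAP_NOMEM;
    memcpy(copy, frame + prefix_len, inner_len);
    uint16_t fixed = csum16(copy, inner_len - CSUM_LEN);
    copy[inner_len - 2] = (uint8_t)(fixed >> 8);
    copy[inner_len - 1] = (uint8_t)(fixed & 0xff);
    *out = copy;
    *out_len = inner_len;
    return REWRAP_OK;
}
```

In a dissector, a rewritten buffer like this is normally wrapped with `tvb_new_child_real_data()` and registered with `add_new_data_source()`, which gives the copy its own bytes pane so that field highlighting refers to the rewritten data rather than the original frame.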