On Wed, Jun 4, 2014 at 12:12 PM, Kevin Cox <[email protected]> wrote:
> On 04/06/14 10:24, Anders Broman wrote: > > One option is to read the bytes from the tvb to a buffer manipulate the > bytes and make a new tvb with the manipulated bytes in the buffer and then > dissect that new tvb. > > Like uncompressing something and then dissect the content of the > uncompressed result.If it's just a few bytes that may not be feasible I > suppose. > > I tried this using tvb_new_child_real_data_ but the highlighted area in > wireshark seemed to be the first n bytes of the parent tvb. I don't > know how to link it back where the data actually came from. > > > If the encoded stuff really is a string "string coming from the wrong > place in the packet" you might want to add a new string encoding type and > add it as a string > > With ENC_MY_STRING_ENCODING. > > This is possible but I'm not sure it would be ideal. I will explain my > use case a bit more. > > I have a "blob" type in my protocol that has some metadata such as > length and type and I want to create a generic parser function that can > be used from multiple locations in my protocol. > > I'm thinking that the ideal output would contain an parent item of a > type passed into my function. This would have the value of the blob > content so it can be filtered on. However I want it to highlight the > whole source of the blob in the "packet view". > > Then this item would have expert children such as length, type and data > which would point to the actual pieces inside the structure. > > I can get most of this using a FT_NONE or text item with custom > formatting however that will leave me unable to filter the field. > If you're going to have a data subfield that is filterable, why do you need the parent item to be filterable as well? Wouldn't they have the exact same thing? Most Wireshark dissectors do not make the intermediate tree items filterable, only the "bottom"-level elements. Is this the best approach? Or would a different method be better. I > did a similar dissection of a string and am very pleased with the > output, however because the source and value lengths are tied together > for bytes objects I don't know how to implement it. > > Thanks, > Kevin > > > ___________________________________________________________________________ > Sent via: Wireshark-dev mailing list <[email protected]> > Archives: http://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev > mailto:[email protected] > ?subject=unsubscribe >
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
