Hi,
Looking at some of the parsed data in my trials, I am seeing odd things such as
:
format is :
[ftenum] [offset] [name or abbrev] ([length]) : <content, either from the
ftvalue or from interpreted raw bytes>
FT_PROTOCOL 66 mysql(9) :
FT_UINT24 66 mysql.packet_length(3) : 5
FT_UINT8 69 mysql.packet_number(1) : 0
FT_NONE 70 mysql.request(1) : 02
FT_UINT8 70 mysql.command(1) : 2
FT_STRING 71 mysql.schema(4) : test
Notice how mysql.command and mysql.schema are in the hierarchy children of
mysql.request, however mysql.request's length is only 1 byte.
FT_BYTES 198 smb2.security_blob(120) :
60:76:06:06:2b:06:01:05:05:02:a0:6c:30:6a:a0:3c:30:3a:06:0a:2b:06:01:04:01:82:37:02:02:1e:06:09:2a:86:48:82:f7:12:01:02:02:06:09:2a:86:48:86:f7:1
2:01:02:02:06:0a:2a:86:48:86:f7:12:01:02:02:03:06:0a:2b:06:01:04:01:82:37:02:02:0a:a3:2a:30:28:a0:26:1b:24:6e:6f:74:5f:64:65:66:69:6e:65:64:5f:69:6e:5f:52:46:43:34:31:37:38:40:70:6c:65:61:73:65:5f:69:6
7:6e:6f:72:65
FT_UINT32 190
smb2.olb.offset(2) : 0x00000080
FT_UINT32 192
smb2.olb.length(2) : 120
FT_PROTOCOL 198 gss-api(120) :
Notice how smb2.olb.offset & smb2.olb.length are under smb2.security_blob, but
their offset starts at 190/192 while smb2.security_blob starts at 198
This is extremely confusing to say the least and it makes it very hard to
interpret the data in an automated manner. Any reason why this is done in this
way ? I would personally expect a "parent" field to have offset/length that are
consistent with its children.
Thanks,
Hassan
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
