Coming back on this and how to solve it, here's a suggestion I have, let me know what you guys think :
- Whenever a field is really a helper rather than the actual parsed data (an alternate representation of data in the packet for example, here tcp.payload would be the alternate representation of the data parsed in the following layers) mark the field as FI_GENERATED, or create a new flag for helper fields and mark them as such In the case here, tcp.payload would stay under tcp, but flagged as FI_GENERATED or FI_HELPER (or whatever we'd call the flag). The NTLMSSP cases further in the list I gave has a similar case, where an FT_STRING field is present as a helper so the person looking at the parsed packet immediately sees what the offset/length of the string correspond to, but the string it represents is data located in a very different position in the packet and which already has another field representing it. Adding a flag has the advantage that automation can easily identify these fields and act accordingly (for example to ignore them). Thoughts ? -----Original Message----- From: Wireshark-dev [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of Sultan, Hassan via Wireshark-dev Sent: Wednesday, August 02, 2017 2:09 PM To: Developer support list for Wireshark <wireshark-dev@wireshark.org> Cc: Sultan, Hassan <sul...@amazon.com> Subject: Re: [Wireshark-dev] Hierarchy of fields & offsets again, more potential offenders So if this needs to be fixed, but we can't change the tcp protocol length, nor move tcp.payload to the top-level, what are the options left ? My personal view is towards being able to process the information in an automated manner. I'd personally strive for some type of consistency, but I'm not sure what the options are here. > -----Original Message----- > From: Wireshark-dev [mailto:wireshark-dev-boun...@wireshark.org] On > Behalf Of Stig Bjørlykke > Sent: Wednesday, August 02, 2017 1:24 PM > To: Developer support list for Wireshark <wireshark-dev@wireshark.org> > Subject: Re: [Wireshark-dev] Hierarchy of fields & offsets again, more > potential offenders > > On Wed, Aug 2, 2017 at 10:03 PM, Sultan, Hassan via Wireshark-dev > <wireshark- d...@wireshark.org> wrote: > > Regarding tcp.payload, I don't think tcp.payload in itself has any > > problems. I > think the issue lies in tcp showing a length of 32 only, even though > it has tcp.payload as its child. > > The tcp.payload field was recently added, have a look at > https://code.wireshark.org/review/22374 > > I do agree that this is displayed wrong and should be fixed. > Increasing the length of the TCP header would be wrong because the > payload is dissected by upper protocols and does belong with the TCP > header. Putting it at top level would also be wrong because it's not a > protocol. > > > -- > Stig Bjørlykke > _________________________________________________________________ > __________ > Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> > Archives: https://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev > > mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
