Hi, I have a question regarding the difference between tvb_reported_length and tvb_captured_length. According to the discussion in https://www.wireshark.org/lists/wireshark-dev/201509/msg00016.html Wireshark-dev: Re: [Wireshark-dev] tvb_captured_length or tvb_reported_length?<https://www.wireshark.org/lists/wireshark-dev/201509/msg00016.html> So most of the time you are interested by reported length. But captured length is still useful for some specific use cases. For example in an heuristic dissector, when you are performing your tests to identify whether this is a packet for your protocol or not, you must ensure that the captured length is at least equal to the offset of the byte you want to access to. www.wireshark.org , the reported length should be used in most cases. Captured length should only be used in some specific use cases.
However, in the developer documentation "Adding a basic dissector" (https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html), the dissect_foo function returns tvb_captured_length. 9.2. Adding a basic dissector - Wireshark<https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html> The first decision you need to make is if this dissector will be a built-in dissector, included in the main program, or a plugin. Plugins are the easiest to write initially, so let’s start with that. www.wireshark.org It also looks like "return tvb_captured_length" is used more in the code than "return tvb_reported_length". Bruno Verstuyft Senior Testing and Software Engineer Excentis Gildestraat 8 9000 Gent - Belgium Tel: +32 9 269 22 91
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe