Hi Joey,
Le mar. 19 janv. 2021 à 23:35, Joey Salazar <jg...@protonmail.com> a écrit :
> On Tuesday, January 19, 2021 4:20 PM, Pascal Quantin wrote:
>
> Le mar. 19 janv. 2021 à 23:09, Joey Salazar <jg...@protonmail.com> a
> écrit :
>
>> Hi Pascal,
>> On Tuesday, January 19, 2021 11:19 AM, Pascal Quantin wrote:
>>
>> Hi Joey,
>>
>> Le mar. 19 janv. 2021 à 17:45, Joey Salazar via Wireshark-dev <
>> wireshark-dev@wireshark.org> a écrit :
>>
>>> Hi all,
>>>
>>> In commit 33af2649 [1] we can keep dissecting the contents of the req,
>>> adv, and res packets by setting
>>> while (plen > 0) { }
>>> either in `dissect_git_pdu()` or in `dissect_one_pkt_line()`, but for
>>> now in `dissect_git_pdu()` it'd be a bit messy, so wanted to ask for your
>>> feedback for getting `dissect_one_pkt_line()` to work properly first.
>>>
>>> As you can see in pcap 169 [2], it correctly parses the length of the
>>> first line as 0x0014 (20 bytes) until `0x0a`, then it's supposed to get the
>>> length of the next line by the first 4 hex bytes in that line, but instead
>>> of reading the length as 0x0018 (24 bytes) it's reading it as 0x0010 (16
>>> bytes), and anyways, this particular line's length actually is 59 bytes.
>>>
>>> Suggestions on how to approach this?
>>>
>>
>> So what is the code leading to this dissection? It does not seem to be
>> https://gitlab.com/joeysal/wireshark/-/commit/33af2649927cb5660d4aeb64b9a9e9a58a1823aa
>> as dissect_one_pkt_line() seem to read only one line
>>
>> Yes, the code on that commit is what gives the parsing of the screenshot.
>>
>
> So what mechanism is used to call dissect_one_plt_line() a second time?
> With only screenshots and no pcap / code to look at, we can hardly help.
>
> The code has already been provided. I confirm again that there hasn't been
> other lines added other than what's in that commit.
>
> Does it mean that packet-http.c calls your dissector per line? Please
> provide more info, or even better share the pcap if you want us to provide
> some help.
>
> Please find attached the pcap I'm using with the patch from the commit. As
> you can see, the way 167 and 255 are parsed is similar, but I'm referring
> specifically to 169 for now ("To-do" in line 121 will be for the cases
> where there's a 0000 terminator packet like the end of the first-line in
> 167) .
>
Unfortunately you did not share the associated TLS secret (or I missed it)
that would allow me to decrypt the session and test your dissector. Could
you send it?
Best regards,
Pascal.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
