Alex Kirk wrote:

> I'm certain I'm not the first person to have
> come across this,

Why? Most protocols are, I suspect, not designed such that there's a
field that could be an IP address or a 4-byte integral count of IP
addresses without there being something earlier in the packet specifying
which it is, so perhaps you *are* the first person to have this requirement.

> so pointers to existing docs that I may be missing would be
> just as welcome as a quick "use this function."

There's no existing mechanism in Ethereal to determine whether an
arbitrary sequence of 4 bytes corresponds to an IP address or not.

For one thing, there's not necessarily any such mechanism possible. As
per my other message, if the field *only* contains host IP addresses,
not "I don't know what my IP address is yet, so I'm sticking this in as
a placeholder" values, or "this is an ancient BSD-style broadcast
address (with zeroes rather than ones, but we're talking *REALLY*
ancient, as in 'prior to 4.3BSD')" values, and the alternative is a
value that's an integral value, then, if the value is little-endian and
not likely to be too large, there's a heuristic that would probably
work, and if the value is big-endian, the chances that the upper N bits
of the address, for a sufficiently large value of "N", are all zero are
small, so a similar heuristic might work. However, if the field isn't
an integer, or if it isn't necessarily small, or if the field might
contain those "placeholder" IP addresses, the heuristic is less likely
to work.

For another thing, I'm not sure we've ever had a dissector that needed
this - by and large, a protocol will say "this field *is* an IP
address", either because the 4 bytes at a given offset are always an IP
address or always an IP address if present, or because a given TLV
always contains an IP address there, or....
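
The heuristic described in the message above, sketched as an added example (not code from the original message or from Ethereal). The names `guess_field`, `plausible_host` and `max_count`, and the rule used for "looks like a host address", are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { GUESS_COUNT, GUESS_IPV4, GUESS_AMBIGUOUS } guess_t;
typedef enum { COUNT_LE, COUNT_BE } count_order_t;

/* Read the 4 bytes as an unsigned count in the given byte order. */
static uint32_t read_count(const uint8_t b[4], count_order_t order)
{
    if (order == COUNT_LE)
        return b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    return (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3];
}

/* Assumed rule, heuristic only: a first octet of 0 (what a small big-endian
 * count produces) or a last octet of 0 (what a small little-endian count
 * produces; also a network number or old zeros-style broadcast) is treated
 * as "not a host address", as is 255.255.255.255. */
static int plausible_host(const uint8_t b[4])
{
    if (b[0] == 0 || b[3] == 0)
        return 0;
    return !(b[0] == 255 && b[1] == 255 && b[2] == 255 && b[3] == 255);
}

/* max_count is the largest count the protocol could plausibly carry. */
guess_t guess_field(const uint8_t b[4], count_order_t order, uint32_t max_count)
{
    uint32_t count = read_count(b, order);
    int count_ok = count <= max_count;
    int host_ok = plausible_host(b);

    if (count == 0)
        return GUESS_AMBIGUOUS;          /* zero count or 0.0.0.0 placeholder */
    if (count_ok && !host_ok)
        return GUESS_COUNT;
    if (host_ok && !count_ok)
        return GUESS_IPV4;
    return GUESS_AMBIGUOUS;              /* fits both readings, or neither */
}

int main(void)
{
    /* Constructed sample fields, not taken from any capture. */
    const uint8_t samples[3][4] = { {0, 0, 0, 3}, {192, 168, 1, 10}, {0, 0, 0, 0} };
    const char *names[] = { "count", "ipv4", "ambiguous" };
    for (int i = 0; i < 3; i++)
        printf("field %d as big-endian: %s\n", i, names[guess_field(samples[i], COUNT_BE, 1024)]);
    return 0;
}
```

With `max_count` set to the full 32-bit range, an ordinary address such as 192.168.1.10 comes back ambiguous, which is the "not necessarily small" case in which the message says the heuristic is less likely to work.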