Wireshark-dev: [Wireshark-dev] Obtaining protocol offsets from dissection results
From: Eloy Paris <peloy@xxxxxxxxxx>
Date: Fri, 6 Jun 2008 01:00:25 -0400
Hello,
For each layer (protocol) in a packet I need to obtain the offset into
the packet. For example, for "eth:ip:icmp:data", the offsets would be:
eth: 0
ip: 14 (IP with no options)
icmp: 34 (ICMP echo request)
data: 42
I have been using the value of the "start" field of "struct field_info"
(epan/proto.h). However, I just found out that in some cases "start" can
be zero. For example, a packet with the following structure is giving me
a zero "start" for protocol "tcp", and offsets for the following layers
(telnet in this example), start counting from 0:
eth: 0
vlan: 14
ipv6: 18
tcp: 0
telnet: 20
What is causing field_info's "start" field to be zero is the presence of
an IPv6 fragmentation header (see below for packet details).
The question is: is this normal behavior, and if so, is there some other
reliable way to obtain offsets into a packet from dissection results?
Thanks in advance for any suggestions.
Cheers,
Eloy Paris.-
netexpect.org
----------------------------------------------------------------------
No. Time Source Destination Protocol Info
532 124.395809 2001:db8:1:208::1047 2001:db8:1:208::20 TCP 1029 > 23 [SYN] Seq=192 Win=65535 Len=0
Frame 532 (90 bytes on wire, 90 bytes captured)
Arrival Time: May 27, 2008 15:27:19.862097000
[Time delta from previous captured frame: 0.002587000 seconds]
[Time delta from previous displayed frame: 124.395809000 seconds]
[Time since reference or first frame: 124.395809000 seconds]
Frame Number: 532
Frame Length: 90 bytes
Capture Length: 90 bytes
[Frame is marked: False]
[Protocols in frame: eth:vlan:ipv6:tcp]
[Coloring Rule Name: TCP SYN/FIN]
[Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
Ethernet II, Src: 0a:12:bc:34:ef:61 (0a:12:bc:34:ef:61), Dst: Cisco_b5:a4:1b (00:18:74:b5:a4:1b)
Destination: Cisco_b5:a4:1b (00:18:74:b5:a4:1b)
Address: Cisco_b5:a4:1b (00:18:74:b5:a4:1b)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 0a:12:bc:34:ef:61 (0a:12:bc:34:ef:61)
Address: 0a:12:bc:34:ef:61 (0a:12:bc:34:ef:61)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 909
000. .... .... .... = Priority: 0
...0 .... .... .... = CFI: 0
.... 0011 1000 1101 = ID: 909
Type: IPv6 (0x86dd)
Trailer: B1508EC3
Internet Protocol Version 6
0110 .... = Version: 6
[0110 .... = This field makes the filter "ip.version == 6" possible: 6]
.... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 28
Next header: IPv6 fragment (0x2c)
Hop limit: 255
Source: 2001:db8:1:208::1047 (2001:db8:1:208::1047)
Destination: 2001:db8:1:208::20 (2001:db8:1:208::20)
Fragmentation Header
Next header: TCP (0x06)
0000 0000 0000 0... = Offset: 0 (0x0000)
0 = More Fragment: No
Identification: 0x00000007
[IPv6 Fragments (20 bytes): #532(20)]
[Frame: 532, payload: 0-19 (20 bytes)]
Transmission Control Protocol, Src Port: 1029 (1029), Dst Port: 23 (23), Seq: 192, Len: 0
Source port: 1029 (1029)
Destination port: 23 (23)
Sequence number: 192
Header length: 20 bytes
Flags: 0x02 (SYN)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 65535
Checksum: 0x3b1c [correct]
[Good Checksum: True]
[Bad Checksum: False]
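As an added example (not from the mail or from the Wireshark source), the following Python reconstructs the 90-byte frame from the dissection above and walks its layers twice: once counting offsets from byte 0 of the wire frame, once counting from the start of the data source each layer is dissected in. It assumes, consistent with the "[IPv6 Fragments (20 bytes): #532(20)]" line, that the payload behind the fragment header is handed to the TCP dissector in a reassembled data source whose byte 0 is frame byte 66, which is why a tvb-relative field_info.start of 0 for TCP is expected there.

```python
import struct

# Constructed from the dissection in the mail: eth(14) + 802.1Q(4) + IPv6(40)
# + fragment header(8) + TCP SYN(20) + 4-byte trailer = 90 bytes on the wire.
FRAME = bytes.fromhex(
    "001874b5a41b" "0a12bc34ef61" "8100"           # Ethernet II, type 802.1Q
    "038d" "86dd"                                   # VLAN ID 909, type IPv6
    "60000000" "001c" "2c" "ff"                     # IPv6: payload len 28, NH=fragment, hop 255
    "20010db8000102080000000000001047"              # src 2001:db8:1:208::1047
    "20010db8000102080000000000000020"              # dst 2001:db8:1:208::20
    "06" "00" "0000" "00000007"                     # fragment header: NH=TCP, offset 0, M=0, id 7
    "0405" "0017" "000000c0" "00000000"             # TCP 1029 -> 23, seq 192, ack 0
    "50" "02" "ffff" "3b1c" "0000"                  # hdr len 20, SYN, win 65535, csum, urg
    "b1508ec3"                                      # trailer
)

IPV6_EXT = {0: "hopopt", 43: "routing", 44: "fragment", 60: "dstopts"}

def layer_offsets(frame):
    """Return (frame_off, ds_off): per-layer offsets counted from byte 0 of
    the wire frame, and counted from the start of the data source the layer
    is dissected in. A fragment header starts a reassembled data source, so
    ds_off restarts at 0 for TCP, matching the field_info.start in the mail."""
    frame_off, ds_off, off, ds_base = {}, {}, 0, 0
    frame_off["eth"] = ds_off["eth"] = off
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off = 14
    while ethertype == 0x8100:                     # one or more 802.1Q tags
        frame_off["vlan"] = ds_off["vlan"] = off
        ethertype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if ethertype != 0x86DD:
        raise ValueError("not IPv6")
    frame_off["ipv6"] = ds_off["ipv6"] = off
    nh = frame[off + 6]                            # Next Header of the fixed header
    off += 40
    while nh in IPV6_EXT:                          # extension header chain
        name = "ipv6." + IPV6_EXT[nh]
        frame_off[name], ds_off[name] = off, off - ds_base
        nh = frame[off]
        if name == "ipv6.fragment":
            off += 8
            ds_base = off                          # payload goes to a new data source
        else:
            off += (frame[off + 1] + 1) * 8       # Hdr Ext Len is in 8-octet units
    if nh == 6:
        frame_off["tcp"], ds_off["tcp"] = off, off - ds_base
    return frame_off, ds_off
```

Anything that uses a field's start offset to index into the raw frame bytes has to know which data source that offset belongs to; for this frame the two views agree for eth, vlan and ipv6 and differ only for tcp (66 vs 0).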