Wireshark-dev: Re: [Wireshark-dev] accessing field in IP header from L2TP dissector

From: alex volinsky <alexice71@xxxxxxxxx>
Date: Fri, 18 Jul 2008 10:04:25 -0700 (PDT)
>Actually, you want tvb_reported_length(tvb), not tvb_length(tvb); 
>tvb_length(tvb) returns tvb->length, which is the amount of *captured* 
>data in the packet,
 
Placed in the beginning of L2TPv3 dissector handler, both tvb_reported_length(tvb) and tvb_length(tvb) returned 196 bytes which correspond to 188 bytes of MPEG2-TS frame + 8 bytes of L2TPv3 header + L2 sublayer. So, tvb_reported_length() definitely does the job.
 
Thanks a lot,
Alex Volinsky

----- Original Message ----
From: Guy Harris <guy@xxxxxxxxxxxx>
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Sent: Friday, July 18, 2008 9:19:13 AM
Subject: Re: [Wireshark-dev] accessing field in IP header from L2TP dissector


On Jul 18, 2008, at 9:01 AM, Luis EG Ontanon wrote:

> He says the only interesting info there's in the IP header is the
> length. If he needs it to calculate the length of the payload. There's
> no need to access the IP header.The length  of the payload data is
> passed to the dissector intrinsically by the tvb (tvb->length).

Actually, you want tvb_reported_length(tvb), not tvb_length(tvb); 
tvb_length(tvb) returns tvb->length, which is the amount of *captured* 
data in the packet, not the total amount of data in the packet - the 
amount of captured data could be less than the total amount of data, 
due to the capture being done with a snapshot length (or with 
"slicing" or whatever the application calls it).  Dissectors should 
almost always use the total length (reported length), so that they 
throw an exception if they go past the end of the captured data, and 
the packet details are marked as being incomplete (due to the snapshot 
length).
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-dev