Wireshark-dev: Re: [Wireshark-dev] Reading from and writing back to tvbuff

From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
Date: Sat, 15 May 2010 00:09:12 -0600
On Wed, May 12, 2010 at 07:16:17PM +1000, Craig Bumpstead wrote:

> Is it ok to read from tvbuff, manipulate the string and write back to 
> it without messing up Wireshark??

No.

> I would like my proprietary protocol to show relevant information in 
> "Follow TCP Stream". All it shows at the moment is illegible hex. Is 
> it possible to write code for a dissector / interpreter for "Follow 
> TCP Stream"?

What about writing your own "Follow xxx" feature?  A while back, I put a 
lot of work into separating those functions and source code files into 
follow_ssl.[ch], follow_tcp.[ch] and follow_udp.[ch] along with 
follow_stream.[ch] for shared functionality.  Some is still in 
epan/follow.[ch].  It's not as cleaned up as I would like, but it should 
help make it easier.

Follow TCP and UDP take straight text, whereas Follow SSL decrypts the 
data first.  Your addition could decrypt or do whatever you need to to 
the data and then display it. Let us know if you need some explaination 
on the current following clode.


-- 
Steve