Wireshark-dev: Re: [Wireshark-dev] dissecting bit

From: Chris Maynard <chris.maynard@xxxxxxxxx>
Date: Wed, 18 May 2011 15:06:37 +0000 (UTC)
Brian Oleksa <oleksab@...> writes:

> I am trying to dissect bits but am running into a problem when bytes 
> start to over lap (meaning the bit sets are not multiples of 8)
> 
> For example:
> 
> .... 0011
> ...0 ....
> ..1. ....
> .1.. ....
> 
> *The above 7 bits are being used. Now I need the next 24 bits for the 
> next field. How to I get that last bit in the first octet and add it to 
> the next 23 bits....????*
> 
> Below is all the my current code base and screen shots. Also attached is 
> the layout of the packet:
> 
> Any help is greatly appreciated.

A couple of things:
1) tvb_get_bits[16|32|64]() only work with consecutive bits; therefore you can't
use proto_tree_add_bits_item().
2) You seem to be using a mix of TRUE and FALSE as the endian argument to
proto_tree_add_bits_item(), meaning a mix of little and big endian.  I don't
know if your bytes are little endian or not, but even if the bits were
consecutive, until bug 4478 is resolved, tvb_get_bits[16|32|64]() do not support
little endian, so you wouldn't be able to use it (yet).

Assuming for the moment that your bytes are big endian and that the URN appears
as follows:

 Byte 0     Byte 1   Byte 2   Byte 3
+-+-------+--------+--------+-------+-+
|U|       +       URN(23/24)        | |
+-+-------+--------+--------+-------+-+

... then you can probably do something like the following *COMPLETELY UNTESTED*
code:

guint32 urn;

urn = (((guint32)tvb_get_guint8(tvb, offset) << 16) & 0x00800000) |
((tvb_get_guint24(tvb, offset + 1) >> 1) & 0x007FFFFF);

... then add it to the tree using:
proto_tree_add_item(vmf_sub_tree, hf_vmf_urn, tvb, offset, 4, FALSE);

... where hf_vmf_urn is declared as something along the lines of:

    {&hf_vmf_urn,
     {"URN", "vmf.urn",
      FT_UINT32, BASE_DEC, NULL, 0x80FFFFFE, NULL, HFILL }},