Wireshark-dev: Re: [Wireshark-dev] dissecting bit

From: Brian Oleksa <oleksab@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 18 May 2011 14:55:25 -0400
Chris

Thanks for the reply.

It is good to know not to waste my time anymore with the proto_tree_add_bits_item() anymore.

I am looking for a starting point now.

Knowing that all my bytes are little endian....what would be the best way to start dissecting my bytes..??

I have done this thus far: (I am heading in the right direction since I cannot use proto_tree_add_bits_item)...?? As you can see.... I am basically telling each field where the bits are located. But what happens when I come across a field that is variable length..??

Any help is greatly appreciated.


     //Version
proto_tree_add_item(vmf_sub_tree,hf_vmf_version, tvb, offset, 1, FALSE);

     //FPI
     fpi = tvb_get_bits8(tvb, bit_offset, 1);
     proto_tree_add_item(vmf_sub_tree,hf_vmf_fpi, tvb, offset, 1, FALSE);

            if(fpi == 1)
            {
            //Data Compression type
proto_tree_add_item(vmf_sub_tree,hf_vmf_datacompressiontype, tvb, offset, 1, FALSE);
            }

            //GPI
            gpi = tvb_get_bits8(tvb, bit_offset, 1);
proto_tree_add_item(vmf_sub_tree,hf_vmf_gpi, tvb, offset, 1, FALSE);



        { &hf_vmf_version,
            { "Version", "vmf.version", FT_UINT8, BASE_DEC, NULL, 0x0f,
                NULL, HFILL}},
        { &hf_vmf_fpi,
            { "FPI", "vmf.fpi", FT_UINT8, BASE_DEC, NULL, 0x10,
                NULL, HFILL}},
        { &hf_vmf_gpi,
            { "GPI", "vmf.gpi", FT_UINT8, BASE_DEC, NULL, 0x80,
                NULL, HFILL}},

Thanks,
Brian



On 5/18/2011 11:06 AM, Chris Maynard wrote:
Brian Oleksa<oleksab@...>  writes:

I am trying to dissect bits but am running into a problem when bytes
start to over lap (meaning the bit sets are not multiples of 8)

For example:

.... 0011
...0 ....
..1. ....
.1.. ....

*The above 7 bits are being used. Now I need the next 24 bits for the
next field. How to I get that last bit in the first octet and add it to
the next 23 bits....????*

Below is all the my current code base and screen shots. Also attached is
the layout of the packet:

Any help is greatly appreciated.
A couple of things:
1) tvb_get_bits[16|32|64]() only work with consecutive bits; therefore you can't
use proto_tree_add_bits_item().
2) You seem to be using a mix of TRUE and FALSE as the endian argument to
proto_tree_add_bits_item(), meaning a mix of little and big endian.  I don't
know if your bytes are little endian or not, but even if the bits were
consecutive, until bug 4478 is resolved, tvb_get_bits[16|32|64]() do not support
little endian, so you wouldn't be able to use it (yet).

Assuming for the moment that your bytes are big endian and that the URN appears
as follows:

  Byte 0     Byte 1   Byte 2   Byte 3
+-+-------+--------+--------+-------+-+
|U|       +       URN(23/24)        | |
+-+-------+--------+--------+-------+-+

... then you can probably do something like the following *COMPLETELY UNTESTED*
code:

guint32 urn;

urn = (((guint32)tvb_get_guint8(tvb, offset)<<  16)&  0x00800000) |
((tvb_get_guint24(tvb, offset + 1)>>  1)&  0x007FFFFF);

... then add it to the tree using:
proto_tree_add_item(vmf_sub_tree, hf_vmf_urn, tvb, offset, 4, FALSE);

... where hf_vmf_urn is declared as something along the lines of:

     {&hf_vmf_urn,
      {"URN", "vmf.urn",
       FT_UINT32, BASE_DEC, NULL, 0x80FFFFFE, NULL, HFILL }},



___________________________________________________________________________
Sent via:    Wireshark-dev mailing list<wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe