Wireshark-dev: Re: [Wireshark-dev] Philosophy around displaying all the fields in a capture

From: John Thacker <johnthacker@xxxxxxxxx>
Date: Mon, 27 Jun 2022 14:39:20 -0400

On Mon, Jun 27, 2022, 12:20 PM Martin Mathieson via Wireshark-dev <wireshark-dev@xxxxxxxxxxxxx> wrote:
I have wondered before if a post-dissector could see skipped/overlapping fields and highlight them.

More likely, it could be an interesting project (for me, anyway) to play with a tool to:
- produce details of dissection (e.g. tshark -> PDML)
- walk the details of the fields, and look for discontinuities or overlaps in byte/bit coverage
- produce output that makes some kind of sense
      - I expect there'll be some obvious types of exceptions that will need to be filtered out, but when I think about the kinds of bugs I make in my private quick-and-dirty dissectors, this kind of coverage checking would be useful to me

The "incomplete_dissectors_check" preferences do that for skipped bytes and put an expert item in the tree or write to the console. Overlaps are probably more difficult for false positives, but the existing preferences are useful for debugging in the situation you mention.

https://gitlab.com/wireshark/wireshark/-/blob/master/epan/prefs.c#L3715 

https://gitlab.com/wireshark/wireshark/-/blob/master/epan/prefs.c#L3508

John
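
Added example, not part of the original thread or of the Wireshark code base: a sketch of the PDML coverage walk proposed in the quoted message, reporting skipped and overlapping byte ranges per protocol. The `demo` protocol, its field names and the sample PDML are constructed for illustration; it assumes the standard PDML `pos`/`size` attributes and counts only leaf fields, since subtree parents legitimately span their children.

```python
import xml.etree.ElementTree as ET

# Constructed PDML fragment: bytes 4-5 are never dissected, and
# demo.body starts one byte before demo.flags ends.
SAMPLE_PDML = """<pdml><packet>
  <proto name="geninfo" pos="0" size="12"/>
  <proto name="demo" pos="0" size="12">
    <field name="demo.hdr" pos="0" size="4">
      <field name="demo.type" pos="0" size="2"/>
      <field name="demo.len" pos="2" size="2"/>
    </field>
    <field name="demo.flags" pos="6" size="2"/>
    <field name="demo.body" pos="7" size="5"/>
  </proto>
</packet></pdml>"""

PSEUDO_PROTOS = {"geninfo", "frame"}  # metadata sections, not wire bytes

def leaf_spans(proto):
    """Sorted (start, end, name) for leaf fields that occupy bytes."""
    spans = []
    for f in proto.iter("field"):
        if f.find("field") is not None:
            continue  # subtree parent: covers its children by design
        pos, size = int(f.get("pos", 0)), int(f.get("size", 0))
        if size > 0:  # zero-length fields are generated, not on the wire
            spans.append((pos, pos + size, f.get("name", "")))
    return sorted(spans)

def coverage_report(proto):
    """Return (gaps, overlaps) as half-open byte ranges within one proto."""
    start = int(proto.get("pos", 0))
    end = start + int(proto.get("size", 0))
    gaps, overlaps, cursor = [], [], start
    for s, e, name in leaf_spans(proto):
        if s > cursor:
            gaps.append((cursor, s))
        elif s < cursor:
            # Bitfields sharing a byte also land here; filter as needed.
            overlaps.append((s, min(e, cursor), name))
        cursor = max(cursor, e)
    if cursor < end:
        gaps.append((cursor, end))
    return gaps, overlaps

def check_pdml(text):
    """Map (packet number, proto name) -> (gaps, overlaps), problems only."""
    report = {}
    for n, packet in enumerate(ET.fromstring(text).iter("packet"), 1):
        for proto in packet.findall("proto"):
            if proto.get("name") not in PSEUDO_PROTOS:
                gaps, overlaps = coverage_report(proto)
                if gaps or overlaps:
                    report[(n, proto.get("name"))] = (gaps, overlaps)
    return report
```

Real input for `check_pdml` would be the output of `tshark -r <capture> -T pdml`; ranges are half-open, so `(4, 6)` means bytes 4 and 5.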