Wireshark-dev: [Wireshark-dev] Handling larger than 2 GB packets in dissectors
Hi all,
I'm currently writing a new C dissector for the Zabbix protocol. My Lua
dissector has already been available for a few years on GitHub
(https://github.com/markkuleinio/wireshark-zabbix-dissectors), but
encouraged by the participation in improving the DHCPFO dissector I
decided to try C coding a bit more. Python is my current language of
choice, though I did some simple C over 20 years ago.
Anyway, to the point. In the Zabbix protocol header
(https://www.zabbix.com/documentation/current/en/manual/appendix/protocols/header_datalen)
the normal data length is a 4-byte unsigned integer ("uint32"). However,
there is a flag for large packets, used in specific Zabbix proxy
configurations where the configuration sizes are over 4 GB, and in those
cases the data length is an 8-byte unsigned integer ("uint64"). (Plus it
uses compression, and the specified maximum uncompressed packet size is
currently 16 GB.)
In Wireshark the dissector functions use a signed integer ("gint",
32-bit, right?) as the length and start/offset parameters.
Assuming that I would like to handle the full >2 GB protocol packets in
Wireshark (I don't know how crazy or practical an idea that would even be),
how should that be done? For example, if I would like to give the user
the possibility to right-click the huge JSON blob (in the Zabbix packet)
and copy it somewhere else for inspection, what would I need to do to
get past the 2 GB (signed 32-bit integer) limit?
I guess what I'm looking for is some guidance or discussion on how to
handle such huge data cases when dissecting. Are there some dissectors
that already deal with the same kind of issues?
I'm already thinking about just adding some expert info (and doing no
other dissection) if the header values indicate data larger than 2 GB,
but I'm interested in the case anyway.
Markku Leiniö
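As an added, stand-alone illustration of the header handling discussed in the post above (this is example code written for this page, not code from the post, from the Lua dissector, or from Wireshark): a small C parser that reads both the 4-byte and the 8-byte form of the Zabbix header into 64-bit fields and decides, before any value is narrowed to a signed 32-bit offset, whether the announced lengths fit. The "ZBXD" magic, the flag bit values (0x01 protocol, 0x02 compressed, 0x04 large packet) and the layout (data length followed by a reserved field that carries the uncompressed size when compression is on) are taken from my reading of the Zabbix protocol documentation, not from the post, and should be checked against the linked page; the `zbx_build_header` encoder is a hypothetical helper used only to construct the sample headers.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Magic, flag bits and layout are assumptions of this example (from the
 * Zabbix protocol documentation as I read it), not facts stated in the post. */
#define ZBX_MAGIC          "ZBXD"
#define ZBX_FLAG_PROTOCOL  0x01
#define ZBX_FLAG_COMPRESS  0x02
#define ZBX_FLAG_LARGE     0x04

#define ZBX_HDR_LEN_NORMAL 13  /* "ZBXD" + flags + uint32 datalen + uint32 reserved */
#define ZBX_HDR_LEN_LARGE  21  /* "ZBXD" + flags + uint64 datalen + uint64 reserved */

enum zbx_status {
    ZBX_OK = 0,
    ZBX_NEED_MORE,   /* buffer is shorter than the header it announces */
    ZBX_BAD_MAGIC,
    ZBX_TOO_BIG      /* a length does not fit in a signed 32-bit offset (gint) */
};

struct zbx_hdr {
    uint8_t  flags;
    size_t   header_len;   /* 13 or 21 */
    uint64_t datalen;      /* payload bytes on the wire (compressed size if compressed) */
    uint64_t reserved;     /* uncompressed size when compressed, otherwise 0 */
};

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint64_t get_le64(const uint8_t *p)
{
    return (uint64_t)get_le32(p) | ((uint64_t)get_le32(p + 4) << 32);
}

/* Compare in 64 bits first; casting to gint before comparing would wrap
 * values above INT32_MAX to negative numbers and defeat the check. */
static int fits_gint(uint64_t v)
{
    return v <= (uint64_t)INT32_MAX;
}

enum zbx_status zbx_parse_header(const uint8_t *buf, size_t len, struct zbx_hdr *h)
{
    if (len < 5)
        return ZBX_NEED_MORE;
    if (memcmp(buf, ZBX_MAGIC, 4) != 0)
        return ZBX_BAD_MAGIC;

    h->flags = buf[4];
    h->header_len = (h->flags & ZBX_FLAG_LARGE) ? ZBX_HDR_LEN_LARGE : ZBX_HDR_LEN_NORMAL;
    if (len < h->header_len)
        return ZBX_NEED_MORE;

    if (h->flags & ZBX_FLAG_LARGE) {
        h->datalen  = get_le64(buf + 5);
        h->reserved = get_le64(buf + 13);
    } else {
        h->datalen  = get_le32(buf + 5);
        h->reserved = get_le32(buf + 9);
    }

    /* Check the on-wire length and, for compressed packets, the inflated
     * length: even a plain uint32 length can exceed 2 GB without the
     * large-packet flag being set. */
    if (!fits_gint(h->datalen))
        return ZBX_TOO_BIG;
    if ((h->flags & ZBX_FLAG_COMPRESS) && !fits_gint(h->reserved))
        return ZBX_TOO_BIG;
    return ZBX_OK;
}

/* Hypothetical encoder used to construct sample headers; selects the 8-byte
 * form when either length does not fit in uint32. Returns bytes written. */
size_t zbx_build_header(uint8_t *out, uint64_t datalen, uint64_t reserved, int compressed)
{
    uint8_t flags = ZBX_FLAG_PROTOCOL | (compressed ? ZBX_FLAG_COMPRESS : 0);
    int large = datalen > UINT32_MAX || reserved > UINT32_MAX;
    int width = large ? 8 : 4;
    size_t n = 4;
    memcpy(out, ZBX_MAGIC, 4);
    if (large)
        flags |= ZBX_FLAG_LARGE;
    out[n++] = flags;
    for (int i = 0; i < width; i++) out[n++] = (uint8_t)(datalen >> (8 * i));
    for (int i = 0; i < width; i++) out[n++] = (uint8_t)(reserved >> (8 * i));
    return n;
}

int main(void)
{
    /* Constructed sample: 4 GiB compressed payload inflating to 16 GiB. */
    uint8_t buf[ZBX_HDR_LEN_LARGE];
    struct zbx_hdr h;
    size_t n = zbx_build_header(buf, 0x100000000ULL, 0x400000000ULL, 1);
    enum zbx_status st = zbx_parse_header(buf, n, &h);
    printf("header_len=%zu datalen=%llu status=%d\n",
           h.header_len, (unsigned long long)h.datalen, (int)st);
    return 0;
}
```

In a dissector the same 64-bit comparison would sit between reading the field from the tvbuff and handing the value to any function that takes a gint length or offset; the `ZBX_TOO_BIG` branch is where the expert info the post mentions would be attached, with no further dissection of the payload.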