Discussion:
accessing field in IP header from L2TP dissector
alex volinsky
2008-07-18 02:58:37 UTC
Hello everybody.

I'm adding DOCSIS DEPI dissector to Wireshark. The packet format is Ethernet/IPv4/L2TPv3/DEPI. To parse DEPI payload correctly, I need to know the packet length, which is obtained from IP header. One of the options is to set my data pointer 18 bytes back in the beginning of L2TPv3 header dissector, but I wonder if there is some function call to access a field ("ip.len") of IP dissector from another file?

Thanks everybody

Alex Volinsky
Guy Harris
2008-07-18 03:21:43 UTC
Post by alex volinsky
I'm adding DOCSIS DEPI dissector to Wireshark. The packet format is
Ethernet/ IPv4 / L2TPv3/ DEPI. To parse DEPI payload correctly, I
need to know the packet length, which is obtained from IP header.
Does the DEPI dissector need to know how big the *IP* packet is, or
just how big the *DEPI* packet is? I don't see anything obvious in

http://www.cablelabs.com/specifications/CM-SP-DEPI-I05-070223.pdf

to indicate that anything that reads the DEPI packet needs to care
about the length of the headers preceding the DEPI packet.

(In addition, note that you'd need to know how big the IPv4 header
is. Furthermore, at least as I read that spec, the packet format
could either be Ethernet/IPv4/L2TPv3/DEPI *OR* Ethernet/IPv4/UDP/
L2TPv3/DEPI, so the IP header length isn't sufficient, either.)
Post by alex volinsky
One of the options is to set my data pointer 18 bytes back in the
beginning of L2TPv3 header dissector,
That's not a valid option - your dissector gets handed a tvbuff that
is not guaranteed to provide access to any data other than the L2TP
tunnel payload. (The implementation might happen not to prevent you
from referring to data before the beginning of the tvbuff, but we make
no guarantee whatsoever that this will continue to work, and will
never make such a guarantee.)
Géraud Berthomier
2008-07-18 09:04:49 UTC
Hello Alex Volinsky,

I think that you can have a look at the structure pinfo, which has a
packet-info type.

Have a look in Wireshark/epan/packet-info.h

Good luck!

Byebye.
--
Cordialement,

Géraud Berthomier.
Luis EG Ontanon
2008-07-18 16:01:43 UTC
He says the only interesting info there is in the IP header is the
length. If he needs it to calculate the length of the payload, there's
no need to access the IP header. The length of the payload data is
passed to the dissector intrinsically by the tvb (tvb->length).

L
--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
Guy Harris
2008-07-18 16:19:13 UTC
Post by Luis EG Ontanon
He says the only interesting info there is in the IP header is the
length. If he needs it to calculate the length of the payload, there's
no need to access the IP header. The length of the payload data is
passed to the dissector intrinsically by the tvb (tvb->length).
Actually, you want tvb_reported_length(tvb), not tvb_length(tvb);
tvb_length(tvb) returns tvb->length, which is the amount of *captured*
data in the packet, not the total amount of data in the packet - the
amount of captured data could be less than the total amount of data,
due to the capture being done with a snapshot length (or with
"slicing" or whatever the application calls it). Dissectors should
almost always use the total length (reported length), so that they
throw an exception if they go past the end of the captured data, and
the packet details are marked as being incomplete (due to the snapshot
length).
alex volinsky
2008-07-18 16:47:05 UTC
Post by Guy Harris
Does the DEPI dissector need to know how big the *IP* packet is, or
just how big the *DEPI* packet is? I don't see anything obvious in
http://www.cablelabs.com/specifications/CM-SP-DEPI-I05-070223.pdf
to indicate that anything that reads the DEPI packet needs to care
about the length of the headers preceding the DEPI packet.
DEPI works in two modes: D-MPT and PSP. In D-MPT mode, DOCSIS packets are encapsulated into MPEG2-TS fixed-size frames of 188 bytes. In one L2TPv3 payload, there could be from 1 to 7 MPEG2-TS frames. There is no length information in L2TPv3, so I'm looking into IP header.
Post by Guy Harris
(In addition, note that you'd need to know how big the IPv4 header
is. Furthermore, at least as I read that spec, the packet format
could either be Ethernet/IPv4/L2TPv3/DEPI *OR* Ethernet/IPv4/UDP/
L2TPv3/DEPI, so the IP header length isn't sufficient, either.)
You are right. I need to account for possible UDP header.
Thanks for response,
Alex Volinsky

Guy Harris
2008-07-18 16:55:48 UTC
Post by alex volinsky
DEPI works in two modes: D-MPT and PSP. In D-MPT mode, DOCSIS
packets are encapsulated into MPEG2-TS fixed-size frames of 188
bytes. In one L2TPv3 payload, there could be from 1 to 7 MPEG2-TS
frames. There is no length information in L2TPv3, so I'm looking
into IP header.
As per other mail, the tvbuff that your dissector is handed has its
own length information - in your dissector, call
tvb_reported_length(tvb) to find out how much data is in the portion
of the packet that your dissector is supposed to dissect.
alex volinsky
2008-07-18 17:04:25 UTC
Post by Guy Harris
Actually, you want tvb_reported_length(tvb), not tvb_length(tvb);
tvb_length(tvb) returns tvb->length, which is the amount of *captured*
data in the packet,
Placed in the beginning of L2TPv3 dissector handler, both tvb_reported_length(tvb) and tvb_length(tvb) returned 196 bytes which correspond to 188 bytes of MPEG2-TS frame + 8 bytes of L2TPv3 header + L2 sublayer. So, tvb_reported_length() definitely does the job.
Thanks a lot,
Alex Volinsky
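
The captured-versus-reported length distinction discussed in this thread, modelled as an added stand-alone C example (it is not Wireshark code and not written by any poster). `struct payload_view`, `dmpt_frame_count` and `dmpt_frame` are hypothetical names standing in for a tvbuff and its two lengths, and the view is assumed to start at the first MPEG2-TS frame of a D-MPT payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TS_FRAME_LEN  188u /* fixed MPEG2-TS frame size (from the thread) */
#define TS_MAX_FRAMES 7u   /* 1 to 7 frames per L2TPv3 payload (from the thread) */

/* Hypothetical stand-in for a tvbuff: the dissector sees only its own payload. */
struct payload_view {
    const uint8_t *data;   /* first byte handed to this dissector */
    size_t captured_len;   /* bytes saved in the capture (snapshot length applies) */
    size_t reported_len;   /* bytes the payload had on the wire */
};
enum dmpt_status { DMPT_OK, DMPT_TRUNCATED, DMPT_MALFORMED };

/* Derive the frame count from the reported length, never from outer headers. */
static enum dmpt_status dmpt_frame_count(const struct payload_view *v,
                                         unsigned *total, unsigned *readable)
{
    *total = *readable = 0;
    if (v->captured_len > v->reported_len ||
        v->reported_len == 0 || v->reported_len % TS_FRAME_LEN != 0 ||
        v->reported_len / TS_FRAME_LEN > TS_MAX_FRAMES)
        return DMPT_MALFORMED;
    *total = (unsigned)(v->reported_len / TS_FRAME_LEN);
    *readable = (unsigned)(v->captured_len / TS_FRAME_LEN);
    return *readable < *total ? DMPT_TRUNCATED : DMPT_OK;
}

/* Return frame i only if it lies wholly inside the captured bytes. */
static const uint8_t *dmpt_frame(const struct payload_view *v, unsigned i)
{
    if (i >= TS_MAX_FRAMES || ((size_t)i + 1) * TS_FRAME_LEN > v->captured_len)
        return NULL;
    return v->data + (size_t)i * TS_FRAME_LEN;
}

int main(void)
{
    static uint8_t wire[3 * TS_FRAME_LEN];              /* constructed sample */
    struct payload_view v = { wire, 400, sizeof wire }; /* capture cut at 400 */
    unsigned total, readable;
    enum dmpt_status st = dmpt_frame_count(&v, &total, &readable);
    printf("status=%d total=%u readable=%u frame2=%s\n", st, total, readable,
           dmpt_frame(&v, 2) ? "readable" : "not captured");
    return 0;
}
```

Sizing the parse from the captured length alone would report two frames here and hide the fact that the packet carried three; reading relative to a pointer outside the view, as in the "18 bytes back" idea, has no bound to check against at all.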

