Wireshark Generic Dissector

Decoder could append more data than asked

Sometimes the encoding is done by block.
In this case, the decoder function could
  read the size "it wants" and
  append more data than asked.

The excess data will be used for the following fields.

Example : invert bytes 4 by 4

Decoding rule :
Take 4 bytes and invert them.

Decoding function :

# This decoder append more data than asked (except when nb_of_bits_needed%32 == 0).
function void  decode_invert_4_bytes (in frame  frame, in uint32   nb_of_bits_needed_uint)
{
  hide var int32   nb_of_bits_needed = nb_of_bits_needed_uint;
  while (nb_of_bits_needed > 0)
  {
    hide uint8   byte1;
    hide uint8   byte2;
    hide uint8   byte3;
    hide uint8   byte4;
    # simply invert the 4 bytes read
    call frame_append_data (frame, byte4);
    call frame_append_data (frame, byte3);
    call frame_append_data (frame, byte2);
    call frame_append_data (frame, byte1);
    set nb_of_bits_needed = nb_of_bits_needed - 32;
  }
}


Using decoding function

struct xxx
{
  uint8      field_before;  # decode_invert_4_bytes is not called
  
  decoder    decode_invert_4_bytes;
  uint16     field_a;       # decode_invert_4_bytes will be called with nb_of_bits_needed = 16
                            #  append 32 bits
                            #  16 bits are used immediately
                            #  16 bits remains
  enum8      field_b;       # decode_invert_4_bytes will NOT be called
                            #  use 8 bits of the 16 remaining bits
                            #  8 bits remains
  string(3)  field_c;       # decode_invert_4_bytes will be called with nb_of_bits_needed = 16
                            #  append 32 bits
                            #  which makes 40 bits available
                            #  24 bits are used immediately
                            #  16 bits remains
  enum16     field_d;       # decode_invert_4_bytes will NOT be called
                            #  use 16 bits of the 16 remaining bits
                            #  0 bits remains
  decoder    nil;

  uint16     field_after;   # decode_invert_4_bytes is not called
}

Example : decoder_aes (beta)

Decoding rule :
Decrypt aes
AES always use blocks of 16 bytes.

Decoding function skeleton :

# This decoder append more data than asked (except when nb_of_bits_needed%(16*8) == 0).
function void  decoder_aes (in frame  frame, in uint32   nb_of_bits_needed_uint)
{
  hide var int32   nb_of_bits_needed = nb_of_bits_needed_uint;
  while (nb_of_bits_needed > 0)
  {
    hide uint8[16]   bytes_crypted;

    # Decrypt the 16 bytes
    hide var uint8[16]   bytes_decrypted = 0;
    ...
	 
    # Append the 16 bytes decrypted
    call frame_append_data (frame, bytes_decrypted[0]);
    call frame_append_data (frame, bytes_decrypted[1]);
    ...
    call frame_append_data (frame, bytes_decrypted[14]);
    call frame_append_data (frame, bytes_decrypted[15]);

    set nb_of_bits_needed = nb_of_bits_needed - (16 * 8);
  }
}


decoder_aes is built-in.
Key (16/24/32 bytes) must be specified by ascii string variable "decoder_aes_key".
As encrypted data must always be multiple of 16 bytes block, you can have 0 to 15 padding bytes in the last block.
This is your responsability to read them.
If not, this padding bytes will be wrongly used for the next fields (instead of read input data).

CSS Template by Rambling Soul