I have a example from my plugin if it may help:
unsigned char Ip_Buffer[2000];
/* Get the buffer bytes to decompress */
tvb_memcpy(tvb, Ip_Buffer, (*bitoffset)/8,lgpdubit/8);
/*
* Decompress it:
* Decompressed buffer is output in Op_Buffer,
* size of the decompressed buffer (in bit in this case) in
SizeInBits */
*/
rc = decompress(Ip_Buffer, lgpdubit - ((8-bitnb) % 8), &(Op_Buffer),
&O_SizeInBits);
/* Now re-setup the tvb buffer to have the new data */
next_tvb = tvb_new_real_data(Op_Buffer, O_SizeInBits/8,
O_SizeInBits/8);
tvb_set_child_real_data_tvbuff(tvb, next_tvb);
add_new_data_source(pInfoG, next_tvb, "Decompressed Data");
/* From here dissect next_tvb from offset 0 */
> On Fri, 7 Oct 2011 13:51:13 +0400, Max Dmitrichenko
> <dmitr...@gmail.com> wrote:
>> 2011/10/7 Marcel Haas <inf...@fh-worms.de>:
>>> And i have the next problem. Damn wireshark kick my ass :)
>>>
>>> I have some packets witch are compress witz zlib.
>>> I want to uncompress them.
>>> I read the dev-guid about transformed data but i dont have a clue.
>>> I were testing some stuff but with no good result.
>>> Can someone help me with that ?
>>
>> It is simple.
>> 1) You have to know the size of decompressed data, e.g. in
>> buffer_size variable.
>> 2) Alloc the buffer of needed size for it using e.g. se_alloc, e.g.
>> you have pointer to alloced buffer called buffer_ptr.
>> 3) Decompress you data into that buffer.
>> 4) call
>> child_tvb = tvb_new_child_real_data(current_tvb, buffer_ptr,
>> buffer_size, buffer_size);
>> 5) call
>> add_new_data_source(pinfo, child_tvb, "Decompressed Data");
>> 6*) Optionally you can dissect child_tvb as any usual TVB.
>>
>> In the GUI you'll get the decompressed data into another tab called
>> "Decompressed Data" or any other name you provide in step 5.
>>
>> --
>> Max
>>
>> ___________________________________________________________________________
>> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
>> Archives: http://www.wireshark.org/lists/wireshark-dev
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>>
>> mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
> hmm i dont get it at all .. my code looks like this :
>
> guint8 *buff;
> tvbuff_t *compress_tvb;
> int captured_size;
>
> captured_size=tvb_length_remaining(tvb, offset2); //I think that what u
> mean by 1
> buff= g_malloc(captured_size); // step 2 ?
> compress_tvb=tvb_new_real_data(buff,captured_size,captured_size);//
> step 4 ?
> tvb_set_free_cb(compress_tvb,g_free); // step
> 4 ?
> tvb_set_child_real_data_tvbuff(tvb,compress_tvb); // step
> 4 ?
> add_new_data_source(pinfo,compress_tvb,"Decompressed TVB"); //step 5
>
>
>
>
>
>
>
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
>
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
