Implementing an SNMP v1 decoder and working with some Wireshark captures, I can see that sometimes the length field of a BER element is coded with one byte and other times with two bytes.
Reading the BER rules, if the most significant bit is set to 1, then the length value must be extended with the next byte to represent values bigger than 255.
So, if the first byte is 0x81, and the next byte is 0x9F, then the extended Length field should take the 0x9F value... OK
My question is: If the second byte is 0x9F, the most significant bit is 1 again.
Wireshark only takes two bytes for this length.
Why, in this case, is the size of Length only two bytes?
Are Length fields restricted to 2 bytes?
Thanks.
According to the BER rule, the length field can be multiple bytes (much more than 2):
http://en.wikipedia.org/wiki/KLV
Length Field
Following the bytes for the Key are bytes for the Length field which will tell you how many bytes follow the length field and make up the Value portion. There are four kinds of encoding for the Length field: 1-byte, 2-byte, 4-byte and Basic Encoding Rules (BER). The 1-, 2-, and 4-byte variants are pretty straightforward: make an unsigned integer out of the bytes, and that integer is the number of bytes that follow.
BER length encoding is a bit more complicated but the most flexible. If the first byte in the length field does not have the high bit set (0x80), then that single byte represents an integer between 0 and 127 and indicates the number of Value bytes that immediately follows. If the high bit is set, then the lower seven bits indicate how many bytes follow that themselves make up a length field.
For example if the first byte of a BER length field is binary 10000010, that would indicate that the next two bytes make up an integer that then indicates how many Value bytes follow. Therefore a total of three bytes were taken up to specify a length.
"If second byte is 0x9F, the more significative bit is 1 again." Is that a question? Only the first byte in the bytes determines how many following bytes are used to determine the length. So you never need to care about the most significant bit of the second byte. Never.
How Wireshark represents the bytes is not very critical. Unless Wireshark shows you a wrong value for length, you should not pay much attention to it.
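The rule from the answer above as a bounds-checked length decoder; this is an added example, not code from the original posts. The names `decode_ber_length`, `read_tlv`, `BERLengthError` and the `max_len_octets` cap are assumptions made for illustration, as is the single-octet tag.

```python
class BERLengthError(ValueError):
    """Malformed BER length field, or a length that overruns the buffer."""


def decode_ber_length(buf, offset=0, max_len_octets=4):
    """Return (length, octets_consumed) for the length field at buf[offset].

    max_len_octets is an assumed local policy cap, not a BER rule.
    """
    if offset >= len(buf):
        raise BERLengthError("truncated: no length octet")
    first = buf[offset]
    if first < 0x80:
        # Short form: high bit clear, this octet is the length (0..127).
        return first, 1
    count = first & 0x7F  # long form: low 7 bits = number of length octets
    if count == 0:
        raise BERLengthError("0x80 is the indefinite form, rejected here")
    if count == 0x7F:
        raise BERLengthError("0xFF is reserved as a first length octet")
    if count > max_len_octets:
        raise BERLengthError("length field uses %d octets, cap is %d"
                             % (count, max_len_octets))
    end = offset + 1 + count
    if end > len(buf):
        raise BERLengthError("truncated inside the length field")
    # The following octets are plain unsigned big-endian data; their own
    # high bits carry no meaning, so 0x81 0x9F decodes to 159.
    return int.from_bytes(buf[offset + 1:end], "big"), 1 + count


def read_tlv(buf, offset=0):
    """Return (tag, value, next_offset); assumes a single-octet tag."""
    if offset >= len(buf):
        raise BERLengthError("truncated: no tag octet")
    tag = buf[offset]
    length, used = decode_ber_length(buf, offset + 1)
    start = offset + 1 + used
    if start + length > len(buf):
        raise BERLengthError("declared length overruns the captured data")
    return tag, buf[start:start + length], start + length


# Constructed sample: OCTET STRING (tag 0x04) with the question's 0x81 0x9F.
SAMPLE = bytes([0x04, 0x81, 0x9F]) + b"A" * 0x9F
```

Checking the declared length against the remaining buffer before slicing is what keeps a crafted packet from driving the decoder past the end of the captured data.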