Guy Harris <gharris@xxxxxxxxx> wrote:
} On Mon, May 28, 2001 at 11:59:36AM -0500, Patrick Hartling wrote:
} > I have been trying to add a dissector for a TCP-based protocol, but I
} > cannot seem to get Ethereal 0.8.18 to use it. I read README.developer and
} > have been comparing the code I wrote with that of other dissectors, but I
} > have hit a wall. The primary problems may be my inexperience with
} > Ethereal and the fact that the protocol I am dissecting uses port 6000,
} > the same as X11.
}
} That's arguably a bit of an error on the part of the protocol designer,
} if they explicitly chose 6000, unless it would *never* be the case that
} a machine running an X server would also run a server for that protocol.

There are a lot of problems with the protocol, but there is nothing I can
do about it. The machine it is running on will definitely never run an
X server, however.

} > When I load the dump (generated with snoop), Ethereal
} > thinks it is a collection of X11 packets.
}
} It's irrelevant what packet capture program generated the capture.

Okay, fine. I was just trying to provide as much information as I could.

} > When I try to decode it using
} > my dissector (through the Decode As ... menu option), the added protocol
} > isn't showing up in the list.
}
} It'll only show up if either
}
} 1) the dissector is registered, using "dissector_add", with the
} "tcp.port" dissector table (as a dissector for port 6000)

This is being done in the proto_reg_handoff_xxx() function for the
dissector.

} or
}
} 2) it's registered as a heuristic dissector with the "tcp"
} heuristic dissector table (which would make sense only if
} the protocol weren't given a specific port number *and* it
} were possible to identify all packets for that protocol by
} looking at the contents)
}
} or
}
} 3) it's registered as a conversation dissector with the "tcp"
} conversation dissector table.
}
} If you don't do one of those three, Ethereal has no way of knowing that
} the protocol in question runs atop TCP.
}
} > It does, however, appear in the dialog
} > showing all the decoding protocols. Is there something that I have to do
} > beyond calling proto_register_protocol() from my dissector's
} > proto_register_xxx() function?
}
} Yes, you have to do one of the three things listed.

I am, as noted above.

} > Would it help if I remove the X11 dissector?
}
} If you don't do 1), then removing the X11 dissector (or disabling it
} from the dialog showing all the decoding protocols) would only mean that
} traffic to or from port 6000 wouldn't be dissected at all, rather than
} being dissected as X11 traffic.

Okay, I was just asking...

-Patrick
Patrick L. Hartling | Research Assistant, VRAC
patrick@xxxxxxx | 2624 Howe Hall -- (515)294-4916
http://www.137.org/patrick/ | http://www.vrac.iastate.edu/