Wireshark-bugs: [Wireshark-bugs] [Bug 8239] Dissector for Microsofts SSTP VPN Protocol

Date: Mon, 21 Jan 2013 20:53:11 +0000

Comment # 21 on bug 8239 from
(In reply to comment #19)
> You may be able to use the
> "conversation API"
> mentioned in doc\README.developer, section 2.2.  Perhaps
> the logic should
> be (pseudocode):
>
> if first 4 bytes == "SSTP"
>   then
> create_conversation()
>   dissect_sstp()
>   return TRUE
> else if
> find_conversation("SSTP")
>   dissect_sstp()
>   return TRUE
> else
>  
> return FALSE
yes, but this only works if wireshark saw the one initial
> packet with the "SSTP" string as described above.
SSTP sessions that were
> already at an "established" state before the capture was started, would
> simply not be recognized as such and therefore not dissected.

That's where Decode As... comes in.  What should cover both scenarios is:

void
proto_reg_handoff_sstp(void)
{
   static dissector_handle_t sstp_handle; 

   sstp_handle = create_dissector_handle(dissect_sstp, proto_sstp);
   dissector_add_handle("tcp.port", sstp_handle);

   /* heur_dissect_sstp() function is algorithm described in comment #18 */
   heur_dissector_add("tcp", heur_dissect_sstp, proto_sstp);
}


OR

You can register the TCP port as a "preference".  Not sure if it should default
to 443 or 0.  I would lean towards 0 since it's not an IANA registered value. 
Numerous dissectors have examples on how to do this.


You are receiving this mail because:
  • You are watching all bug changes.