Wireshark-dev: Re: [Wireshark-dev] newbie question about dissecting protocol with many message

From: Andrew Schweitzer <a.schweitzer.grps@xxxxxxxxx>
Date: Sat, 02 Sep 2006 18:11:13 -0400
Guy Harris wrote:

Does each of the 100 packet types have fields that appear in no other packet type? If so, then, yes, that's a lot of fields, but that's how we do it in other protocols.
Thanks. Is it possible to define multiple arrays of fields, or is it common practice to just make one big one? One array per message might actually fit quite nicely with the way we have one data structure per message in code (more or less).

Can you add a field list to a subtree?


What do you mean by "field array" and "field list"?

static hf_register_info hf[] = {
...
}

...

proto_register_field_array(proto_NEWPROTO, hf, array_length(hf));

"hf" is I meant.

Are we talking about each packet type having about 10 *different* fields, or 10 instances of the *same* field, e.g. a protocol with a request to get a list of IP addresses from the other machine and a reply containing the IP addresses wouldn't have "proto.reply.ip_addr_1", "proto.reply.ip_addr_2", "proto.reply.ip_addr_3", etc. fields, it'd just have several instances of "proto.reply.ip_addr".

Separate fields. Our protocol works more or less like this:
[Fixed size header
	msg_id
	following_data_length]
[data
	one packet OR

	count
	n fixed size packet OR
	
	count
	n variable size packet, each with their own length]

Each packet has something like 10 different fields. Often the first three to five fields are common and the rest are not.
I see that NBNS defines multiple protocols.


No, NBNS is one protocol, not multiple protocols.

The file named "packet-nbns.c" contains dissectors for multiple protocols, but that's for historical reasons, as the comment at the beginning of the file says; one could argue that there should be "packet-nbns.c" with the NBNS dissector, "packet-nbds.c" with the NBDS dissector, and "packet-nbss.c" with the NBSS dissector. Those are three different protocols, even though they're all defined by the same RFCs (1001 and 1002).
Got it.

Should I define a different protocol for each message type?


No.  You said "*a* proprietary protocol", so it's just one protocol.


That also seems excessive.


Not only would it be excessive, it would be the wrong thing to do.
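A worked example of the layout Andrew describes, added here and taken neither from this thread nor from Wireshark's own sources: one protocol, header fields shared by every message, one field table per message type, and the data part dissected as one packet, as count plus n fixed-size records, or as count plus n records that each carry their own length. It is written as a Lua dissector rather than a C hf_register_info array so it runs as a plugin script without a build; the protocol name, TCP port 5555, the three message ids and every field size are assumptions.

```lua
-- Example Lua dissector (not from the thread). All sizes are assumptions:
-- msg_id u8, following_data_length u16, count u8, per-record length u8.
local p = Proto("newproto", "NEWPROTO (example)")

-- Header fields common to every message type.
local hf_msg_id = ProtoField.uint8 ("newproto.msg_id", "Message ID", base.DEC)
local hf_len    = ProtoField.uint16("newproto.len",    "Following data length", base.DEC)
local hf_count  = ProtoField.uint8 ("newproto.count",  "Count", base.DEC)

-- One field table per message type, mirroring one data structure per message.
local hf_login = {                                  -- msg 1: a single packet
  user = ProtoField.string("newproto.login.user", "User"),
}
local hf_addr = {                                   -- msg 2: count + n fixed 4-byte records
  ip = ProtoField.ipv4("newproto.addr.ip", "Address"),   -- one field, many instances
}
local hf_name = {                                   -- msg 3: count + n records with own length
  len  = ProtoField.uint8 ("newproto.name.len",  "Record length", base.DEC),
  text = ProtoField.string("newproto.name.text", "Name"),
}

-- Registration takes a single table, so the per-message tables are merged here.
p.fields = { hf_msg_id, hf_len, hf_count, hf_login.user, hf_addr.ip, hf_name.len, hf_name.text }

function p.dissector(buf, pinfo, tree)
  pinfo.cols.protocol = "NEWPROTO"
  local t = tree:add(p, buf())
  local msg_id = buf(0, 1):uint()
  t:add(hf_msg_id, buf(0, 1))
  t:add(hf_len, buf(1, 2))
  local off = 3
  if msg_id == 1 then                               -- one packet: assumed 8-byte user field
    t:add(hf_login.user, buf(off, 8))
  elseif msg_id == 2 then                           -- count, then n fixed-size records
    local n = buf(off, 1):uint(); t:add(hf_count, buf(off, 1)); off = off + 1
    for i = 1, n do
      t:add(hf_addr.ip, buf(off, 4)); off = off + 4 -- same field added n times
    end
  elseif msg_id == 3 then                           -- count, then n variable-size records
    local n = buf(off, 1):uint(); t:add(hf_count, buf(off, 1)); off = off + 1
    for i = 1, n do
      local rlen = buf(off, 1):uint()
      local rec = t:add(hf_name.len, buf(off, 1))
      rec:add(hf_name.text, buf(off + 1, rlen))
      off = off + 1 + rlen
    end
  end
end

DissectorTable.get("tcp.port"):add(5555, p)
```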