Wireshark-dev: Re: [Wireshark-dev] Plugin development on Windows...

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Sun, 1 Oct 2006 18:51:42 +0200 (CEST)
Hi,

Register a dynamic RTP payload type with the RTP dissector table
"rtp_dyn_payload_type". Have a look at packet-rtp-event.c to see how this
is done.

Thanx,
Jaap

On Sun, 1 Oct 2006, Tobias Erichsen wrote:

> Hi Jaap,
>
> I have actually got the framework to run and I already have my
> dissector working pretty nicely (I had to install Visual Studio
> 6 on my PC, since I had updated to 2003 for a long time already...)
>
> One question remains:
>
> My dissector detects the protocol heuristically, establishes a
> conversation and hands all the "other" data to the RTP-dissector.
> All this is running pretty well.
>
> The content of the RTP-protocol is not yet supported by the RTP-
> dissector; how would I proceed to
>
> a.) enhance the RTP-dissector with a decoder for a specific payload-type
>
> and
>
> b.) how can I tell the RTP-dissector that it should use this specific
> payload-decoder when I call it from my dissector?
>
> Tobias
>
> > -----Original Message-----
> > From: wireshark-dev-bounces@xxxxxxxxxxxxx
> > [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On behalf of
> > Jaap Keuter
> > Sent: Sunday, 1 October 2006 14:00
> > To: Developer support list for Wireshark
> > Subject: Re: [Wireshark-dev] Plugin development on Windows... [heur]
> >
> > Hi Tobias,
> >
> > Take a look at the Wireshark Developer Guide, there is an
> > extensive description of how to set up a development environment
> > on Windows. Just follow the steps and you're underway.
> >
> > Thanx,
> > Jaap
> >
> > On Sun, 1 Oct 2006, Tobias Erichsen wrote:
> >
> > > Well I guess that coding a plugin (especially if the protocol is not
> > > too complex) will be not that hard.
> > >
> > > What I find rather complex is to set up the environment to be able to
> > > compile a plugin at all...
> > >
> > > Do I need to compile Wireshark first to be able to compile plugin-dlls?
> > > What kind of additional libraries & include-files do I need on top of
> > > the Ethereal source to be able to compile my own plugin dll?
> > >
> > > I would guess that quite a few more protocol dissectors/plugins would
> > > be written if this process would be a bit easier.  I guess a lot of
> > > people are just repelled by how much they must do first, just to
> > > dissect a couple of octets and display their content in legible form...
> > >
> > > Tobias
> > >
> > > > -----Original Message-----
> > > > From: wireshark-dev-bounces@xxxxxxxxxxxxx
> > > > [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On behalf of Jaap
> > > > Keuter
> > > > Sent: Sunday, 1 October 2006 07:48
> > > > To: Developer support list for Wireshark
> > > > Subject: Re: [Wireshark-dev] Question concerning some specific
> > > > protocol... [heur]
> > > >
> > > > Hi,
> > > >
> > > > Ahhh, now it's getting simple. Just create a heuristic dissector for
> > > > your proprietary protocol. It DOES work by recognition of (part of)
> > > > content.
> > > > For RTP you'll have to enable the preference "Try to decode RTP
> > > > outside of conversations". You can look in the RTP dissector how
> > > > it's done and use that same method in your own dissector.
> > > >
> > > > Thanx,
> > > > Jaap
> > > >
> > > > On Sat, 30 Sep 2006, Tobias Erichsen wrote:
> > > >
> > > > > The problem is that the port is not fixed - the protocol(s) may run on
> > > > > any ports.
> > > > >
> > > > > Are protocols that are recognized automatically by Wireshark
> > > > > always recognized by the port, not by the content of the datagrams?
> > > > >
> > > > > I know that I can go on a sniffed packet and say "decode as" selecting
> > > > > the protocol manually, but it would be cool to let wireshark/my
> > > > > protocol plugin find it out automatically if it finds any packets that
> > > > > are encoded according to the proprietary protocol and as soon as this
> > > > > fact is established, all packets for this udp-port-tuple will be
> > > > > decoded by my plugin, even though some of the packets won't match the
> > > > > proprietary signature (in this case I would know that it is RTP-data
> > > > > and decode accordingly)
> > > > >
> > > > > Tobias
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: wireshark-dev-bounces@xxxxxxxxxxxxx
> > > > > > [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On behalf of Jaap
> > > > > > Keuter
> > > > > > Sent: Saturday, 30 September 2006 17:53
> > > > > > To: Developer support list for Wireshark
> > > > > > Subject: Re: [Wireshark-dev] Question concerning some specific
> > > > > > protocol... [heur]
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > Well that is simple then. Register your proprietary dissector
> > > > > > for the UDP port. If it's your protocol dissect it, otherwise
> > > > > > hand it over to the RTP dissector.
> > > > > >
> > > > > > Thanx,
> > > > > > Jaap
> > > > > >
> > > > > > On Sat, 30 Sep 2006, Tobias Erichsen wrote:
> > > > > >
> > > > > > > Hi everyone,
> > > > > > >
> > > > > > > I have used Ethereal/Wireshark for some time now, and I would like to
> > > > > > > contribute by developing a protocol-plugin for a combination of a
> > > > > > > proprietary and an open protocol based on RTP...
> > > > > > >
> > > > > > > Both protocols run on the same UDP port-pair tuple. The proprietary
> > > > > > > protocol can be detected very easily, as it has an easy to distinguish
> > > > > > > signature.  The RTP-based part is not, as RTP has really no good
> > > > > > > recognition value.
> > > > > > >
> > > > > > > So how would I design such a dissector, that if I detect the easy-to-
> > > > > > > recognize proprietary protocol on a UDP-port-tuple, that I could then
> > > > > > > heuristically see that the other datagrams will be the RTP-based ones
> > > > > > > and hand their decoding on appropriately (writing again my own
> > > > > > > dissector for this specific RTP payload type)
> > > > > > >
> > > > > > > Best regards,
> > > > > > > Tobias
> > > > > > >
> > > > > > > PS.: I will be developing & testing the stuff on Windows-platform,
> > > > > > > cause that's what I'm most familiar with ;-)
> > > > > > >
> > > > > >
> > > > > > _______________________________________________
> > > > > > Wireshark-dev mailing list
> > > > > > Wireshark-dev@xxxxxxxxxxxxx
> > > > > > http://www.wireshark.org/mailman/listinfo/wireshark-dev
> > > > > >
> > > >
> >
>
>
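A stand-alone C model of the dissector design worked out in this thread, added here as an example and not taken from Wireshark, packet-rtp-event.c or either poster's code: it uses no Wireshark API, the "PROP" signature, port numbers and payload-type names are constructed, and DYN_TABLE stands in for the "rtp_dyn_payload_type" dissector table. It shows the three steps discussed: the proprietary signature claims the conversation for the UDP port tuple, later non-matching datagrams on that tuple are treated as RTP, and the RTP payload type is resolved through the table of dynamic payload types.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum verdict { NOT_OURS, PROPRIETARY, RTP_KNOWN_PT, RTP_UNKNOWN_PT };

/* Constructed signature of the hypothetical proprietary protocol. */
static const uint8_t PROP_MAGIC[4] = { 'P', 'R', 'O', 'P' };

/* Per-port-tuple conversation: once the signature is seen, the whole
 * tuple is claimed (the role conversation_new()/set_dissector play). */
struct conversation { uint16_t port_a, port_b; int claimed; };

/* Dynamic payload types (96..127) registered by name; a stand-in for
 * the "rtp_dyn_payload_type" dissector table named in the thread. */
struct dyn_pt { uint8_t pt; const char *name; };
static const struct dyn_pt DYN_TABLE[] = {
    { 100, "myproto-audio" }, { 101, "telephone-event" } };

static int has_signature(const uint8_t *d, size_t n)
{
    return n >= sizeof PROP_MAGIC && memcmp(d, PROP_MAGIC, sizeof PROP_MAGIC) == 0;
}

/* RTP offers only the version field (V=2) and a fixed 12-byte header
 * as a sanity check, which is why it is a poor heuristic on its own. */
static int looks_like_rtp(const uint8_t *d, size_t n)
{
    return n >= 12 && (d[0] >> 6) == 2;
}

const char *lookup_dyn_pt(uint8_t pt)
{
    for (size_t i = 0; i < sizeof DYN_TABLE / sizeof DYN_TABLE[0]; i++)
        if (DYN_TABLE[i].pt == pt) return DYN_TABLE[i].name;
    return NULL;
}

/* Dissect one datagram: the signature claims the tuple; afterwards every
 * non-matching datagram on the tuple is treated as RTP and its payload
 * type (marker bit stripped) is resolved through the dynamic table. */
enum verdict dissect(struct conversation *c, const uint8_t *d, size_t n)
{
    if (has_signature(d, n)) { c->claimed = 1; return PROPRIETARY; }
    if (!c->claimed || !looks_like_rtp(d, n)) return NOT_OURS;
    return lookup_dyn_pt(d[1] & 0x7f) ? RTP_KNOWN_PT : RTP_UNKNOWN_PT;
}
```

Until the signature has been seen on a tuple, an RTP datagram is not claimed at all, which is exactly the ordering problem the "Try to decode RTP outside of conversations" preference works around in the real dissector.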