Wireshark-dev: [Wireshark-dev] conversation_add_proto_data
From: David Dugoujon <dav176fr@xxxxxxxx>
Date: Mon, 22 Jan 2007 09:57:59 -0800 (PST)
Dear All,
I am new to Wireshark and I am trying to write a
dissector plugin for the FreePastry binary protocol.
This protocol runs on top of TCP and, for some reason,
I need to keep a context for the TCP streams.
Indeed, FreePastry requires a specific header to be
sent over a newly established TCP connection.
The Pastry stream header looks like this:
    Pastry_magic_number (4 bytes)
    ...
    AppId (4 bytes)
If Pastry_magic_number != 0x2740753A, I know that this
socket is not related to FreePastry.
If AppId != 0, I know that the stream is related to a
tier 2 application that reused the FreePastry socket
management facilities (i.e. I won't be able to dissect
the stream because it is application specific).
Then, the FreePastry application stream is broken up
into "normal" messages (payload-len + payload).
Here is my problem:
I tried to use conversation_add_proto_data(...) to
save information about appId:
    typedef struct _freepastry_conv_info_t {
        gboolean app_conv;
    } freepastry_conv_info_t;
I first wanted to create a new conversation, but I
noticed that a conversation was already created by
Wireshark (i.e. find_conversation(pinfo->fd->num,
&pinfo->src, &pinfo->dst, pinfo->ptype,
pinfo->srcport, pinfo->destport, 0) never returns a
NULL pointer).
Is this normal?
Next, when I save private data with
conversation_add_proto_data for the current
conversation, I notice that the tree information
related to freepastry for this message is not
displayed.
Here is the code I wrote to save context:
    /* 'conversation' comes from the find_conversation() call above and
     * 'app_id' was read from the stream header earlier in the dissector. */

    /* Do we already have a state structure for this conversation? */
    freepastry_info = conversation_get_proto_data(conversation,
                                                  proto_freepastry);
    if (!freepastry_info) {
        gboolean is_app_socket = FALSE;

        /* No.  Attach that information to the conversation, and add
         * it to the list of information structures. */
        freepastry_info = se_alloc(sizeof(freepastry_conv_info_t));
        if (app_id != 0x0) {
            is_app_socket = TRUE;
        }
        freepastry_info->app_conv = is_app_socket;
        conversation_add_proto_data(conversation, proto_freepastry,
                                    freepastry_info);
    }
Here is the code I wrote to display message structure:
    if (tree) {
        proto_item *ti = NULL;
        proto_tree *freepastry_tree = NULL;
        gint offset = 0;

        /* Top-level FreePastry item covering the whole tvb */
        ti = proto_tree_add_item(tree, proto_freepastry, tvb, 0, -1, FALSE);
        freepastry_tree = proto_item_add_subtree(ti, ett_freepastry);

        /* First header field: the 4-byte magic number */
        proto_tree_add_item(freepastry_tree,
                            hf_freepastry_header_magic_number,
                            tvb, offset, 4, FALSE);
        offset += 4;
        ...
    }
When I comment out the line
    conversation_add_proto_data(conversation, proto_freepastry, freepastry_info);
the protocol tree for FreePastry is correctly displayed.
Do you have any idea where the problem is? Have I
understood correctly the use of
conversation_add_proto_data()? Is there a better way
to do this?
Thanks,
David
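The pattern the post is trying to build, a per-TCP-stream state record that is created once from the stream header and reused for every later segment, can be exercised outside Wireshark. The following is an added example, not Wireshark's API and not the poster's plugin: the conversation table, the lookup function and the header layout are constructed here so the file compiles with no epan/ headers. The magic number 0x2740753A and the meaning of AppId come from the post; the header layout used (AppId immediately after the magic, no fields in between) is an assumption made only so the model has a fixed offset, and every name ending in _model is hypothetical.

```c
/* Stand-alone model of per-conversation dissector state (added example, not
 * Wireshark code).  It mirrors the shape of find_conversation() +
 * conversation_get_proto_data() + conversation_add_proto_data() with a
 * constructed table, so the caching behaviour can be tested offline. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PASTRY_MAGIC 0x2740753AUL   /* magic number quoted in the post */

/* ASSUMED layout for the model only: the real header has further fields
 * between the magic and AppId that the post elides. */
#define MODEL_MAGIC_OFFSET 0
#define MODEL_APPID_OFFSET 4
#define MODEL_HEADER_LEN   8

/* Same role as freepastry_conv_info_t in the post, plus a 'seen' flag that
 * stands in for "conversation_get_proto_data() returned non-NULL". */
typedef struct {
    bool seen;
    bool app_conv;   /* true: AppId != 0, stream belongs to a tier 2 app */
} freepastry_conv_info_t;

/* A conversation: the address/port 4-tuple plus the proto-data slot. */
typedef struct {
    uint32_t addr_a, addr_b;
    uint16_t port_a, port_b;
    freepastry_conv_info_t info;
} conversation_model_t;

#define MAX_CONV 16
static conversation_model_t conv_table[MAX_CONV];
static size_t conv_count;

/* Forget all conversations (the model's equivalent of a new capture). */
void conversation_table_reset_model(void) {
    memset(conv_table, 0, sizeof conv_table);
    conv_count = 0;
}

/* Find-or-create, matching either direction of the stream, which is why a
 * segment from the other peer lands on the same record.  Returns NULL only
 * when the constructed table is full. */
conversation_model_t *conversation_find_or_new_model(uint32_t sa, uint16_t sp,
                                                     uint32_t da, uint16_t dp) {
    for (size_t i = 0; i < conv_count; i++) {
        conversation_model_t *c = &conv_table[i];
        if ((c->addr_a == sa && c->port_a == sp && c->addr_b == da && c->port_b == dp) ||
            (c->addr_a == da && c->port_a == dp && c->addr_b == sa && c->port_b == sp))
            return c;
    }
    if (conv_count == MAX_CONV)
        return NULL;
    conversation_model_t *c = &conv_table[conv_count++];
    memset(c, 0, sizeof *c);
    c->addr_a = sa; c->port_a = sp;
    c->addr_b = da; c->port_b = dp;
    return c;
}

/* Big-endian 32-bit read, as tvb_get_ntohl() would do. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

typedef enum { VERDICT_NOT_PASTRY, VERDICT_APP_STREAM, VERDICT_PASTRY } verdict_t;

/* Classify a stream from its first bytes.  State is attached to the
 * conversation only after the header validated, so a stream that merely
 * shares the port never gets a FreePastry record; once attached, later
 * segments (and later passes over the same frame) reuse it without
 * re-reading the header. */
verdict_t dissect_stream_header_model(conversation_model_t *conv,
                                      const uint8_t *data, size_t len) {
    if (conv->info.seen)   /* cached verdict from an earlier segment */
        return conv->info.app_conv ? VERDICT_APP_STREAM : VERDICT_PASTRY;
    if (len < MODEL_HEADER_LEN)          /* bounds check before any read */
        return VERDICT_NOT_PASTRY;
    if (be32(data + MODEL_MAGIC_OFFSET) != PASTRY_MAGIC)
        return VERDICT_NOT_PASTRY;
    uint32_t app_id = be32(data + MODEL_APPID_OFFSET);
    conv->info.seen = true;
    conv->info.app_conv = (app_id != 0);
    return conv->info.app_conv ? VERDICT_APP_STREAM : VERDICT_PASTRY;
}
```

In a real dissector the table and its reset are Wireshark's job (the TCP dissector has already created the conversation, which is why find_conversation() returns non-NULL in the post); only the header check and the attach-once logic in dissect_stream_header_model() correspond to code the plugin would own.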