Hi,
I'm writing my first protocol dissector (a plugin).
I have the basics up and running. However,
this protocol has a couple of unique issues:
1. Although encapsulated in UDP, it doesn't use a
well-known port. I'm OK with telling Wireshark
to decode using the protocol specifically (right-click
on packet and select "Decode As"), and that's
working for me at a gross level. Now I want to
decode the details...
2. The protocol is asymmetrical. Packets sent by client
and server have different formats, only distinguished
by whether the sender is client or server. There is
a common header that I'll want to share decoding for,
but after that the packet structures differ.
Is it possible to write a dissector for such a protocol?
Say I select a particular packet and choose "Decode As",
and require that the packet chosen be one sent by the server,
for instance. Now I know what UDP port and IP address
identify the server and ditto for the client. Can I
now build separate proto trees depending on which is
sending the packet?
Is there some other approach someone can recommend?
Thanks for any and all tips!
-Bob
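One way to do what the post asks, as an added example that is not part of the original message: a minimal Lua dissector for a hypothetical asymmetric UDP protocol that decodes a shared header, then picks the client or server tree by comparing the packet's ports against a server-port preference. The protocol name, field layout, header size and the `server_port` preference are all assumptions for illustration; the only Wireshark API calls used are `Proto`, `Pref.uint`, `ProtoField`, `Pinfo.src_port`/`dst_port` and `DissectorTable:add_for_decode_as`.

```lua
-- Added example (not from the original post): a dissector for a hypothetical
-- asymmetric UDP protocol. Fields, sizes and the preference are assumptions.
local asym = Proto("asymproto", "Hypothetical asymmetric UDP protocol")
-- No well-known port: take the server's port from a preference rather than
-- hard-coding it (Edit > Preferences > Protocols > ASYMPROTO).
asym.prefs.server_port = Pref.uint("Server UDP port", 5000,
    "UDP port the server listens on; used to tell requests from responses")
-- Common header shared by both directions (assumed: version, type, sequence).
local f_version = ProtoField.uint8("asymproto.version", "Version", base.DEC)
local f_type    = ProtoField.uint8("asymproto.type", "Message type", base.HEX)
local f_seq     = ProtoField.uint16("asymproto.seq", "Sequence number", base.DEC)
-- Client-only and server-only body fields (assumed layouts).
local f_req_op      = ProtoField.uint8("asymproto.req.op", "Request opcode", base.HEX)
local f_req_key     = ProtoField.string("asymproto.req.key", "Request key")
local f_rsp_status  = ProtoField.uint8("asymproto.rsp.status", "Response status", base.DEC)
local f_rsp_payload = ProtoField.bytes("asymproto.rsp.payload", "Response payload")
asym.fields = { f_version, f_type, f_seq, f_req_op, f_req_key, f_rsp_status, f_rsp_payload }
local HDR_LEN = 4
-- Shared decoding of the common header, used for both directions.
local function dissect_header(buf, tree)
    local hdr = tree:add(asym, buf(0, HDR_LEN), "Common header")
    hdr:add(f_version, buf(0, 1))
    hdr:add(f_type, buf(1, 1))
    hdr:add(f_seq, buf(2, 2))
end
function asym.dissector(buf, pinfo, tree)
    if buf:len() < HDR_LEN then return 0 end        -- too short to be this protocol
    pinfo.cols.protocol = asym.name
    local top = tree:add(asym, buf(), "Asymmetric protocol")
    dissect_header(buf, top)
    if buf:len() == HDR_LEN then return HDR_LEN end -- header only, no body to decode
    local body = buf:range(HDR_LEN)
    local server_port = asym.prefs.server_port
    -- Direction is decided solely by which endpoint holds the server port.
    if pinfo.src_port == server_port then
        local t = top:add(asym, body, "Server -> client body")
        t:add(f_rsp_status, body:range(0, 1))
        if body:len() > 1 then t:add(f_rsp_payload, body:range(1)) end
    elseif pinfo.dst_port == server_port then
        local t = top:add(asym, body, "Client -> server body")
        t:add(f_req_op, body:range(0, 1))
        if body:len() > 1 then t:add(f_req_key, body:range(1)) end
    else
        top:add(body, "Body (direction unknown: neither port matches the server-port preference)")
    end
    return buf:len()
end
-- No fixed port: register only so the protocol appears under right-click > "Decode As".
DissectorTable.get("udp.port"):add_for_decode_as(asym)
```

Drop the file into the Wireshark plugins directory, set the server port in the protocol's preferences, then use "Decode As" on the UDP port of the capture; packets that match neither port are still shown, but flagged rather than silently mis-decoded.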