On Fri, Mar 30, 2007 at 04:52:10PM -0400, Bob Doolittle wrote:
> 1 Although encapsulated in UDP, it doesn't use a
> well-known port. I'm OK with telling wireshark
> to decode using the protocol specifically (right-click
> on packet and select "Decode As"), and that's
> working for me at a gross level. Now I want to
> decode the details...
> 2 The protocol is asymmetrical. Packets sent by client
> and server have different formats, only distinguished
> by whether the sender is client or server. There is
> a common header that I'll want to share decoding for,
> but after that the packet structures differ.
>
> Is it possible to write a dissector for such a protocol?
Yes, but the problem with using "Decode As" is that it assigns that port
to your protocol bi-directionally. The dissector then can't tell the
difference between the sender and the receiver. Also, "Decode As" settings
aren't saved between Wireshark sessions.
> Say I select a particular packet and choose "Decode As", and require
> that the packet chosen be one sent by the server, for instance. Now I
> know what UDP port and IP address identify the server and ditto for
> the client. Can I now build separate proto trees depending on which
> is sending the packet?
You need a way to tell which is the sender and which is the receiver
port. Do the common headers specify in any way whether the packet is coming
from the client or the server? Is the sender or receiver port number always
higher than the other? etc. One method you can use is to set up a preference
pane for your protocol with fields to enter the source ports you expect the
protocol to be using in each direction. These are saved between sessions.
doc/README.developer talks about setting up preferences. You would then go
through your common header dissection like normal and, when you reach the
direction-specific fields, put in an if statement similar to the following:
    if (pinfo->srcport == <variable set by preferences>) {
        /* Decode traffic from port number 1 */
    } else {
        /* Decode traffic from port number 2 */
    }
Let us know if you need more help.
Steve
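The approach Steve describes above (a preference for each direction's source port, shared decoding of the common header, then a branch on the source port), written out as a complete Lua dissector. This is an added example, not code from the original thread or from Wireshark itself; it uses Wireshark's Lua API rather than the C API the reply refers to, so that it can be dropped into a plugins directory as one file. The protocol layout (a 4-byte common header of version, type and sequence number; a 32-bit status code in server-to-client packets; a 16-bit request id and length in client-to-server packets) and the name "asymudp" are invented for illustration.

```lua
-- Added example: Lua dissector for a hypothetical asymmetric UDP protocol.
-- The packet layout below is constructed for illustration; it is not a real protocol.
local asym = Proto("asymudp", "Asymmetric UDP example")

-- Preferences are stored in the Wireshark preferences file, so unlike
-- "Decode As" they survive between sessions. 0 means "not configured".
asym.prefs.server_port = Pref.uint("Server source port", 0,
    "UDP port the server sends from (0 = unset)")
asym.prefs.client_port = Pref.uint("Client source port", 0,
    "UDP port the client sends from (0 = unset)")

-- Common header (hypothetical): 1-byte version, 1-byte type, 2-byte sequence.
local f_version = ProtoField.uint8 ("asymudp.version",   "Version",        base.DEC)
local f_type    = ProtoField.uint8 ("asymudp.type",      "Type",           base.HEX)
local f_seq     = ProtoField.uint16("asymudp.seq",       "Sequence",       base.DEC)
-- Server -> client body (hypothetical): 32-bit status code, then payload.
local f_status  = ProtoField.uint32("asymudp.status",    "Status",         base.HEX)
-- Client -> server body (hypothetical): 16-bit request id, 16-bit length, payload.
local f_reqid   = ProtoField.uint16("asymudp.reqid",     "Request ID",     base.DEC)
local f_reqlen  = ProtoField.uint16("asymudp.reqlen",    "Request length", base.DEC)
local f_payload = ProtoField.bytes ("asymudp.payload",   "Payload")
local f_dir     = ProtoField.string("asymudp.direction", "Direction")
asym.fields = { f_version, f_type, f_seq, f_status, f_reqid, f_reqlen, f_payload, f_dir }

local HDR_LEN = 4

function asym.dissector(buf, pinfo, tree)
    if buf:len() < HDR_LEN then return 0 end   -- too short to carry our header
    pinfo.cols.protocol = asym.name
    local root = tree:add(asym, buf(), "Asymmetric UDP example")

    -- Common header, decoded the same way regardless of direction.
    root:add(f_version, buf(0, 1))
    root:add(f_type,    buf(1, 1))
    root:add(f_seq,     buf(2, 2))

    -- Direction is decided by the *source* port the user configured.
    local sp = pinfo.src_port
    if sp == asym.prefs.server_port then
        root:add(f_dir, "server -> client")
        if buf:len() >= HDR_LEN + 4 then
            root:add(f_status, buf(HDR_LEN, 4))
            if buf:len() > HDR_LEN + 4 then
                root:add(f_payload, buf(HDR_LEN + 4))
            end
        end
    elseif sp == asym.prefs.client_port then
        root:add(f_dir, "client -> server")
        if buf:len() >= HDR_LEN + 4 then
            root:add(f_reqid,  buf(HDR_LEN, 2))
            local len_item = root:add(f_reqlen, buf(HDR_LEN + 2, 2))
            local want = buf(HDR_LEN + 2, 2):uint()
            local have = buf:len() - (HDR_LEN + 4)
            if want > have then
                -- Never trust an on-the-wire length; clamp and say so.
                len_item:append_text(" [truncated: only " .. have .. " bytes present]")
                want = have
            end
            if want > 0 then
                root:add(f_payload, buf(HDR_LEN + 4, want))
            end
        end
    else
        -- Reached via "Decode As" (bi-directional) or with the preferences unset:
        -- the source port matches neither side, so stop after the common header
        -- instead of guessing which body format applies.
        root:add(f_dir, "unknown (source port matches neither preference)")
    end
    return buf:len()
end

-- Register on whichever ports are configured, and re-register when the
-- preferences change so the dissector follows the user's settings.
local udp_table = DissectorTable.get("udp.port")
local registered = {}
local function register_ports()
    for _, p in ipairs(registered) do udp_table:remove(p, asym) end
    registered = {}
    for _, p in ipairs({ asym.prefs.server_port, asym.prefs.client_port }) do
        if p ~= 0 then
            udp_table:add(p, asym)
            table.insert(registered, p)
        end
    end
end
asym.prefs_changed = register_ports
register_ports()
```

With both preferences set (Edit > Preferences > Protocols > asymudp), packets are attached to the dissector automatically and the direction branch is taken from the source port; the third branch is what you will see if you instead apply "Decode As" or leave the ports at 0, which is exactly the bi-directional ambiguity the reply warns about. The length clamp in the client branch is the check to keep in any direction-specific body: a length field that exceeds the remaining bytes is flagged rather than used to read past the buffer.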