Wireshark-dev: Re: [Wireshark-dev] Is it possible to write a dissector for an asymmetrical prot

From: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>
Date: Fri, 30 Mar 2007 22:34:05 +0000
On 3/30/07, Bob Doolittle <Robert.Doolittle@xxxxxxx> wrote:
> Hi,
>
> I'm writing my first protocol dissector (a plugin).
> I have the basics up and running.  However,
> this protocol has a couple of unique issues:
>
> 1 Although encapsulated in UDP, it doesn't use a
>    well-known port.  I'm OK with telling wireshark
>    to decode using the protocol specifically (right-click
>    on packet and select "Decode As"), and that's
>    working for me at a gross level.  Now I want to
>    decode the details...
> 2 The protocol is asymmetrical.  Packets sent by client
>    and server have different formats, only distinguished
>    by whether the sender is client or server.  There is
>    a common header that I'll want to share decoding for,
>    but after that the packet structures differ.


Is it possible, from this common header, to tell which packets are
sent by the client and which are sent by the server?
I assume not.

So you probably need to add some sort of heuristics:
You can look at packet size,
you could use tvb_get_... functions to peek inside the body behind the
header itself.

Would it be possible in your protocol to heuristically determine if it
is sent from server or client based on frame length and payload?

Once you have found a packet which allowed you to determine without a
doubt whether it was from the client or from the server,
you could then store this information ("if it is from address:X port:Y
then it is from the client, otherwise it is from the server") in a
structure you attach to that particular UDP conversation.

(see for example packet-pana.c for examples on how to use
conversations and attaching a structure of your choice to a
conversation)
> Is it possible to write a dissector for such a protocol?
>
> Say I select a particular packet and choose "Decode As",
> and require that the packet chosen be one sent by the server,
> for instance.  Now I know what UDP port and IP address
> identify the server and ditto for the client.  Can I
> now build separate proto trees depending on which is
> sending the packet?
>
> Is there some other approach someone can recommend?
>
> Thanks for any and all tips!
>
> -Bob

_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev
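The approach Ronnie describes (heuristic on the payload first, then cache which endpoint is the client on the conversation so later ambiguous packets can be placed) as an added, stand-alone C model. This is not code from the thread or from Wireshark: the wire format, the endpoint addresses and the sample packets are constructed for the example, and the small conversation table stands in for Wireshark's conversation API (in a real plugin you would use find_or_create_conversation plus conversation_add_proto_data / conversation_get_proto_data, as packet-pana.c does) rather than calling it.

```c
/* Stand-alone model of the approach above: a payload heuristic decides the
 * direction of unambiguous packets, and the verdict is cached per UDP
 * conversation so that ambiguous packets (here, empty keepalives) are
 * resolved from the cached endpoint roles. Added example, not code from the
 * thread; the wire format is constructed and the conversation table stands
 * in for Wireshark's conversation API rather than using it. */
#include <stdint.h>
#include <stdio.h>

/* Constructed format. Common header: 'A' 'P' + 16-bit big-endian body length.
 * Client body: opcode 0x01..0x04, 4-byte request id, args.
 * Server body: status 0x80 (OK) or 0x81..0xFF (error), 4-byte request id, data.
 * Empty body: keepalive, sent by either side, so content alone can't place it. */
#define HDR_LEN 4

typedef struct { uint32_t addr; uint16_t port; } endpoint_t;
typedef enum { DIR_UNKNOWN = 0, DIR_FROM_CLIENT, DIR_FROM_SERVER } direction_t;

/* Per-conversation state: both endpoints plus, once learned, which one is the client. */
typedef struct { endpoint_t a, b; int client_known; endpoint_t client; } conv_t;

#define MAX_CONVS 64
static conv_t convs[MAX_CONVS];
static int n_convs;

static int ep_eq(endpoint_t x, endpoint_t y) { return x.addr == y.addr && x.port == y.port; }

/* Direction-independent lookup: (src,dst) and (dst,src) hit the same entry. */
static conv_t *find_or_create_conversation(endpoint_t src, endpoint_t dst)
{
    for (int i = 0; i < n_convs; i++)
        if ((ep_eq(convs[i].a, src) && ep_eq(convs[i].b, dst)) ||
            (ep_eq(convs[i].a, dst) && ep_eq(convs[i].b, src)))
            return &convs[i];
    if (n_convs == MAX_CONVS) return NULL;
    conv_t *c = &convs[n_convs++];
    c->a = src; c->b = dst; c->client_known = 0;
    return c;
}

/* Peek behind the common header. DIR_UNKNOWN for keepalives, truncated
 * packets and anything that fits neither format: never guess. */
direction_t heuristic_direction(const uint8_t *pkt, size_t len)
{
    if (len < HDR_LEN || pkt[0] != 'A' || pkt[1] != 'P') return DIR_UNKNOWN;
    size_t body_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (body_len == 0 || body_len + HDR_LEN > len) return DIR_UNKNOWN;
    const uint8_t *body = pkt + HDR_LEN;
    if (body_len >= 5 && body[0] >= 0x01 && body[0] <= 0x04) return DIR_FROM_CLIENT;
    if (body_len >= 5 && body[0] >= 0x80) return DIR_FROM_SERVER;
    return DIR_UNKNOWN;
}

/* What the dissector does per packet: heuristic first; a definite verdict
 * records the client endpoint on the conversation; an ambiguous packet is
 * resolved from the cached roles, or stays unknown if none are cached yet. */
direction_t classify_packet(endpoint_t src, endpoint_t dst, const uint8_t *pkt, size_t len)
{
    conv_t *c = find_or_create_conversation(src, dst);
    direction_t d = heuristic_direction(pkt, len);
    if (d != DIR_UNKNOWN) {
        if (c && !c->client_known) {
            c->client = (d == DIR_FROM_CLIENT) ? src : dst;
            c->client_known = 1;
        }
        return d;
    }
    if (c && c->client_known)
        return ep_eq(src, c->client) ? DIR_FROM_CLIENT : DIR_FROM_SERVER;
    return DIR_UNKNOWN;
}

/* Constructed sample traffic between two endpoints (addresses as host-order u32). */
const endpoint_t EP_CLIENT = { 0x0A000001u, 40000 }, EP_SERVER = { 0x0A000002u, 5555 };
const uint8_t PKT_KEEPALIVE[] = { 'A','P', 0x00,0x00 };
const uint8_t PKT_REQUEST[]   = { 'A','P', 0x00,0x05, 0x02, 0x00,0x00,0x00,0x2A };
const uint8_t PKT_REPLY[]     = { 'A','P', 0x00,0x05, 0x80, 0x00,0x00,0x00,0x2A };

int main(void)
{
    static const char *name[] = { "unknown", "from client", "from server" };
    /* The keepalive seen before any unambiguous packet cannot be placed;
     * the one after the request/reply exchange is resolved from the cache. */
    printf("keepalive (first frame): %s\n", name[classify_packet(EP_CLIENT, EP_SERVER, PKT_KEEPALIVE, sizeof PKT_KEEPALIVE)]);
    printf("request:                 %s\n", name[classify_packet(EP_CLIENT, EP_SERVER, PKT_REQUEST, sizeof PKT_REQUEST)]);
    printf("reply:                   %s\n", name[classify_packet(EP_SERVER, EP_CLIENT, PKT_REPLY, sizeof PKT_REPLY)]);
    printf("keepalive from server:   %s\n", name[classify_packet(EP_SERVER, EP_CLIENT, PKT_KEEPALIVE, sizeof PKT_KEEPALIVE)]);
    return 0;
}
```

Two details worth carrying over to a real plugin: the first keepalive in the trace stays unknown because nothing has been learned for that conversation yet, so the dissector should build a generic "direction unknown" tree for such frames rather than guess (conversation data survives across passes, so a frame that was ambiguous on the first pass is resolved when Wireshark re-dissects it later); and the heuristic refuses to classify when the header's claimed body length exceeds what was captured, which matters because the tvb_get_ functions throw on out-of-range reads instead of returning garbage.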