Wireshark-dev: Re: [Wireshark-dev] [Wiresharkl-dev] Adding a dissector for "Analyze->Decode As"

From: "Bryan Miller" <millerb@xxxxxxx>
Date: Mon, 30 Apr 2007 16:33:45 -0600
> From: Guy Harris <guy@xxxxxxxxxxxx>
> Date: Fri, 16 Feb 2007 16:03:41 -0800
>
> On Feb 16, 2007, at 3:28 PM, Ravi Kondamuru wrote:
>
> > I am trying to write a dissector for a non-standard rpc protocol.
> > Writing a heuristic to automatically identify the protocol is getting too complicated. So, I was wondering if I could add a dissector that can be used when I select a connection and explicitly say Decode As.
> > Is it possible to do that?
>
> If your protocol runs directly on top of UDP or TCP, yes. (If it runs on top of some other RPC protocol - i.e., if by "rpc protocol" you mean a protocol that is implemented using some RPC mechanism such as ONC RPC or DCE RPC - then, no, you can't, and you *shouldn't*; there's already a mechanism for registering dissectors for ONC RPC-based and DCE RPC-based protocols.)
>
> > If it is, any pointers to notes on how can it be done?
>
> If your protocol runs on top of UDP, so that you'd want to use "Decode As" to indicate that a particular UDP port should be used for your protocol, then call
>
> 	dissector_add_handle("udp.port", {the handle for your dissector});
>
> If your protocol runs on top of TCP, so that you'd want to use "Decode As" to indicate that a particular TCP port should be used for your protocol, then call
>
> 	dissector_add_handle("tcp.port", {the handle for your dissector});
>

---

(Please excuse the email format.  I am cut-n-pasting to a PDA)

Is it possible to add both TCP and UDP handles to a dissector?  I have successfully built an RPC-based dissector, but it is only called for TCP packets.  UDP packets go undissected.

In my proto_reg_handoff I call the canonical rpc_init_prog() and rpc_init_proc_table(), which appear to default to the rpc_tcp_handle.
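The following is an added illustration, not Wireshark's code and not written by anyone in this thread. It is a small self-contained C model of what the quoted reply describes: the per-port dissector tables named "tcp.port" and "udp.port", the difference between offering a handle in "Decode As" (dissector_add_handle, which current Wireshark releases have renamed dissector_add_for_decode_as) and actually binding a port to it, and a handoff routine that registers one dissector with both transports. The protocol name "myrpc", the ports 5000 and 6000, and the string-valued handle type are constructed for the example; the real functions live in epan/packet.h, take an opaque dissector_handle_t, and the lookup additionally receives the tvbuff, packet_info and proto_tree.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HANDLES  8
#define MAX_BINDINGS 16

/* Model only: a handle is the protocol's short name. Real Wireshark handles
 * are opaque objects made by create_dissector_handle(). */
typedef const char *dissector_handle_t;

struct binding { unsigned int port; dissector_handle_t handle; };

/* One per-port table, i.e. what the names "tcp.port" and "udp.port" refer to. */
typedef struct {
    const char         *name;
    dissector_handle_t  decode_as[MAX_HANDLES]; /* offered in the Decode As list */
    int                 n_decode_as;
    struct binding      bound[MAX_BINDINGS];    /* port -> handle, used by lookup */
    int                 n_bound;
} dissector_table_t;

static dissector_table_t tables[] = { { .name = "tcp.port" }, { .name = "udp.port" } };

static dissector_table_t *find_table(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof tables / sizeof tables[0]; i++)
        if (strcmp(tables[i].name, name) == 0)
            return &tables[i];
    return NULL;
}

/* Offer the handle in Decode As for this table without binding any port.
 * Returns 1 on success, 0 if the table is unknown or full. */
int dissector_add_handle(const char *table_name, dissector_handle_t handle)
{
    dissector_table_t *t = find_table(table_name);
    if (!t || t->n_decode_as >= MAX_HANDLES)
        return 0;
    t->decode_as[t->n_decode_as++] = handle;
    return 1;
}

/* Bind a port to a handle: what a fixed-port dissector does in its handoff,
 * and what the GUI does on the user's behalf after a Decode As choice. */
int dissector_add_uint(const char *table_name, unsigned int port, dissector_handle_t handle)
{
    dissector_table_t *t = find_table(table_name);
    int i;
    if (!t)
        return 0;
    for (i = 0; i < t->n_bound; i++)            /* re-binding a port replaces */
        if (t->bound[i].port == port) { t->bound[i].handle = handle; return 1; }
    if (t->n_bound >= MAX_BINDINGS)
        return 0;
    t->bound[t->n_bound].port = port;
    t->bound[t->n_bound].handle = handle;
    t->n_bound++;
    return 1;
}

/* The user picks `handle` for `port` in Analyze->Decode As. Only handles
 * previously offered for this table via dissector_add_handle() are accepted. */
int decode_as(const char *table_name, unsigned int port, dissector_handle_t handle)
{
    dissector_table_t *t = find_table(table_name);
    int i;
    if (!t)
        return 0;
    for (i = 0; i < t->n_decode_as; i++)
        if (strcmp(t->decode_as[i], handle) == 0)
            return dissector_add_uint(table_name, port, handle);
    return 0;                                   /* never registered for this table */
}

/* What the TCP/UDP dissector does per segment: NULL means no subdissector,
 * so the payload is shown as plain Data. */
dissector_handle_t dissector_try_port(const char *table_name, unsigned int port)
{
    dissector_table_t *t = find_table(table_name);
    int i;
    if (!t)
        return NULL;
    for (i = 0; i < t->n_bound; i++)
        if (t->bound[i].port == port)
            return t->bound[i].handle;
    return NULL;
}

/* Handoff for the hypothetical protocol "myrpc": offer it in Decode As for
 * both transports, as the quoted reply describes. */
void proto_reg_handoff_myrpc(void)
{
    dissector_add_handle("tcp.port", "myrpc");
    dissector_add_handle("udp.port", "myrpc");
}

int main(void)
{
    proto_reg_handoff_myrpc();
    /* Nothing is bound yet: constructed port 5000 still decodes as Data. */
    printf("tcp/5000 before Decode As: %s\n",
           dissector_try_port("tcp.port", 5000) ? "myrpc" : "Data");
    decode_as("tcp.port", 5000, "myrpc");      /* user applies Decode As twice */
    decode_as("udp.port", 5000, "myrpc");
    printf("tcp/5000 after: %s\n", dissector_try_port("tcp.port", 5000));
    printf("udp/5000 after: %s\n", dissector_try_port("udp.port", 5000));
    /* A handle never offered for udp.port cannot be chosen there. */
    printf("udp.port accepts 'other': %d\n", decode_as("udp.port", 6000, "other"));
    return 0;
}
```

The point the model makes explicit is that dissector_add_handle() alone never causes a packet to be dissected: it only makes the handle appear in the Decode As list for that one table. A handle offered only for "tcp.port" is therefore invisible when the user selects a UDP conversation, which is the symptom of a handoff that registers with one transport only.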