Wireshark-dev: Re: [Wireshark-dev] Wiresharlk plug-in

From: Richard van der Hoff <richardv@xxxxxxxxxxxxx>
Date: Wed, 18 Jun 2008 10:54:36 +0100
Oh for goodness sake.

Spamming the list, _and_ individual developers every day is not the way to get an answer to your question. Now we're all just pissed off and less likely to answer.

If we're not answering it's because we don't know the answer, or your question isn't clear. Probably both.

And please don't send me private mail looking for answers to questions which should be asked on this list.

I suggest you go away and think about your problem and try and solve it yourself before you pester us any further.



H F wrote:
Hi!!!

I'm writing a plugin for our program's own protocol, which encapsulates a whole 'q931' package in the user-user information element (look at the end of the message, in red) (look at packet 203 from the capture I sent).

At first, I would just like to write a small program to check the right place to register my protocol, and display:

                *Q.931*

               ...

               ...

               ...

                *User-user*

                                Information element: User-user

                                Length: 15

Protocol discriminator: User-specific protocol

                                User information:

mytype protocol ( 0xFE) Texte: *B30C07498131323533357F0182*

I register my protocol with the table (q931.ie) like this:

dissector_add(dissector table name, value in that table, mytype_handle)

====>dissector_add("q931.ie", 0xFE, foo_handle);

Do you think that it's the right table?

How can I register my protocol correctly?

I think that h225 calls the Q931 dissector in packet-h323.c:
/* H.323, Annex M1, Tunnelling of signalling protocols (QSIG) in H.323 */
dissector_add_string("h225.tp", "1.3.12.9", q931_handle);

Best regards

This function is called to register my protocol:

void
proto_reg_handoff_ipnet(void)
{
      static gboolean initialized = FALSE;

      if (!initialized) {
           q931_ie_handle = find_dissector("q931.ie");

           /* create the handle before registering it, otherwise
              dissector_add() is handed an unset foo_handle */
           foo_handle = create_dissector_handle(dissect_foo, proto_foo);

           /* 0xFE is the identifier of my protocol */
           dissector_add("q931.ie", 0xFE, foo_handle);

           initialized = TRUE;
      }
}

*No. Time Source Destination Protocol Info*

203 15.094231 10.24.30.13 10.24.30.15 Q.931 CS: setup SETUP

*Frame 203 (210 bytes on wire, 210 bytes captured)*

    Arrival Time: Jun  2, 2008 17:57:50.481268000

    [Time delta from previous captured frame: 0.016456000 seconds]

    [Time delta from previous displayed frame: 15.094231000 seconds]

    [Time since reference or first frame: 15.094231000 seconds]

    Frame Number: 203

    Frame Length: 210 bytes

    Capture Length: 210 bytes

    [Frame is marked: False]

    [Protocols in frame: *eth:ip:tcp:q931:q931:h225:q931*]

    [Coloring Rule Name: TCP]

    [Coloring Rule String: tcp]

Ethernet II, Src: Ericsson_fb:c0:9c (00:01:ec:fb:c0:9c), Dst: Ericsson_52:f2:14 (00:80:37:52:f2:14)

    Destination: Ericsson_52:f2:14 (00:80:37:52:f2:14)

        Address: Ericsson_52:f2:14 (00:80:37:52:f2:14)

        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

    Source: Ericsson_fb:c0:9c (00:01:ec:fb:c0:9c)

        Address: Ericsson_fb:c0:9c (00:01:ec:fb:c0:9c)

        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

    Type: IP (0x0800)

*Internet Protocol*, Src: 10.24.30.13 (10.24.30.13), Dst: 10.24.30.15 (10.24.30.15)

    Version: 4

    Header length: 20 bytes

Differentiated Services Field: 0xb8 (DSCP 0x2e: Expedited Forwarding; ECN: 0x00)

1011 10.. = Differentiated Services Codepoint: Expedited Forwarding (0x2e)

        .... ..0. = ECN-Capable Transport (ECT): 0

        .... ...0 = ECN-CE: 0

    Total Length: 196

    Identification: 0xf0fa (61690)

    Flags: 0x00

        0... = Reserved bit: Not set

        .0.. = Don't fragment: Not set

        ..0. = More fragments: Not set

    Fragment offset: 0

    Time to live: 64

    Protocol: TCP (0x06)

    Header checksum: 0x3836 [correct]

        [Good: True]

        [Bad : False]

    Source: 10.24.30.13 (10.24.30.13)

    Destination: 10.24.30.15 (10.24.30.15)

*Transmission Control Protocol*, Src Port : mxomss (1141), Dst Port : h323hostcall (1720), Seq: 1, Ack: 1, Len: 156

    Source port: mxomss (1141)

    Destination port: h323hostcall (1720)

    Sequence number: 1    (relative sequence number)

    [Next sequence number: 157    (relative sequence number)]

    Acknowledgement number: 1    (relative ack number)

    Header length: 20 bytes

    Flags: 0x18 (PSH, ACK)

        0... .... = Congestion Window Reduced (CWR): Not set

        .0.. .... = ECN-Echo: Not set

        ..0. .... = Urgent: Not set

        ...1 .... = Acknowledgment: Set

        .... 1... = Push: Set

        .... .0.. = Reset: Not set

        .... ..0. = Syn: Not set

        .... ...0 = Fin: Not set

    Window size: 5840

    Checksum: 0xc1ad [validation disabled]

        [Good Checksum: False]

        [Bad Checksum: False]

*TPKT, Version: 3, Length: 156*

    Version: 3

    Reserved: 0

    Length: 156

*Q.931*

    Protocol discriminator: Q.931

    Call reference value length: 2

    Call reference flag: Message sent from originating side

    Call reference value: 012A

    Message type: SETUP (0x05)

    Bearer capability

        Information element: Bearer capability

        Length: 3

        1... .... = Extension indicator: last octet

        .00. .... = Coding standard: ITU-T standardized coding (0x00)

...0 1000 = Information transfer capability: Unrestricted digital information (0x08)

        1... .... = Extension indicator: last octet

        .00. .... = Transfer mode: Circuit mode (0x00)

        ...1 0000 = Information transfer rate: 64 kbit/s (0x10)

        1... .... = Extension indicator: last octet

...0 0101 = User information layer 1 protocol: Recommendation H.221 and H.242 (0x05)

    Called party number: '129'

        Information element: Called party number

        Length: 4

        .... 1001 = Numbering plan: Private numbering (0x09)

        .100 .... = Number type: Subscriber number (0x04)

        1... .... = Extension indicator: last octet

        Called party number digits: 129

    User-user

        Information element: User-user

        Length: 133

        Protocol discriminator: X.208 and X.209 coded user information

*_H.225.0 CS_*

      *H323-UserInformation*

           *h323-uu-pdu*

               *h323-message-body*: setup (0)

                setup

                    protocolIdentifier: 0.0.8.2250.0.2 (Version 2)

                    h245Address: ipAddress (0)

                        ipAddress

                            ip: 10.24.30.13 (10.24.30.13)

                            port: 2002

                    sourceInfo

                        .... ...0 mc: False

                        0... .... undefinedNode: False

                    destinationAddress: 1 item

                        Item 0

                            Item: dialedDigits (0)

                                dialedDigits: 129

                    .... 0... activeMC: False

                    conferenceID: 00000018-3e17-fb70-0008-467f00b63678

                    conferenceGoal: create (0)

                        create: NULL

                    callType: pointToPoint (0)

                        pointToPoint: NULL

                    sourceCallSignalAddress: ipAddress (0)

                        ipAddress

                            ip: 10.24.30.13 (10.24.30.13)

                            port: 1720

                    callIdentifier

                        guid: 00000018-3e17-fb70-0008-467f00b63678

                    0... .... mediaWaitForConnect: False

                    1... .... canOverlapSend: True

            0... .... h245Tunneling: False

            *tunnelledSignallingMessage*

                *tunnelledProtocolID*

                    id: tunnelledProtocolObjectID (0)

tunnelledProtocolObjectID: 1.3.12.9 (SNMPv2-SMI::org.12.9)

                *messageContent: 1 item*

                    Item 0

                        Item: 46 octets

                        *Q.931*

                            Protocol discriminator: Q.931

                            Call reference value length: 2

Call reference flag: Message sent from originating side

                            Call reference value: 0053

                            Message type: SETUP (0x05)

                            Bearer capability

                                Information element: Bearer capability

                                Length: 3

                                1... .... = Extension indicator: last octet

.00. .... = Coding standard: ITU-T standardized coding (0x00)

...0 0000 = Information transfer capability: Speech (0x00)

                                1... .... = Extension indicator: last octet

.00. .... = Transfer mode: Circuit mode (0x00)

...1 0000 = Information transfer rate: 64 kbit/s (0x10)

                                1... .... = Extension indicator: last octet

...0 0011 = User information layer 1 protocol: Recommendation G.711 A-law (0x03)

                            Channel identification

                                Information element: Channel identification

                                Length: 3

                                1... .... = Extension indicator: last octet

.0.. .... = Interface identifier present: False

..1. .... = Interface type: Primary rate interface

.... 1... = Indicated channel is exclusive: Exclusive; only the indicated channel is acceptable

                                .... .0.. = D-channel indicator: False

.... ..01 = Information channel selection: Channel indicated in following octets (0x01)

                                1... .... = Extension indicator: last octet

.00. .... = Coding standard: ITU-T standardized coding (0x00)

...0 .... = Number/map: Channel indicated by number

.... 0011 = Element type: B-channel units (0x03)

                                1... .... = Extension indicator: last octet

                                .000 0010 = Channel number: 2

Non-locking shift to codeset 5: Information elements for national use

                            Unknown information element (0x31)

                                Information element: Unknown (0x31)

                                Length: 1

                                Data: 80

                            Called party number: '129'

                                Information element: Called party number

                                Length: 4

.... 1001 = Numbering plan: Private numbering (0x09)

.100 .... = Number type: Subscriber number (0x04)

                                1... .... = Extension indicator: last octet

                                Called party number digits: 129

                            High-layer compatibility

Information element: High-layer compatibility

                                Length: 2

.00. .... = Coding standard: ITU-T standardized coding (0x00)

High layer characteristics identification: Telephony

*                            User-user*

                                Information element: User-user

                                Length: 15

Protocol discriminator: User-specific protocol

User information: *FEB30C07498131323533357F0182*


*(0xFE is identifier of own protocol)*

0000  00 80 37 52 f2 14 00 01 ec fb c0 9c 08 00 45 b8   ..7R..........E.

0010  00 c4 f0 fa 00 00 40 06 38 36 0a 18 1e 0d 0a 18   ......@.86......

0020  1e 0f 04 75 06 b8 22 40 11 02 00 48 c1 02 50 18   ...u.."@...H..P.

0030  16 d0 c1 ad 00 00 03 00 00 9c 08 02 01 2a 05 04   .............*..

0040  03 88 90 a5 70 04 c9 31 32 39 7e 00 85 05 20 d0   ....p..129~... .

0050  06 00 08 91 4a 00 02 00 0a 18 1e 0d 07 d2 00 00   ....J...........

0060  01 01 00 45 c0 00 00 00 18 3e 17 fb 70 00 08 46   ...E.....>..p..F

0070  7f 00 b6 36 78 00 cd 0c 00 00 07 00 0a 18 1e 0d   ...6x...........

0080  06 b8 11 00 00 00 00 18 3e 17 fb 70 00 08 46 7f   ........>..p..F.

0090  00 b6 36 78 01 00 01 80 10 88 01 00 35 00 03 2b   ..6x........5..+

00a0  0c 09 01 2e 08 02 00 53 05 04 03 80 90 a3 18 03   .......S........

00b0  a9 83 82 9d 31 01 80 70 04 c9 31 32 39 7d 02 91   ....1..p..129}..

00c0  81 7e 0f 00 *fe b3 0c 07 49 81 31 32 35 33 35 7f   .~......I.12535.*

*00d0  01 82      *

.

Best Regards




_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-dev


--
Richard van der Hoff <richardv@xxxxxxxxxxxxx>
Project Manager
Tel: +44 (0) 845 666 7778
http://www.mxtelecom.com
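
Added example, not part of the original thread and not Wireshark code: a stand-alone C walk over the tunnelled Q.931 message of frame 203 that bounds-checks every information element and returns the user information of the user-specific User-user IE, where the poster's 0xFE identifier sits. The names find_user_user and frame203_q931 are hypothetical; the bytes are the 46 tunnelled octets copied from the hex dump in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: the 46 tunnelled Q.931 octets of frame 203 from the post. */
static const uint8_t frame203_q931[46] = {
    0x08,0x02,0x00,0x53,0x05,0x04,0x03,0x80,0x90,0xa3,0x18,0x03,0xa9,0x83,0x82,0x9d,
    0x31,0x01,0x80,0x70,0x04,0xc9,0x31,0x32,0x39,0x7d,0x02,0x91,0x81,0x7e,0x0f,0x00,
    0xfe,0xb3,0x0c,0x07,0x49,0x81,0x31,0x32,0x35,0x33,0x35,0x7f,0x01,0x82
};

/* Hypothetical helper: walk the IEs of one Q.931 message and return the user
 * information of a codeset-0 User-user IE (0x7e) whose protocol discriminator
 * is 0x00 (user-specific). 0 = found, 1 = not present, -1 = malformed. */
int find_user_user(const uint8_t *m, size_t len, const uint8_t **info, size_t *info_len)
{
    if (len < 2 || m[0] != 0x08) return -1;       /* Q.931 protocol discriminator */
    size_t crl = m[1] & 0x0f;                     /* call reference length */
    if (len < 2 + crl + 1) return -1;             /* header incl. message type */
    size_t off = 2 + crl + 1;
    unsigned locked = 0, codeset = 0;
    while (off < len) {
        uint8_t id = m[off++];
        if (id & 0x80) {                          /* single-octet IE */
            unsigned shift = (id & 0xf0) == 0x90; /* bit 4 set = non-locking */
            codeset = shift ? (id & 0x07u) : locked;
            if (shift && !(id & 0x08)) locked = codeset;
            continue;
        }
        if (off >= len) return -1;                /* length octet missing */
        size_t ie_len = m[off++];
        if (ie_len > len - off) return -1;        /* IE would overrun the buffer */
        if (codeset == 0 && id == 0x7e && ie_len >= 1 && m[off] == 0x00) {
            *info = m + off + 1; *info_len = ie_len - 1;
            return 0;
        }
        off += ie_len;
        codeset = locked;                         /* a non-locking shift covers one IE */
    }
    return 1;
}

int main(void)
{
    const uint8_t *ui; size_t n;
    if (find_user_user(frame203_q931, sizeof frame203_q931, &ui, &n) == 0 && n && ui[0] == 0xfe)
        printf("mytype payload: %zu octets after the 0xFE identifier\n", n - 1);
    return 0;
}
```

The length checks matter because a dissector for this payload is handed bytes straight off the wire, and a User-user length octet larger than the remaining buffer must be rejected rather than read.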