Wireshark-dev: Re: [Wireshark-dev] heuristic Dissector for Dummies
> For example, which lines of code do I need to explain wireshark to
> check these 4 conditions:

Tom,

How about something like this:

static gboolean
dissect_PROTOABBREV(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    ...
    /* The checks below read offsets 0..4; make sure they are there,
       otherwise tvb_get_* throws a bounds exception on a short packet
       instead of simply declining it. */
    if ( tvb_length(tvb) < 5 ) return (FALSE);

    /* 1) first byte must be 0x42 */
    if ( tvb_get_guint8(tvb, 0) != 0x42 ) return (FALSE);

    /* 2) second byte must be in the range 0x20..0x33 */
    if ( tvb_get_guint8(tvb, 1) < 0x20 || tvb_get_guint8(tvb, 1) > 0x33 ) return (FALSE);

    /* 3) third byte is a flag field, where the lower 4 bits always contain the value 0 */
    if ( tvb_get_guint8(tvb, 2) & 0x0f ) return (FALSE);

    /* 4) 16-bit big-endian field at offset 3 must not exceed 10000 */
    if ( tvb_get_ntohs(tvb, 3) > 10000 ) return (FALSE);

    /* Assume it's your packet and do dissection */
    return (TRUE);
}
And don’t forget to register as a heuristic dissector, at least in the case of udp and tcp. For ip, you can’t simply register as a heuristic dissector though. For one thing, the ip header contains a protocol field, which determines the next dissector to be called. So, if you have a protocol with a unique IP protocol ID, then you can register with that ID as I’ve shown below. If that’s the case, then you should probably also change dissect_PROTOABBREV to return int instead of gboolean since the dissector will be a dual heuristic/normal dissector. If heuristics fail, still return 0, but if heuristics succeed, then return the number of bytes dissected by your protocol rather than simply returning TRUE.
void
proto_reg_handoff_PROTOABBREV(void)
{
    static gboolean PROTOABBREV_inited = FALSE;
    dissector_handle_t PROTOABBREV_handle;

    if ( !PROTOABBREV_inited ) {
        /* heuristic registration: tried on udp/tcp payloads */
        heur_dissector_add("udp", dissect_PROTOABBREV, proto_PROTOABBREV);
        heur_dissector_add("tcp", dissect_PROTOABBREV, proto_PROTOABBREV);

        /* normal registration on the protocol's own IP protocol ID */
        PROTOABBREV_handle = new_create_dissector_handle(dissect_PROTOABBREV, proto_PROTOABBREV);
        dissector_add("ip.proto", IP_PROTO_PROTOABBREV, PROTOABBREV_handle);

        PROTOABBREV_inited = TRUE;
    }
}
Good luck. - Chris
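A stand-alone C version of the same four checks, added here as an example (it is neither Chris's code nor Wireshark code): Wireshark's tvb accessors are replaced by direct indexing into a byte buffer with an explicit length, so a truncated packet declines cleanly instead of tripping the tvb bounds exception, and a few constructed payloads (not real captures) are run through it. The byte values and limits are the ones from the thread; the function and sample names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PROTO_MIN_LEN 5   /* bytes the four checks read: offsets 0..4 */

/* Same four checks as the tvb version, on a plain byte buffer.
 * Returns 1 = "looks like our protocol", 0 = decline.  Taking the
 * length explicitly lets a truncated packet decline cleanly instead
 * of reading past the end (the tvb equivalent throws an exception). */
int proto_heuristic_matches(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < PROTO_MIN_LEN) return 0;   /* too short */
    if (buf[0] != 0x42) return 0;                       /* 1) magic byte */
    if (buf[1] < 0x20 || buf[1] > 0x33) return 0;       /* 2) version in 0x20..0x33 */
    if (buf[2] & 0x0f) return 0;                        /* 3) low flag nibble must be 0 */
    uint16_t len_field = (uint16_t)((buf[3] << 8) | buf[4]);  /* big-endian, as tvb_get_ntohs */
    if (len_field > 10000) return 0;                    /* 4) length sanity */
    return 1;
}

/* Constructed sample payloads (not real captures), with the expected verdict. */
struct sample { const char *label; uint8_t bytes[5]; size_t len; int expect; };
static const struct sample samples[] = {
    { "valid",         {0x42, 0x21, 0xa0, 0x00, 0x40}, 5, 1 },
    { "truncated",     {0x42, 0x21, 0xa0, 0x00, 0x40}, 2, 0 }, /* only 2 bytes captured */
    { "bad magic",     {0x41, 0x21, 0xa0, 0x00, 0x40}, 5, 0 },
    { "version 0x34",  {0x42, 0x34, 0xa0, 0x00, 0x40}, 5, 0 },
    { "flag low bits", {0x42, 0x21, 0xa1, 0x00, 0x40}, 5, 0 },
    { "length 10001",  {0x42, 0x21, 0xa0, 0x27, 0x11}, 5, 0 },
    { "length 10000",  {0x42, 0x21, 0xa0, 0x27, 0x10}, 5, 1 },
};

/* Runs every sample through the heuristic; returns how many verdicts
 * differed from the expectation (0 means the checks behave as intended). */
int proto_heuristic_selftest(void)
{
    int failures = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int got = proto_heuristic_matches(samples[i].bytes, samples[i].len);
        printf("%-14s -> %s\n", samples[i].label, got ? "accept" : "decline");
        if (got != samples[i].expect) failures++;
    }
    return failures;
}

int main(void) { return proto_heuristic_selftest() ? 1 : 0; }
```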
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Tom Stevens

Thank you very much for your great explanation. Something I had known before, but thanks anyway.

[snip]

CONFIDENTIALITY NOTICE: The contents of this email are confidential and for the exclusive use of the intended recipient. If you receive this email in error, please delete it from your system immediately and notify us either by email, telephone or fax. You should not copy, forward, or otherwise disclose the content of the email.