Hi all,
I'm new to Wireshark dissector development and am looking for some
general tips and pointers to helpful docs or example code for a protocol
dissector I'm writing.
The (application-layer) protocol I want to dissect does not describe a
single, pre-defined port for communication but has a telltale handshake
procedure that can be used to determine the beginning of that protocol's
communication. It is my understanding that under these circumstances, I
would need to write a heuristic dissector in order to examine all
incoming packets for this handshake.
What I want to know is how to verify a multi-message handshake and keep
track of the protocol's "connection" once the handshake has been
completed. I know that Wireshark can group collected packets into
conversations based on criteria, but I'm at a loss for how to go about
using conversations in my dissector: how to create conversations, how
dissectors sequentially read packets from a conversation while
maintaining persistent data about the conversation, etc. Can someone
help me out in this regard?
Thanks in advance,
Qifan Xi
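As an added example (not from this thread, and not Wireshark's own code), here is a Lua heuristic dissector for a hypothetical protocol "XHS" whose client sends "XHS-HELLO\n" and whose server answers "XHS-OK\n"; it claims a TCP stream only once both handshake messages have been seen and then keeps per-conversation state for the rest of the stream. The Lua API has no direct conversation object, so the example keys its state on the tcp.stream field and uses pinfo.visited to tell the sequential first pass (where the handshake state machine advances) from later re-dissection, where frames arrive in any order.

```lua
-- Added example, not from the original thread: heuristic dissector for a
-- hypothetical protocol "XHS" that is recognised by a two-message handshake.
local xhs = Proto("xhs", "XHS (hypothetical handshake protocol)")
local f_stage   = ProtoField.string("xhs.stage", "Handshake stage")
local f_payload = ProtoField.bytes("xhs.payload", "Payload")
xhs.fields = { f_stage, f_payload }
local tcp_stream_f = Field.new("tcp.stream")  -- TCP conversation number
local conv_state = {}   -- per-conversation state, keyed by tcp.stream value
local HELLO, OK = "XHS-HELLO\n", "XHS-OK\n"
local function starts_with(tvb, s)
  return tvb:len() >= #s and tvb:raw(0, #s) == s
end

function xhs.dissector(tvb, pinfo, tree)
  local stream = tcp_stream_f()
  if not stream then return false end         -- not carried over TCP
  local st = conv_state[stream.value]
  if not pinfo.visited then
    -- First pass: frames arrive in capture order, so the handshake state
    -- machine can advance one message at a time.
    if not st then
      if not starts_with(tvb, HELLO) then return false end
      st = { hello_frame = pinfo.number, client_port = pinfo.src_port }
      conv_state[stream.value] = st
    elseif not st.ok_frame then
      -- The reply must come from the other side and be the expected OK.
      if pinfo.src_port == st.client_port or not starts_with(tvb, OK) then
        conv_state[stream.value] = nil        -- handshake broke off: not XHS
        return false
      end
      st.ok_frame = pinfo.number
      -- Handshake verified: bind the TCP conversation to XHS so later frames
      -- of this stream reach us directly, without going through the heuristic.
      pinfo.conversation = xhs
    end
  elseif not st or not st.ok_frame then
    return false                              -- re-dissection of non-XHS data
  end
  -- Classify by recorded frame numbers only, so later passes (frames in any
  -- order) give the same result as the first.
  local stage = "data"
  if pinfo.number == st.hello_frame then stage = "client hello"
  elseif pinfo.number == st.ok_frame then stage = "server ok" end
  pinfo.cols.protocol = "XHS"
  pinfo.cols.info = "XHS " .. stage
  local sub = tree:add(xhs, tvb())
  sub:add(f_stage, stage)
  if stage == "data" then sub:add(f_payload, tvb()) end
  return true
end
xhs:register_heuristic("tcp", xhs.dissector)
```

In a C dissector the same roles are filled by find_or_create_conversation() plus conversation_add_proto_data()/conversation_get_proto_data() for the per-conversation state and conversation_set_dissector() to bind the stream, with the heuristic registered through heur_dissector_add(). As in the Lua version, the handshake state machine must only advance on the first pass (pinfo->fd->visited == 0), and per-frame results must be recorded there so re-dissection out of order gives the same answer.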