Wireshark-dev: Re: [Wireshark-dev] Adding a protocol under ONC-RPC

From: Andrew Kleinerman <verixnbi@xxxxxxxxx>
Date: Thu, 23 Apr 2009 13:59:50 -0700
Thank you very much!  I appreciate the advice/clarifications, I'll dig
into packet-rwall :-)

Andrew

On Thu, Apr 23, 2009 at 1:47 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
> On Apr 23, 2009, at 1:24 PM, Andrew Kleinerman wrote:
>
>> My current project is integrating a small protocol into Wireshark for
>> analysis and I feel a little out of my depth.  The protocol is sent
>> over TCP on a non-standard port and uses the Sun XDR RPC.
>
> Do you mean "use XDR" or "use RPC"?
>
> If you're just using XDR, take a look at the NDMP dissector (epan/
> dissectors/packet-ndmp.c); that's an example of a protocol using XDR
> *without* being based on ONC RPC.
>
> If you use RPC...
>
>>  I went
>> through the step-by-step guide of creating a basic dissector, and
>> Wireshark will recognize it as the new protocol.  However, my problem
>> is that I cannot call dissect_rpc or dissect_rpc_tcp from my dissector
>> (I'm assuming for some good reason) to dissect the RPC.
>
> ...then, in Soviet Wireshark, RPC dissector calls YOU!  (Sorry, I
> couldn't resist. :-))
>
> I.e., if your dissector uses ONC RPC, when your dissector registers
> its program number (with rpc_init_prog()) and its handlers for its
> procedures (with rpc_init_proc_table()), that tells the RPC dissector
> how to recognize your protocol; it will call the handlers for your
> procedures when it recognizes a call to or reply from one of them.
>
> See, for example, epan/dissectors/packet-rwall.c.
>
>> So I'm
>> guessing I have to make the RPC dissector properly see it on a
>> different port (is that right?).
>
> No.  The RPC dissector will handle that for you - it doesn't care what
> port the traffic uses, as the only ONC RPC-based protocol that
> *requires* a particular port number is the portmapper/rpcbind protocol
> (because it's the protocol that's used to find the particular port
> number/transport-layer address, on a particular server, that a
> particular RPC program uses).
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>