Wireshark-dev: [Wireshark-dev] Remote Desktop Protocol Dissector

From: Marc-André Moreau <marcandre.moreau@xxxxxxxxx>
Date: Tue, 23 Mar 2010 20:01:50 -0400

Hi Wireshark developers,

I am a developer for FreeRDP, a free remote desktop protocol client. I started writing a dissector for the RDP protocol as there is currently none and such a tool would be immensely useful for the development of my program.

There's something I have a problem with: RDP is made out of multiple protocols, with some of them already being implemented in Wireshark. One of them is T.125 (MCS). I tried using find_dissector("t125") and then calling it on the RDP payload, and it works to some extent. The problem with that is that I need 1) a way to know if dissection has been successful with the T.125 dissector and 2) a way to dissect the "userData" field if it is present, after the T.125 dissector has been called, as it contains a payload defined in the RDP protocol. How should I get the offset of this userData field dissected by the MCS dissector, so that I can dissect it?

I find that most of the Wireshark API is useful when you are "forward" dissecting, but not when you want to interpret the results from a previous dissection, unless I am mistaken. Any help is appreciated, thanks.