Wireshark-dev: Re: [Wireshark-dev] Dissecting a Protocol with multiple static TCP ports

From: Craig Bumpstead <cbumpste@xxxxxxxxxxxx>
Date: Mon, 26 Apr 2010 22:15:01 -0700 (PDT)

Chris,

So you're saying to reassemble the packet then run the dissector again?
Is there a way that I can just specify the TCP Port range with just 2 port numbers?

Regards,
Craig



----- Original Message ----
From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Sent: Tue, 27 April, 2010 12:02:02 PM
Subject: Re: [Wireshark-dev] Dissecting a Protocol with multiple static TCP ports

Craig,

You probably need to take a look at tcp_dissect_pdus().  If you're lucky, it'll help you reassemble your TCP stream; if not, you might need to write your own TCP reassembly routines.  There are many dissectors that make use of it for reassembly and it's documented in section 2.7.1 of README.developer, so hopefully you find plenty of help and examples about it.  Assuming that's what you need of course.

- Chris
________________________________________
From: wireshark-dev-bounces@xxxxxxxxxxxxx [wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Craig Bumpstead [cbumpste@xxxxxxxxxxxx]
Sent: Monday, April 26, 2010 9:38 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Dissecting a Protocol with multiple static TCP ports

Bill,

The packets that are not decoded are decoded as TCP packets. So I don't understand why it only decodes the first one. I must be making a mistake in the code.

Regards,
Craig




----- Original Message ----
From: Bill Meier <wmeier@xxxxxxxxxxx>
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Sent: Tue, 27 April, 2010 11:10:14 AM
Subject: Re: [Wireshark-dev] Dissecting a Protocol with multiple static TCP ports

Craig Bumpstead wrote:
> Bill,
>
> Thanks for the quick response. That setting is off.
> The first and second packets are TCP port 4435 and 21016 which it decodes.
> However from that point on it doesn't decode packets with
> TCP port 4435.
>
> I loathe posting my code, but obviously I am making a mistake somewhere.
>

I don't see anything obviously wrong with the code.

A question: What is actually shown in Wireshark for the packets not
decoded?

Are they decoded as TCP? As some other protocol?



___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe



