This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dissecting packets with a protocol running atop UDP

0

Wireshark semi-noob here.

I have two devices that talk to each other over 802.11, and I need to reverse engineer the protocol (we are emulating one of the devices, and don't have full docs).

The protocol is more or less ASCII strings over UDP over wireless, i.e., text strings, SQL queries, etc.

I am able to sniff packets that I know are part of the dialog between client and server. I can search captured packets for known strings and see them; I can search for hex values of IP addresses and find them.

I cannot (but would like to):

  • Filter by IP address
  • Filter by port number
  • Filter out data payload from header, etc.

Does wireshark even have a way to make this easy?

And (should be simple): How to log raw binary packet captures?

Thanks lots

Eric

asked 22 Apr '13, 08:28

EricFowler
accept rate: 0%

edited 22 Apr '13, 18:09

Guy Harris ♦♦


2 Answers:

0

Does wireshark even have a way to make this easy?

There are several ways. Some are easier than others.

  • Write your own dissector in C (rather hard)
  • Write your own dissector in Lua (easier than in C)
  • Use the generic dissector: http://wsgd.free.fr/ (rather simple)

I'm not sure if the generic dissector will solve all your problems/requirements, but it is for sure easy to start with.

And (should be simple): How to log raw binary packet captures?

What do you mean by that?

Regards
Kurt

answered 22 Apr '13, 12:46

Kurt Knochner ♦
accept rate: 15%

edited 22 Apr '13, 13:33

0

I cannot (but would like to):

  • Filter by IP address
  • Filter by port number
  • Filter out data payload from header, etc.

What do you mean by "filter"?

"Filter by IP address" and "Filter by port number" sound as if they mean either "capture only packets to/from/both a particular IP address/port number" or "in a capture I have, show me only the packets to/from/both a particular IP address/port number". Both of those should be possible with Wireshark, e.g. a capture filter of host XXX.XXX.XXX.XXX to capture traffic to or from IP address XXX.XXX.XXX.XXX or udp port YYY to capture traffic to or from UDP port YYY, or a display filter of ip.addr == XXX.XXX.XXX.XXX to show traffic to or from IP address XXX.XXX.XXX.XXX or udp.port == YYY to show traffic to or from UDP port YYY.

You can also search for packets to or from a particular IP address or UDP port - "Find packet by display filter", in the "Find Packet" dialog, lets you search for packets that match an arbitrary display filter, such as ip.addr == XXX.XXX.XXX.XXX or udp.port == YYY, just as that dialog lets you search by strings and hex data.

"Filter out data payload from header" is a completely different type of filtering; Wireshark shows complete packets, so there's no way to do that. What you can do, however, is, in the packet detail pane, not open up anything other than the bottommost tree item, which, for the packets you're interested in, will probably just be "Data", below "UDP", unless some other dissector happens to claim those packets.

You could also, as Kurt suggests, write your own dissector for that protocol.

answered 22 Apr '13, 19:17

Guy Harris ♦♦
accept rate: 19%
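As an added illustration of both answers above (it is not code from either poster or from the Wireshark project), here is a small Lua dissector of the kind Kurt suggests, written for the ASCII-strings-over-UDP protocol in the question. The protocol name "asciiudp", its field names and the UDP port 5555 are placeholders; the real port comes from the capture. Once loaded, the UDP payload appears as its own subtree under UDP, separate from the headers, and the fields it registers can be combined with the ip.addr and udp.port display filters Guy describes.

```lua
-- Example Lua dissector for an ASCII-over-UDP protocol (added illustration;
-- the protocol name "asciiudp" and UDP port 5555 are placeholders, not values
-- from the thread). Load it with:  wireshark -X lua_script:asciiudp.lua
-- or place it in the personal plugins folder (Help > About Wireshark > Folders).

local asciiudp = Proto("asciiudp", "ASCII over UDP (example)")

-- Fields exposed to the display filter engine, e.g.  asciiudp.text contains "SELECT"
local f_length = ProtoField.uint32("asciiudp.length", "Payload length", base.DEC)
local f_text   = ProtoField.string("asciiudp.text", "Text")
local f_is_sql = ProtoField.bool("asciiudp.is_sql", "Looks like SQL")
asciiudp.fields = { f_length, f_text, f_is_sql }

-- Crude check for the SQL-looking strings the question mentions: the first word
-- of the payload is one of the usual SQL verbs. Lua patterns have no alternation,
-- so the first word is compared against a small table instead.
local SQL_VERBS = { SELECT = true, INSERT = true, UPDATE = true, DELETE = true }

local function looks_like_sql(text)
    local first_word = text:match("^%s*(%a+)")
    return first_word ~= nil and SQL_VERBS[first_word:upper()] == true
end

function asciiudp.dissector(tvb, pinfo, tree)
    local len = tvb:len()
    if len == 0 then
        return 0   -- nothing to dissect; Wireshark falls back to the generic "Data" item
    end

    pinfo.cols.protocol = "ASCIIUDP"

    -- One subtree under UDP holding the whole payload, so the header/payload
    -- split the question asks about is visible in the packet detail pane.
    local subtree = tree:add(asciiudp, tvb(), "ASCII over UDP payload")
    subtree:add(f_length, len)
    subtree:add(f_text, tvb(0, len))

    local text = tvb(0, len):string()
    subtree:add(f_is_sql, looks_like_sql(text))

    -- Show the start of the string in the Info column, with control characters
    -- replaced, so the conversation can be scanned in the packet list.
    pinfo.cols.info = (text:sub(1, 60):gsub("%c", "."))

    return len
end

-- Bind the dissector to the UDP port the devices use (placeholder 5555).
-- "Decode As..." on a packet achieves the same without editing the script.
DissectorTable.get("udp.port"):add(5555, asciiudp)
```

With the script loaded, a display filter such as ip.addr == XXX.XXX.XXX.XXX && udp.port == 5555 && asciiudp.is_sql == 1 narrows a capture to the SQL-looking messages between the two devices, and asciiudp.text contains "some string" does the string search from the question inside the decoded payload rather than over the raw bytes. Registering on udp.port keeps the dissector from claiming unrelated traffic; a heuristic dissector would be the next step if the port changes between sessions.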