Using Dissectors and Subdissectors

0

Hi all,

I have to write a Protcol-Analyzer, basing on TCP. The first Level is a company-specific Protocol which encapsulates several other company-specific protocols.

The first Level I have already implemented and it works. That means. The Data from TCP (lets call it Proto_One) I can analyze and make them viewable in the Tree. But next Step is to make the Data from (lets call it Proto_Two and Proto_Three) available for next dissector. Here is my Code which is not completely working:

File: packet-proton.c

void proto_reg_handoff_protone(void)
{
    dissector_handle_t protone_handle;

    protone_handle = find_dissector("protone");
    dissector_add_uint("tcp.port", global_protone_port, protone_handle);

    data_handle = find_dissector("data");
}



File: packet-prottwo.c

void proto_reg_handoff_prottwo(void)
{
    dissector_handle_t prottwo_handle;

    prottwo_handle = find_dissector("protone");
    dissector_add("protone.protid", 4710, prottwo_handle);

    data_handle = find_dissector("data");
}



When I startup the WireShark on my Windows XP, I get the Error:
Runtime Error!
Program: C:\Programme\System\Wireshark\Wireshark.exe
This application has requestes the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

Best Regards
tjmaker



By the Way: I was trying to make the System debugable with my MSVS 2008 but it didn't get it work.

asked 25 Oct '11, 07:57

tjamaker's gravatar image

tjamaker
1113
accept rate: 0%

edited 26 Feb '12, 21:30

cmaynard's gravatar image

cmaynard ♦
3.2k51656
2 Answers:
oldestnewestmost voted
2

You'll have to create a sub dissector table in proto_register_protone(), like so:

register_dissector_table("protone.protid", ....

link

answered 25 Oct '11, 09:34

Jaap's gravatar image

Jaap ♦
6.0k568
accept rate: 11%

Thanks for the answer. No I got WireShark started. But the dissection still doesn't work.

I made these changes in packet-proton.c:

void proto_register_protone (void)
{
    ...

    static hf_register_info hf[] =
    {
        ...

        { &hf_protone_protId,
              { "Protocol Identifier", "protone.protId", 
                    FT_UINT16, BASE_HEX, VALS(protocolIdTypeNames), 
                    0x0, "Protocol Identifier", HFILL } },

        ...
    };

    /* subdissector code */
    subdissector_table = register_dissector_table("protone.protid",
        "Protocol Identifier", FT_UINT16, BASE_HEX);
    register_heur_dissector_list("protone", &heur_subdissector_list);

    ...
}

Do I really need the line with register_heur_dissector_list?


And these changes I made in packet-prottwo.c:

void proto_reg_handoff_prottwo(void)
{
    dissector_handle_t prottwo_handle;

    prottwo_handle = find_dissector("protone");
    dissector_add("protone.protid", 0x1266, prottwo_handle);

    data_handle = find_dissector("data");
}


Is there something else, I have to configure?
Is it working with 0x1266 or do I have to use 4710?

Best Regards
tjamaker

(25 Oct '11, 22:45) tjamaker

Do I really need the line with register_heur_dissector_list? Answer: No

prottwo_handle = find_dissector("protone"); should be find_dissector("prottwo");

(26 Oct '11, 04:47) Jaap ♦
0

OK, now I got the MSVC++ 2088 EE running to be able to debug the code. And now I can detect, that in my dissect_protone the call_dissector is called but it never appears in dissect_prottwo.

static void dissect_wagosp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    ...

    if (length_remaining != 0) 
    {
        tvbuff_t *next_tvb;
        next_tvb = tvb_new_subset_remaining(tvb, offset);

        call_dissector(data_handle, next_tvb, pinfo, tree);
    }

    ...

}
link

answered 26 Oct '11, 02:40

tjamaker's gravatar image

tjamaker
1113
accept rate: 0%

This won't call your prottwo dissector. Use:

dissector_try_uint(subdissector_table, protid, next_tvb, pinfo, tree));

if protid == 0x1266 then it will be called.

(26 Oct '11, 04:49) Jaap ♦

THX, now it works !!!

(26 Oct '11, 04:55) tjamaker
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×469
×213
×9

Asked: 25 Oct '11, 07:57

Seen: 1,197 times

Last updated: 26 Feb '12, 21:30

Related questions

how to create sub dissectors

Wireshark built in dissector needs to be changed to a plugin??

dissector for core to core messages, ie shared memory messages

can we have both built in dissector and a plugin for the same protocol in wireshark?

dissector frame buffer is not getting refreshed

while building a dissector, Is it possible to declare an error on the upper box?

can i have two separate builds of wireshark running on my ubuntu?

problem with dissector_add function..

building rpm

Making a dissector that filters packets

about | faq | privacy | support | contact

powered by OSQA