This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dissector for PORT 80

0

I need a dissector for TCP port 80 where the first data byte is hex 03. Only then. If it is not hex 03, the normal dissector should run.

I use Wireshark Version 1.6.5

Thanks Ralf

asked 25 Mar '12, 23:33


Ralf Kruppa
1111
accept rate: 0%

retagged 26 Mar '12, 05:37


bstn
3751415


One Answer:

1

Create your dissector as a heuristic dissector and check the TCP preference "Try heuristic sub-dissectors first".

answered 26 Mar '12, 04:17


Jaap ♦
11.7k16101
accept rate: 14%

I use a Lua file, and at the moment I use this:


    -- Assignment of the TCP table
    http_table = DissectorTable.get("http.port")
    -- Assignment of the ports to monitor
    http_table:add(0080,MY_proto)


So I get all packets of port 80. I need only the packets where the first byte of the TCP data is hex 03.

Thanks Ralf

(26 Mar '12, 04:24) Ralf Kruppa

So your dissector should check the first byte it is given, and if it is 0x03, process the data. If it isn't, then return FALSE, indicating that your dissector didn't handle the message.

See README.heuristic in the doc subdirectory of the source tree for all the essential details.

(26 Mar '12, 09:38) grahamb ♦
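
An added example, not part of the original thread: a Lua heuristic dissector that follows the approach described in the answer and comments above. It assumes Wireshark 1.12 or later (registering heuristic dissectors from Lua is not available in 1.6.5); the protocol name `myproto`, its field names and the payload layout are hypothetical.

```lua
-- Added example (not from the original thread). Assumes Wireshark 1.12 or
-- later, where Lua plugins can register heuristic dissectors.
-- "myproto", its field names and the payload layout are hypothetical.
local my_proto = Proto("myproto", "My Protocol (example)")

local f_marker  = ProtoField.uint8("myproto.marker", "Marker", base.HEX)
local f_payload = ProtoField.bytes("myproto.payload", "Payload")
my_proto.fields = { f_marker, f_payload }

local MARKER = 0x03   -- first payload byte named in the question
local PORT   = 80     -- TCP port named in the question

-- Full dissection; only reached once the heuristic has accepted the segment.
local function dissect(tvb, pinfo, tree)
    pinfo.cols.protocol = "MYPROTO"
    local subtree = tree:add(my_proto, tvb(), "My Protocol")
    subtree:add(f_marker, tvb(0, 1))
    if tvb:len() > 1 then
        subtree:add(f_payload, tvb(1))
    end
    return tvb:len()
end

-- Heuristic: return false for anything that is not ours, so that the next
-- dissector in line (HTTP on port 80) gets the segment instead.
local function heuristic(tvb, pinfo, tree)
    -- Nothing to test if no payload byte was captured.
    if tvb:len() < 1 then return false end
    -- Restrict the check to traffic to or from port 80.
    if pinfo.src_port ~= PORT and pinfo.dst_port ~= PORT then return false end
    -- The first TCP payload byte decides.
    if tvb(0, 1):uint() ~= MARKER then return false end
    dissect(tvb, pinfo, tree)
    return true
end

my_proto:register_heuristic("tcp", heuristic)
```

With the TCP preference "Try heuristic sub-dissectors first" enabled, this function sees port 80 segments before the HTTP dissector does. A one-byte test is a weak heuristic: a later segment of a binary HTTP body that happens to start with 0x03 will also match, so add further checks on the protocol's own header fields where it has them.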