Am I getting it right that I need to write this socks_udp_dissector myself and there is no available implementation?
No, there is an implementation. What is supposed to happen is when the Socks5 over TCP packets in frames 12 and 14 are decoded, they set up a conversation instructing Wireshark to use the socks_udp_dissector (which exists and works) to handle UDP datagrams from the indicated host and port. That isn't quite working, because it's not using the correct port. (The Socks messages indicate that the UDP will be on a different host and port, but it's using the existing host. Also it's not handling the wildcarded port (0) correctly.)
If that worked, then the socks_udp_dissector would dissect the packets and try to hand them off as though they came in from the forwarded port indicated in the Socks header, 443. That is the part that you would have to write if you wanted a dissector - right now it would be handed to the data dissector because it's just a string you put there.
You can't just assign port 5000 on UDP to the socks UDP dissector, because it depends on the conversation being set up from the standard socks over TCP dissector.
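
The two SOCKS5 messages discussed above, as an added example that is not part of the original answer and is not Wireshark's dissector code: a stand-alone C parser for the UDP ASSOCIATE reply sent over TCP (which names the relay host and port the UDP conversation has to be keyed on) and for the header carried in each relayed UDP datagram (which names the forwarded destination, port 443 in this capture). Field layouts follow RFC 1928; the struct and function names are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical names for this example; not Wireshark's API. */
struct socks_endpoint {
    uint8_t  atyp;       /* 1 = IPv4, 3 = domain name, 4 = IPv6 */
    uint8_t  addr[256];  /* raw address bytes (NUL-terminated for a name) */
    size_t   addr_len;
    uint16_t port;       /* host byte order; 0 is the wildcard port */
};

/* Constructed samples: reply naming relay 192.0.2.10:5000, datagram for 198.51.100.7:443. */
static const uint8_t sample_reply[] = {5, 0, 0, 1, 192, 0, 2, 10, 0x13, 0x88};
static const uint8_t sample_dgram[] = {0, 0, 0, 1, 198, 51, 100, 7, 0x01, 0xBB, 'h', 'i'};

/* Parse ATYP | ADDR | PORT. Returns bytes consumed, or 0 if malformed or truncated. */
static size_t parse_endpoint(const uint8_t *buf, size_t len, struct socks_endpoint *ep)
{
    size_t off = 1, alen;
    if (len < 2) return 0;
    ep->atyp = buf[0];
    switch (ep->atyp) {
    case 1: alen = 4; break;
    case 4: alen = 16; break;
    case 3: alen = buf[1]; off = 2; break;  /* one length byte, then the name */
    default: return 0;
    }
    if (len < off + alen + 2) return 0;     /* address plus 2-byte port must fit */
    memcpy(ep->addr, buf + off, alen);
    ep->addr[alen] = '\0';
    ep->addr_len = alen;
    ep->port = (uint16_t)((buf[off + alen] << 8) | buf[off + alen + 1]);
    return off + alen + 2;
}

/* TCP reply to UDP ASSOCIATE: VER REP RSV ATYP BND.ADDR BND.PORT. Returns 1 on success. */
int parse_udp_associate_reply(const uint8_t *buf, size_t len, struct socks_endpoint *relay)
{
    if (len < 4 || buf[0] != 5 || buf[1] != 0) return 0;  /* SOCKS5, REP = succeeded */
    return parse_endpoint(buf + 3, len - 3, relay) != 0;
}

/* UDP datagram: RSV(2) FRAG ATYP DST.ADDR DST.PORT DATA. Returns payload offset, or 0. */
size_t parse_udp_header(const uint8_t *buf, size_t len, struct socks_endpoint *dst, uint8_t *frag)
{
    size_t n = (len >= 4 && buf[0] == 0 && buf[1] == 0) ? parse_endpoint(buf + 3, len - 3, dst) : 0;
    if (n) *frag = buf[2];
    return n ? 3 + n : 0;
}
```

The relay endpoint from the reply is what a UDP conversation would be matched against; the destination port from the datagram header is what a sub-dissector hand-off would be keyed on.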