How to register a packet dissector for packets whose port are not pre-defined?

asked 2019-09-18 15:19:15 +0000

DarshanL

Hi Team,

My protocol has two phases: 1. Control phase, 2. Measurement phase.

The responder node would by default open a port at number ABC.

[x]----------------->[ABC]

[x]<-----------------[ABC]

During the control phase, the initiator asks the responder node to open a port at number "Y".

[x]------------------>[Y]

[x]<------------------[Y]

Now I need to write a packet dissector to dissect this kind of packet. What I know is that we can register a packet dissector in the Wireshark framework against a particular port number. So when Wireshark finds a packet, it looks for the dissector which has registered for that port number and calls that dissector to dissect that packet.

So now if I register my dissector at port number ABC, then it can dissect control packets. However, my measurement phase packets won't be associated with port number ABC, so my dissector won't be triggered to handle those packets.

So how can I register my dissector to dissect both kinds of packets?

Thanks and regards, Darshan L.


2 Answers


answered 2019-09-21 18:40:28 +0000

BMWE

You can use multiple ports for the dissector so that both ports (ABC and Y) would be registered.

Taking from the example (p_multi is the Proto object defined earlier in that example):

-- Look up the dissector tables we want to register in.
local wtap_encap_table = DissectorTable.get("wtap_encap")
local udp_encap_table = DissectorTable.get("udp.port")

-- Register the same dissector for several link-layer encapsulation types ...
wtap_encap_table:add(wtap.USER15, p_multi)
wtap_encap_table:add(wtap.USER12, p_multi)
-- ... and for several UDP port numbers; each add() binds the dissector to one more port.
udp_encap_table:add(7555, p_multi)
udp_encap_table:add(7666, p_multi)
udp_encap_table:add(7777, p_multi)

answered 2019-09-18 16:29:45 +0000

Jaap

This is not an uncommon scenario. Protocols like FTP and VoIP protocols have similar characteristics. For FTP it's the opening of a data connection, after negotiation via the control channel on the well-known FTP server port. In VoIP there is the example of SIP, which uses SDP to negotiate the ports to which the audio data is to be sent with RTP.

The infrastructure in Wireshark to support this is the 'conversation'. It's defined by its endpoints (IP/proto/port tuple, with optional wildcards) and can dynamically associate a protocol dissector to such a conversation, e.g. based on what is negotiated in a control channel. The README.dissector file has more information on this, and the FTP and SDP dissectors should be illustrative as well.

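The following is an added example, not code from either answer or from the Wireshark project. It shows the dynamic-association idea from the second answer in the Lua dissector style of the first: a control-phase dissector sits on the fixed port, and when it sees the "open port Y" message it binds a separate measurement-phase dissector to port Y at runtime through the udp.port dissector table, rather than through the C conversation API that README.dissector describes. Everything about the wire format is assumed for illustration: control port 7555 stands in for "ABC", a control message is taken to be one byte of message type (0x01 = open port) followed by a two-byte big-endian port number, and a measurement message is taken to start with a four-byte sequence number.

```lua
-- Added example (not from the original thread). Assumed wire format, see lead-in.
local ctrl_proto = Proto("myctrl", "My Protocol Control Phase")
local meas_proto = Proto("mymeas", "My Protocol Measurement Phase")

local f_type = ProtoField.uint8("myctrl.type", "Message Type", base.HEX)
local f_port = ProtoField.uint16("myctrl.port", "Negotiated Port", base.DEC)
ctrl_proto.fields = { f_type, f_port }

local f_seq = ProtoField.uint32("mymeas.seq", "Sequence", base.DEC)
meas_proto.fields = { f_seq }

local MSG_OPEN_PORT = 0x01   -- assumed message type carrying port "Y"
local CONTROL_PORT  = 7555   -- assumed fixed port standing in for "ABC"

local udp_table = DissectorTable.get("udp.port")

-- Ports we have bound dynamically, so repeated or re-dissected control
-- packets (e.g. the second pass in tshark) do not add the same port twice.
local bound_ports = {}

-- Measurement phase: only reachable once a control packet has bound its port.
function meas_proto.dissector(buf, pinfo, tree)
  if buf:len() < 4 then return 0 end
  pinfo.cols.protocol = meas_proto.name
  local subtree = tree:add(meas_proto, buf())
  subtree:add(f_seq, buf(0, 4))
  pinfo.cols.info = string.format("Measurement seq=%d", buf(0, 4):uint())
  return buf:len()
end

-- Control phase: registered statically on the fixed port below.
function ctrl_proto.dissector(buf, pinfo, tree)
  if buf:len() < 3 then return 0 end
  pinfo.cols.protocol = ctrl_proto.name
  local subtree = tree:add(ctrl_proto, buf(0, 3))
  local msg_type = buf(0, 1):uint()
  subtree:add(f_type, buf(0, 1))

  if msg_type == MSG_OPEN_PORT then
    local port = buf(1, 2):uint()
    subtree:add(f_port, buf(1, 2))
    pinfo.cols.info = string.format("Open measurement port %d", port)
    -- Dynamic association: from now on, UDP traffic on the negotiated port
    -- is handed to the measurement dissector. Packets that arrived on that
    -- port *before* this control packet are not re-dissected by this.
    if port ~= 0 and not bound_ports[port] then
      udp_table:add(port, meas_proto)
      bound_ports[port] = true
    end
  end
  return buf:len()
end

-- Forget dynamically bound ports when the protocol is (re)initialised, i.e.
-- when a new capture is opened, so a stale port from a previous file does not
-- claim unrelated traffic.
function meas_proto.init()
  for port, _ in pairs(bound_ports) do
    udp_table:remove(port, meas_proto)
  end
  bound_ports = {}
end

udp_table:add(CONTROL_PORT, ctrl_proto)
```

Load it like any other Lua dissector (for instance via the plugins directory or `tshark -X lua_script:...`). The binding is keyed on the port alone, so if two responders negotiate the same port Y for different purposes the measurement dissector will see both; the C conversation API from the second answer avoids that by matching on the full address/port tuple, which is why it is the preferred mechanism for a built-in dissector.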


Last updated: Sep 21 '19