
How to register a packet dissector for packets whose port are not pre-defined?

asked 2019-09-18 15:19:15 +0000

DarshanL

Hi Team,

My protocol has two phases: 1. Control phase 2. Measurement phase.

The responder node would by default open a port at number ABC

[x]----------------->[ABC]

[x]<-----------------[ABC]

During the control phase, the initiator asks the responder node to open a port at no. "Y"

[x]------------------>[Y]

[x]<------------------[Y]

Now I need to write a packet dissector to dissect this kind of packet. What I know is that we can register a packet dissector in the Wireshark framework against a particular port number. So when Wireshark finds a packet it looks for the dissector which has registered for that port number and calls that dissector to dissect that packet.

So now if I register my dissector at port number ABC, it can dissect control packets. However, since my measurement phase packets won't be associated with port number ABC, my dissector won't be triggered to handle those packets.

So how can I register my dissector to dissect both kinds of packets?

Thanks and regards, Darshan L.


3 Answers


answered 2021-04-10 12:11:47 +0000

yurenchen

updated 2021-04-10 14:34:56 +0000

The .register_heuristic can do this job.

Determine the proto by custom logic rather than by port.

-- Protocol object and a minimal dissector, so this snippet runs on its own
local MyProto = Proto("myproto", "My Protocol")

function MyProto.dissector(buffer, pinfo, tree)
    pinfo.cols.protocol = MyProto.name
    tree:add(MyProto, buffer())
end

-- heuristic_checker: determine which dissector to use
local function heuristic_checker(buffer, pinfo, tree)
    -- check length (declared local so it does not leak into the global table)
    local length = buffer:len()
    if length < 4 then return false end

    -- check something.. (replace `true` with a real test on the payload,
    -- e.g. a magic value in the first bytes)
    if true then
        -- use my dissector
        MyProto.dissector(buffer, pinfo, tree)
        return true
    else
        return false
    end
end

-- register to udp
MyProto:register_heuristic('udp', heuristic_checker)

ref:
https://mika-s.github.io/wireshark/lu...


answered 2019-09-21 18:40:28 +0000

BMWE

You can use multiple ports for the dissector so that both ports (ABC and Y) would be registered.

Taking from the example:

-- Protocol object and a minimal dissector, so this snippet runs on its own
local p_multi = Proto("multi", "Multi-port protocol")
function p_multi.dissector(buffer, pinfo, tree)
    pinfo.cols.protocol = p_multi.name
    tree:add(p_multi, buffer())
end

local wtap_encap_table = DissectorTable.get("wtap_encap")
local udp_encap_table = DissectorTable.get("udp.port")

-- user link-layer types, then the same dissector on several UDP ports
wtap_encap_table:add(wtap.USER15, p_multi)
wtap_encap_table:add(wtap.USER12, p_multi)
udp_encap_table:add(7555, p_multi)
udp_encap_table:add(7666, p_multi)
udp_encap_table:add(7777, p_multi)

answered 2019-09-18 16:29:45 +0000

Jaap

This is not an uncommon scenario. Protocols like FTP and VoIP protocols have similar characteristics. For FTP it's the opening of a data connection, after negotiation via the control channel on the well-known FTP server port. In VoIP there is the example of SIP, which uses SDP to negotiate the ports to which the audio data is to be sent with RTP.

The infrastructure in Wireshark to support this is the 'conversation'. It's defined by its endpoints (IP/proto/port tuple, with optional wildcards) and can dynamically associate a protocol dissector to such a conversation, e.g. based on what is negotiated in a control channel. The README.dissector file has more information on this, and the FTP and SDP dissectors should be illustrative as well.


Comments

Hi, as suggested, either have a preference for the control protocol port(s) or use "Decode As" to dissect the control protocol. Then in the control protocol dissection set up the conversation for the data protocol port(s) based on the information received in the control protocol. There are numerous examples in the code base and some info in the readme files on conversations.

Anders (2021-04-11 11:00:13 +0000)
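Jaap's answer and Anders's comment describe the C-level pattern: dissect the control channel, then bind the negotiated data port via a conversation. The Wireshark Lua API does not expose the conversation functions, so the nearest Lua equivalent is to add the announced port to the "udp.port" dissector table from inside the control-phase dissector. The following is an added example written for this page; it is not code from any of the answers or from the Wireshark project. The wire format (type byte, then a 16-bit port for control messages), the port 5000 standing in for "ABC", and the protocol and field names are all assumptions.

```lua
-- Added example (not from any answer on this page): a Lua dissector for the
-- two-phase protocol in the question. Control messages arrive on a well-known
-- port; the port they announce is bound at dissection time so that the
-- measurement-phase packets are decoded by the same dissector.
--
-- Constructed wire format (an assumption, the question gives none):
--   byte 0     message type: 1 = open-port request, 2 = open-port ack, 3 = measurement
--   bytes 1-2  control messages: announced port "Y" (big endian)
--   bytes 1..  measurement messages: opaque payload

local CTRL_PORT = 5000   -- placeholder for the question's well-known port "ABC"

local myproto = Proto("twophase", "Two-phase measurement protocol (example)")

local msg_types = { [1] = "Open port request", [2] = "Open port ack", [3] = "Measurement" }
local f_type    = ProtoField.uint8("twophase.type", "Message type", base.DEC, msg_types)
local f_port    = ProtoField.uint16("twophase.port", "Announced measurement port", base.DEC)
local f_payload = ProtoField.bytes("twophase.payload", "Measurement payload")
myproto.fields = { f_type, f_port, f_payload }

local udp_port_table = DissectorTable.get("udp.port")

-- Ports bound at dissection time, remembered so they can be unbound again
-- when the capture is reloaded (init() runs on every (re)load).
local dynamic_ports = {}

function myproto.init()
    for port in pairs(dynamic_ports) do
        udp_port_table:remove(port, myproto)
    end
    dynamic_ports = {}
end

local function bind_measurement_port(port)
    -- Never rebind the control port, ignore port 0, bind each negotiated port once.
    if port == CTRL_PORT or port == 0 or dynamic_ports[port] then return end
    udp_port_table:add(port, myproto)
    dynamic_ports[port] = true
end

function myproto.dissector(buffer, pinfo, tree)
    local len = buffer:len()
    if len < 1 then return 0 end   -- no type byte: not ours, let others try

    local msg_type = buffer(0, 1):uint()
    if not msg_types[msg_type] then return 0 end   -- unknown type: reject

    pinfo.cols.protocol = myproto.name
    local subtree = tree:add(myproto, buffer(), "Two-phase measurement protocol")
    subtree:add(f_type, buffer(0, 1))

    if msg_type == 1 or msg_type == 2 then
        -- Control phase: bounds-check before reading the 16-bit port field.
        if len < 3 then
            subtree:add_expert_info(PI_MALFORMED, PI_ERROR, "Control message truncated")
            return len
        end
        local port = buffer(1, 2):uint()
        subtree:add(f_port, buffer(1, 2))
        pinfo.cols.info = string.format("Control: open measurement port %d", port)
        bind_measurement_port(port)
    else
        -- Measurement phase: reached only because bind_measurement_port() added this port.
        if len > 1 then subtree:add(f_payload, buffer(1)) end
        pinfo.cols.info = string.format("Measurement data (%d bytes)", len - 1)
    end
    return len
end

-- Static binding for the control port; measurement ports are added on the fly.
udp_port_table:add(CTRL_PORT, myproto)
```

Load it with `wireshark -X lua_script:twophase.lua` (or from the plugins directory). Two differences from a real conversation are worth keeping in mind: a "udp.port" entry is global, so any UDP traffic on the announced port, between any endpoints, is handed to this dissector until the capture is reloaded, whereas a conversation is scoped to the negotiating endpoints; and the binding only exists once the control packet has been dissected, so measurement packets that precede it in the file, or a capture that lacks the control exchange entirely, still need "Decode As" or a heuristic dissector as in the other answers.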


1 follower

Stats

Asked: 2019-09-18 15:19:15 +0000

Seen: 2,048 times

Last updated: Apr 10 '21