Ask Your Question
0

How can I put data from two or more frames together in a custom Wireshark dissector?

asked 2020-12-01 07:59:51 +0000

Robin26689 gravatar image

updated 2020-12-02 02:44:10 +0000

cmaynard gravatar image

Hi,

I'm writing a Wireshark plugin dissector for IO-Linkdata. In some special cases I have to collect data over 2 or 3 frames until its complete. I read about the conversation but I don't think I can work with this solution because I don't have addresses. In my case, one frame is master data + device data. I also looked at https://www.wireshark.org/docs/wsdg_h..., but this tutorial didn't help. Maybe I'm too inexperienced in C or programming in general to understand it without help.

Best regards

Rob

edit retag flag offensive close merge delete

Comments

Rob, Just curious what interface you intended to use for capturing the traffic and status of the entire project?

Onstege gravatar imageOnstege ( 2023-12-12 10:42:08 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-12-01 20:47:09 +0000

Jaap gravatar image

Have a look at README.dissector section 2.7.2

edit flag offensive delete link more

Comments

yes i did. i tried to add it to my code and i could build it without errors but nothing happens. Maybe its on the wrong place or i have to make some changes. I also read 2.7.1 Using tcp_dissect_pdus() because i know how long my data will be and in which case i will receive data over severall frames. I also have a bit which is incremented as long as the data is transmitted. I just can't figure out (yet) how to make it work. I just want to collect the data until its complete and then print it to the info colum from the last frame.

Robin26689 gravatar imageRobin26689 ( 2020-12-02 07:01:59 +0000 )edit

Maybe if you describe your data a bit more, with the help of a link to a capture file, more specific advice can be offered.

grahamb gravatar imagegrahamb ( 2020-12-02 11:05:42 +0000 )edit

i think i found a solution for now but im not sure if it works in every case. My data:

  • 1.Frame: 0xf0 0x5b 0xd1 0x16 0x69 0x66 0x6d 0x20 0x65 0x6c
  • 2.Frame: 0xe1 0xb0 0x65 0x63 0x74 0x72 0x6f 0x6e 0x69 0x63
  • 3.Frame: 0xe2 0x80 0x20 0x67 0x6d 0x62 0x68 0xa7 0x00 0x00

The first two bytes are always from the master. The Mastercommand is the first byte. I have a Bitmask with: |r/w (7)| |communication channel (6,5)| |adress (4-0)| If i have adress 16 followed by adress 1 (0xe1) and adress 2 (oxe2) i know that these 3 frames belongs together. Then form the first frame the 3rd byte d for the command and 1 says it has the external length which is the following byte 0x16. So i know i will have 22 bytes of data. The first byte is the command the ...(more)

Robin26689 gravatar imageRobin26689 ( 2020-12-02 11:25:44 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-12-01 07:59:51 +0000

Seen: 771 times

Last updated: Dec 02 '20

Related questions

How do I get and display packet data information at a specific byte from the first byte?

How do I add "child item" to an item in the subtree?

How do I dissect multiple packets?

How do I use the fragment_add_seq_check function in UDP packet reassembly?

Is it possible to use reassembly on non-split packets?

How do I dissect packets if the dissection depends on information from earlier packets?

Little Endian for "Proto_Tree_Add_Bits" Function

How can I make my custom packet dissector distributable?

Wireshark 2.4.1 GTK Crash on long run

how to invert two bytes in lua script dissector ?