Ask Your Question
0

How can I put data from two or more frames together in a custom Wireshark dissector?

asked 2020-12-01 07:59:51 +0000

Robin26689 gravatar image

updated 2020-12-02 02:44:10 +0000

cmaynard gravatar image

Hi,

I'm writing a Wireshark plugin dissector for IO-Linkdata. In some special cases I have to collect data over 2 or 3 frames until its complete. I read about the conversation but I don't think I can work with this solution because I don't have addresses. In my case, one frame is master data + device data. I also looked at https://www.wireshark.org/docs/wsdg_h..., but this tutorial didn't help. Maybe I'm too inexperienced in C or programming in general to understand it without help.

Best regards

Rob

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-12-01 20:47:09 +0000

Jaap gravatar image

Have a look at README.dissector section 2.7.2

edit flag offensive delete link more

Comments

yes i did. i tried to add it to my code and i could build it without errors but nothing happens. Maybe its on the wrong place or i have to make some changes. I also read 2.7.1 Using tcp_dissect_pdus() because i know how long my data will be and in which case i will receive data over severall frames. I also have a bit which is incremented as long as the data is transmitted. I just can't figure out (yet) how to make it work. I just want to collect the data until its complete and then print it to the info colum from the last frame.

Robin26689 gravatar imageRobin26689 ( 2020-12-02 07:01:59 +0000 )edit

Maybe if you describe your data a bit more, with the help of a link to a capture file, more specific advice can be offered.

grahamb gravatar imagegrahamb ( 2020-12-02 11:05:42 +0000 )edit

i think i found a solution for now but im not sure if it works in every case. My data:

  • 1.Frame: 0xf0 0x5b 0xd1 0x16 0x69 0x66 0x6d 0x20 0x65 0x6c
  • 2.Frame: 0xe1 0xb0 0x65 0x63 0x74 0x72 0x6f 0x6e 0x69 0x63
  • 3.Frame: 0xe2 0x80 0x20 0x67 0x6d 0x62 0x68 0xa7 0x00 0x00

The first two bytes are always from the master. The Mastercommand is the first byte. I have a Bitmask with: |r/w (7)| |communication channel (6,5)| |adress (4-0)| If i have adress 16 followed by adress 1 (0xe1) and adress 2 (oxe2) i know that these 3 frames belongs together. Then form the first frame the 3rd byte d for the command and 1 says it has the external length which is the following byte 0x16. So i know i will have 22 bytes of data. The first byte is the command the ...(more)

Robin26689 gravatar imageRobin26689 ( 2020-12-02 11:25:44 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-12-01 07:59:51 +0000

Seen: 470 times

Last updated: Dec 02 '20