How do I let the user specify for which UDP ports a dissector should be used?

asked 2021-09-21 22:16:30 +0000

vemson

updated 2021-09-22 08:11:12 +0000

Guy Harris

I created a dissector under the assumption that a given dissector is applied to every packet picked up by Wireshark.

As such I created an .ini file to define the ports on which the dissector should operate.

More specifically, the .ini file is read at Wireshark startup by the dissector, and the dissector in turn passes ports one at a time into the function dissector_add_uint("udp.port",...).

This limits the ports the dissector operates on to those in the .ini file. When Wireshark runs, the dissector doesn't even see packets not intended for it.

Is the .ini file the way this should be handled or is there another way to do this? My users need a way to change the ports the dissector processes for a given run of Wireshark.


Comments

"My users need a way to change the ports the dissector processes for a given run of Wireshark."
Are the ports specific to the capture file or is it multiple runs against the same capture with different ports each run?

Chuckc (2021-09-22 14:34:52 +0000)

2 Answers


answered 2021-09-22 05:38:43 +0000

Jaap

The preferred way to do this is to register a so-called dissector preference (pun intended ;)) with the dissection engine. This will automagically add your protocol to the list in the protocol tree in the preferences dialog, and allows your users to enter the ports your dissector should register on. When they do, you first deregister from all old ports and register again to the new ports. This is a common theme; see section 2.6 in doc/README.dissector. Useful convenience functions are provided for this, e.g. dissector_add_uint_with_preference() and dissector_add_for_decode_as_with_preference().


answered 2021-09-22 08:17:51 +0000

Guy Harris

"I created a dissector under the assumption that a given dissector is applied to every packet picked up by Wireshark."

Incorrect assumption. Link-layer dissectors are applied only if the packet's link-layer protocol type corresponds to the link-layer protocol for that dissector. All other dissectors are applied only if another dissector that sees the packet decides to hand the packet to the dissector in question.

In your case, with a protocol that runs atop UDP, a dissector is called only if the packet is a UDP packet and, for the source and destination port numbers in the UDP header, either:

  1. the dissector has explicitly registered one (or both) of those port numbers in the "udp.port" dissector table;
  2. the dissector is set up the way Jaap suggests, and the user configures it to be called for one of those port numbers;
  3. the dissector is a UDP heuristic dissector, and the packet hasn't been handed to another dissector before it was handed to the heuristic dissector to see if it looks like one of its packets.

So, for your case, Jaap's suggestion, 2), is the correct answer.
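
The preference-driven registration described in the answers above, as an added example that is not part of the original thread. It uses Wireshark's Lua dissector API rather than the C convenience functions Jaap names; the protocol name "myproto", its field and the default range "5000-5002" are hypothetical placeholders.

```lua
-- Added example (not from the thread). "myproto", its payload field and the
-- default port range are hypothetical placeholders.
local myproto = Proto("myproto", "My Example Protocol")
local f_payload = ProtoField.bytes("myproto.payload", "Payload")
myproto.fields = { f_payload }

-- Range preference; it appears under Preferences > Protocols for this protocol.
local DEFAULT_PORTS = "5000-5002"
myproto.prefs.udp_ports = Pref.range("UDP port(s)", DEFAULT_PORTS,
    "UDP ports on which this dissector is registered", 65535)

function myproto.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "MYPROTO"
    local subtree = tree:add(myproto, tvb())
    subtree:add(f_payload, tvb())
    return tvb:len()
end

local udp_table = DissectorTable.get("udp.port")
local registered_ports = nil  -- range string currently in the "udp.port" table

-- Deregister from all old ports, then register on the new ones.
local function apply_ports(new_ports)
    if registered_ports == new_ports then return end
    if registered_ports and registered_ports ~= "" then
        udp_table:remove(registered_ports, myproto)
    end
    if new_ports ~= "" then
        udp_table:add(new_ports, myproto)
    end
    registered_ports = new_ports
end

-- Called by Wireshark when this protocol's preferences change.
function myproto.prefs_changed()
    apply_ports(myproto.prefs.udp_ports)
end

-- Initial registration on the default range when the script loads.
apply_ports(DEFAULT_PORTS)
```

An empty range leaves the dissector unregistered on every UDP port, so it is never handed a packet by the UDP dissector.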
