
TCP ACK Protocol display

asked 2024-10-11 09:17:14 +0000

ibraesch

Hello all,

I've successfully managed to write a Lua dissector for my protocol built on top of TCP.
The dissector is working well, I can display the fields of my custom protocol when using Wireshark or TShark.
There's just one thing bothering me, I'd like to flag the ACK TCP packets as 'MY_TCP_PROTOCOL' also.
For the moment, the TCP packets without data are not flagged as 'MY_TCP_PROTOCOL' but only 'TCP', even though the dissector is added to the dissector table for tcp.port 12345.

What am I missing?

Thank you for your replies, Igor


Comments

packet-tcp.c is big to search for the exact check but if there is no data to decode why should the tcp dissector process the tcp.port table?

Chuckc ( 2024-10-11 10:16:43 +0000 )

Ok, it makes sense that the dissector does not get called when there's no data to dissect.
But is there a way to have those packets (ACK only, no data) flagged as 'MY_CUSTOM_PROTOCOL' instead of simple TCP?
My goal is to be able to see how much traffic (in proportion) my protocol is creating. With the Protocol Hierarchy visualization, I have the packets containing data that are counted as MY_CUSTOM_PROTOCOL, but then all of the ACKs are counted under TCP directly. I would like to be able to see all under MY_CUSTOM_PROTOCOL (because fundamentally, those ACK packets are coming from communication using MY_CUSTOM_PROTOCOL).

ibraesch ( 2024-10-11 11:59:55 +0000 )

https://gitlab.com/wireshark/wireshar... is someone else making the same request.

johnthacker ( 2024-10-11 12:57:13 +0000 )

You go in front of tcp by replacing its entry in the ip.proto table with your dissector, then calling tcp as needed.

Chuckc ( 2024-10-11 13:03:18 +0000 )

No, you can't. How can Wireshark know, without calling your dissector, that those ACK packets are actually coming from communication with your protocol? Yes, your protocol might be set to the port, but dissectors can be set to a port and reject packets. They can accept some packets on a connection but not others. They can even have multiple PDUs in a TCP segment with different dissectors and protocols.

Dissectors can be set up by port, by heuristics, and via other methods (set up by other connections like in FTP and TFTP, or mechanisms like ALPN). How, consistently and for all dissectors, can Wireshark know that the ACK is actually coming from your protocol? Changing the column for TCP segments with no data in only some conversations would be worse than not doing it at all due to the inconsistency IMO.

johnthacker ( 2024-10-11 13:08:34 +0000 )

1 Answer


answered 2024-10-11 10:39:28 +0000

SYN-bit

That is not how Wireshark works. Wireshark hands over data to the next dissector, based on tables and heuristics. If there is no data (as is the case with a bare ACK), there is no need to call the next dissector. If you want to display all packets in the TCP stream, don't filter on your protocol name, but filter on tcp.port==12345 or tcp.stream==X (if you want to only view a specific TCP stream containing your protocol).

Comments

My goal is to be able to see how much traffic (in proportion) my protocol is creating. With the Protocol Hierarchy visualization, I have the packets containing data that are counted as MY_CUSTOM_PROTOCOL, but then all of the ACKs are counted under TCP directly. I would like to be able to see all under MY_CUSTOM_PROTOCOL (because fundamentally, those ACK packets are coming from communication using MY_CUSTOM_PROTOCOL)

You can achieve this by filtering on the TCP port number of your protocol (12345) and then going to "Statistics -> Capture file properties". Below, in the statistics part under "Displayed", you can see the percentage of packets/bytes matching the display filter (i.e. your protocol).

SYN-bit ( 2024-10-13 19:50:42 +0000 )
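
The per-port accounting suggested in the answer and comment above can also be scripted. This is an added example, not code from the thread: a Lua tap that counts every frame matching tcp.port == 12345 (bare ACKs included) against the whole capture. The port comes from the question; the file name `port_share.lua` and the variable names are assumptions.

```lua
-- port_share.lua (hypothetical name): added example, not from the thread.
local PORT = 12345                        -- port from the question

-- Field extractors must be created at load time, not inside a callback.
local f_tcp_len = Field.new("tcp.len")    -- TCP payload length per segment

local total  = { pkts = 0, bytes = 0 }    -- every frame in the capture
local onport = { pkts = 0, bytes = 0 }    -- frames matching tcp.port == PORT
local empty  = { pkts = 0, bytes = 0 }    -- of those, segments with no payload

local function add(c, pinfo)
    c.pkts  = c.pkts + 1
    c.bytes = c.bytes + pinfo.len         -- frame length on the wire
end

local function clear(c) c.pkts, c.bytes = 0, 0 end

local function pct(part, whole)
    if whole == 0 then return 0 end       -- empty capture: avoid 0/0
    return 100 * part / whole
end

-- One unfiltered tap for the denominator, one filtered tap for the port.
local all_tap  = Listener.new("frame")
local port_tap = Listener.new("frame", "tcp.port == " .. PORT)

function all_tap.packet(pinfo, tvb) add(total, pinfo) end
function all_tap.reset() clear(total) end

function port_tap.packet(pinfo, tvb)
    add(onport, pinfo)
    local len = f_tcp_len()               -- nil if the field is absent
    if len and len.value == 0 then add(empty, pinfo) end
end
function port_tap.reset() clear(onport); clear(empty) end

-- In TShark draw() runs once, after the whole file has been read.
function port_tap.draw()
    print(string.format("tcp.port == %d: %d/%d packets (%.1f%%), %d/%d bytes (%.1f%%)",
        PORT, onport.pkts, total.pkts, pct(onport.pkts, total.pkts),
        onport.bytes, total.bytes, pct(onport.bytes, total.bytes)))
    print(string.format("  zero-payload segments (bare ACK, SYN, FIN, RST): %d packets, %d bytes",
        empty.pkts, empty.bytes))
end
```

Run it with `tshark -r capture.pcap -q -X lua_script:port_share.lua`, where `capture.pcap` is a placeholder for your own capture file.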


Stats

Asked: 2024-10-11 09:17:14 +0000

Seen: 100 times

Last updated: Oct 11