
registering two protocol plugin sharing a same port

asked 2018-08-23 06:02:55 +0000


updated 2018-08-23 06:03:39 +0000

I have two plugins, ABC and XYZ. The ABC protocol uses port 3100 and XYZ uses any port between 1024 and 9000:

dissector_add_uint("tcp.port", 3100, ABC_handle);
dissector_add_uint_range_with_preference("tcp.port", "1024-9000", XYZ_handle);

When the XYZ protocol uses port 3100, Wireshark dissects that packet as ABC, but it was supposed to dissect it as XYZ.

How can I handle this case?

Thanks in advance


1 Answer


answered 2018-08-23 07:20:41 +0000


You can't simultaneously register the ABC and XYZ dissectors for port 3100, as there would be no way to determine whether it's protocol ABC or protocol XYZ. You can, however, register the ABC dissector for port 3100 and the XYZ dissector for ports 1024 through 3099 and 3101 through 9000:

dissector_add_uint("tcp.port", 3100, ABC_handle);
dissector_add_uint_range_with_preference("tcp.port", "1024-3099,3101-9000", XYZ_handle);


@Guy Harris Both protocols have the first byte as a protocol identification; can't it be used to distinguish between the protocols' packets having the same port?

Dhanu Sh Alz ( 2018-08-23 07:25:37 +0000 )

It can but you need to use a "pre-dissector" which you register as a dissector for the full port range and let it invoke one of the two real dissectors depending on the conditions (if the port is 3100 and the first byte identifies one protocol, call the dissector for that protocol, otherwise call the dissector for the other protocol). Or you can merge the code of the two dissectors if that makes more sense. A single dissector plugin may register multiple protocol names.

sindy ( 2018-08-23 20:44:31 +0000 )

@sindy How does the pre-dissector actually work? Is there any example in Wireshark I can look at?

Dhanu Sh Alz ( 2018-08-24 07:34:59 +0000 )

"Pre-dissector" is not an official name, which is why I've put it in quotation marks. It is just a piece of code with the formal structure of a dissector, which registers itself as a dissector in the tcp table, but its executive part (the dissector function) doesn't really handle the data; it just calls one or the other dissector depending on the conditions. As said, you may instead tell the XYZ dissector to invoke the ABC dissector and pass it the whole tvb to do the real job if it finds out that the port is 3100 and the first byte in the tvb identifies protocol ABC. ABC need not be registered in the dissection table indexed by TCP port numbers; it is enough that it is registered as a dissector and that XYZ knows its handle.

sindy ( 2018-08-26 13:24:28 +0000 )
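The dispatching "pre-dissector" that sindy describes, written here as an added example in Wireshark's Lua dissector API; it is not code from the question, the answers or the Wireshark project. It assumes the protocol short names abc and xyz, port 3100 for ABC, the 1024-9000 range from the question, and a first-byte tag of 0x41 for ABC and 0x58 for XYZ; the tag values, the two stand-in dissectors and the script name are assumptions, since the question does not say what the identifying byte is. A C plugin does the same thing with dissector_add_uint_range_with_preference() for the front dissector and find_dissector() plus call_dissector() for the hand-off.

```lua
-- abcxyz.lua: added example, not the poster's plugin code.
-- Load with:  tshark -X lua_script:abcxyz.lua -r capture.pcap
--
-- Assumptions (not stated in the question):
--   * ABC packets start with byte 0x41, XYZ packets with byte 0x58
--   * the real dissectors register under the names "abc" and "xyz"

-- Two minimal stand-ins for the real ABC and XYZ dissectors (in the
-- question these are C plugins; here they exist so the script runs alone).
local abc_proto = Proto("abc", "ABC Protocol")
local abc_tag   = ProtoField.uint8("abc.tag", "Tag", base.HEX)
abc_proto.fields = { abc_tag }
function abc_proto.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "ABC"
    local subtree = tree:add(abc_proto, tvb())
    subtree:add(abc_tag, tvb(0, 1))
    return tvb:len()
end

local xyz_proto = Proto("xyz", "XYZ Protocol")
local xyz_tag   = ProtoField.uint8("xyz.tag", "Tag", base.HEX)
xyz_proto.fields = { xyz_tag }
function xyz_proto.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "XYZ"
    local subtree = tree:add(xyz_proto, tvb())
    subtree:add(xyz_tag, tvb(0, 1))
    return tvb:len()
end

-- The "pre-dissector": it owns the whole port range and only decides which
-- real dissector receives the payload. Neither abc nor xyz is attached to
-- tcp.port; they are reached through their registered handles.
local ABC_PORT = 3100
local ABC_TAG, XYZ_TAG = 0x41, 0x58   -- assumed first-byte identifiers

local front = Proto("abcxyz", "ABC/XYZ port demultiplexer")

function front.dissector(tvb, pinfo, tree)
    if tvb:len() < 1 then
        return 0                      -- nothing to classify; do not claim it
    end
    local first = tvb(0, 1):uint()
    local on_abc_port = (pinfo.src_port == ABC_PORT or pinfo.dst_port == ABC_PORT)

    local handle
    if on_abc_port and first == ABC_TAG then
        handle = Dissector.get("abc")  -- port 3100 AND ABC tag: it is ABC
    elseif first == XYZ_TAG then
        handle = Dissector.get("xyz")  -- XYZ tag on any port (3100 included)
    else
        return 0                      -- unknown tag: reject rather than mislabel
    end
    -- Hand the whole tvb to the chosen dissector; its return value is ours.
    return handle:call(tvb, pinfo, tree)
end

-- Only the front dissector is registered on the port range from the question.
DissectorTable.get("tcp.port"):add("1024-9000", front)
```

With this in place an XYZ packet on port 3100 reaches the xyz dissector, which is the case the question asks about, and an ABC packet on port 3100 still reaches abc. Two caveats a practitioner would want: a one-byte tag is a weak discriminator, so a payload that matches neither tag is deliberately rejected (return 0) instead of being guessed, and because whoever sends the data chooses the tag, both real dissectors must still validate their input rather than trusting that the demultiplexer picked the "right" one.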
