Ask Your Question
0

How do I only dissect packets within a range of IP addresses but any port?

asked 2019-01-04 10:19:32 +0000

JCAMP gravatar image

I'd like to dissect UDP packets whose destination IP address is within a range of IP addresses. I seem to be able to have my dissector working on a particular port using dissector_add_uint("udp.port", PORT, pro_handle) but I'd like to dissect UDP packets to any port, but with a particular IP address.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-01-04 21:47:34 +0000

cmaynard gravatar image

I think what you'll need to do is to register your dissector a heuristic dissector. This basically means that your dissector will be handed every UDP packet that hasn't been claimed by another dissector [NOTE]. Your dissector will have to heuristically determine whether the packet is actually intended for your dissector or not and dissect it if it is or reject it if it isn't so that another dissector gets a chance to dissect it.

Refer to doc/README.heuristic as well as the many built-in Wireshark dissectors for examples on how to use this. One rather simple one is packet-wol.c.

[Note] Unless the UDP Try heuristic sub-dissectors first option is selected, in which case your dissector will get a chance to claim it before any other registered dissectors, although it's not entirely clear what the heuristic order will be, so it's possible that another heuristic dissector could still claim it, in which case heuristics need to be improved by the dissector that incorrectly claimed it or that dissector may need to be disabled altogether in order for your dissector to get a chance to claim the packet.

edit flag offensive delete link more

Comments

Thank you. Do you know how to get the destination IP address from the packet within the dissector? I've tried many approaches that other dissectors use but can't get any of them to work. The IP address in an integer form is preferred.

JCAMP gravatar imageJCAMP ( 2019-01-07 15:31:00 +0000 )edit

Please ask this in a new question. Asking additional questions as comments in other questions means these questions can get buried and be harder for others to find. It also isn't relevant to the original question asked and answered and which can be accepted if it has indeed answered your question. That way, others know as well, both in the case of folks looking to help answer questions and those looking for answers to the same or similar questions themselves.

cmaynard gravatar imagecmaynard ( 2019-01-07 15:49:37 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-01-04 10:19:32 +0000

Seen: 638 times

Last updated: Jan 04 '19

Related questions

lua dissector ip address subnet

How to dissect packets whose destination IP lies within a range of IP addresses

how to invert two bytes in lua script dissector ?

Why there is port mismatch in tcp and http header for port 51006. Also why the netstat in server do not shows connections under port 51006 even traffic is coming to this port.

How do I get and display packet data information at a specific byte from the first byte?

why protocol is not showing as HTTP even though we sent http request ?

Adjusting Bit order and Endianess in LUA between Dissectors

How do I add "child item" to an item in the subtree?

Localhost capturing

PRP Dissector and FCS

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2