
how to decode part of a message as IPv4 with a custom dissector?

asked Dec 5 '17


I am just learning to write custom dissectors. I have a packet with a custom header that I had to dissect so that I could create an IP header + IP payload. Is there a way to pass these raw data bytes to have Wireshark decode them as an IPv4 protocol and add it to a tree in my custom dissector? I am trying to get it to display in Wireshark like this:

[Frame]

[Ethernet header]

[IPv4 header]

[Custom header]

[Created IPv4header]

[Created IPv4payload]


Comments

So what is the format of the packet on the network? Is the Ethernet type of the packet 0x0800 (for IPv4) or something for your custom protocol? If it's 0x0800, what is the protocol type in the IPv4 header - a standard value for a protocol running on top of IPv4, or a custom value for your custom protocol? And where is the IPv4 payload?

Guy Harris ( Dec 5 '17 )

Thanks for the reply. The Ethernet type is the standard 0x0800 for IPv4. The protocol type in the IPv4 header is a custom value for the custom protocol. The original packet is like this: [Frame][Ethernet header][IPv4 header] [custom protocol] [payload]

What I am trying to do is insert a created IPv4 header (after I have dissected the custom protocol) between the custom protocol and payload, then pass the created IPv4 header and payload to be decoded by the IPv4 protocol.

So I think I would have to create a new tvb then use call_dissector to pass it along to the IPv4 dissector. What I am not sure is how to stitch together this new tvb with the created header+ original payload.

allantse ( Dec 5 '17 )

You cannot stitch them together - a dissector takes the whole tvb it gets, processes the header part and invokes sub-dissectors to handle the payload - no pointers to other buffers can be used. So you have to copy your created IPv4payload right after your created IPv4header into the newly created tvb from the original one, effectively creating a new packet for the ip (IPv4) dissector to handle.

sindy ( Dec 6 '17 )

So is the "Created IPv4 header" different from the actual IPv4 header? If so, in what ways is it different?

Guy Harris ( Dec 6 '17 )

What I wrote above is relevant to your case if you actually create the IPv4 header using your Custom header dissector. If the octets of the second IP header are already present in the raw packet, following the Custom header, in correct format, then you don't need to create a second tvb at all - you merely invoke the ip dissector on the rest of the tvb which your Custom dissector has been given.

sindy ( Dec 6 '17 )

1 Answer


answered Dec 6 '17


updated Dec 7 '17 by grahamb

Create a new tvb with tvb_new_real_data, find the ip handle with find_dissector("ip"), then use call_dissector.

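The answer names the three Wireshark calls; the step it leaves out is the one sindy's comment describes, building the contiguous "created IPv4 header + original payload" buffer that the new tvb will wrap. The following is an added example, not code from the original post or from Wireshark itself: it synthesizes a 20-byte IPv4 header with a valid RFC 791 header checksum, appends a constructed payload, and then checks the result the way the ip dissector will (version, IHL, total length, checksum), so a mistake in the synthesized header shows up here instead of as "bad checksum" and malformed-packet expert info in the tree. The Wireshark API calls appear only in a comment, because this block is compiled without the epan headers; those names (tvb_new_child_real_data, add_new_data_source, call_dissector, wmem_alloc) are from the Wireshark C API as I recall it and should be checked against the version you build against. The addresses, protocol number, TTL and payload bytes are constructed sample values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IPV4_HDR_LEN 20

/* RFC 791 one's-complement checksum over len bytes.  Over a header whose
 * checksum field is zero it yields the value to store; over a header that
 * already carries a correct checksum it yields 0. */
static uint16_t ipv4_header_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    if (len & 1)                          /* odd trailing byte, padded with 0 */
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)                     /* fold carries back in */
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build one contiguous buffer: synthetic 20-byte IPv4 header (no options)
 * followed by a copy of the payload.  Returns a heap buffer the caller frees,
 * or NULL if the packet would not fit the 16-bit total-length field. */
static uint8_t *build_ipv4_packet(uint8_t proto, uint8_t ttl,
                                  const uint8_t src[4], const uint8_t dst[4],
                                  const uint8_t *payload, size_t payload_len,
                                  size_t *out_len)
{
    size_t total = IPV4_HDR_LEN + payload_len;
    if (total > 0xFFFF)
        return NULL;
    uint8_t *buf = calloc(total, 1);
    if (!buf)
        return NULL;
    buf[0] = 0x45;                        /* version 4, IHL 5 words */
    buf[1] = 0x00;                        /* DSCP / ECN */
    buf[2] = (uint8_t)(total >> 8);       /* total length, big-endian */
    buf[3] = (uint8_t)total;
    buf[4] = 0x00; buf[5] = 0x00;         /* identification */
    buf[6] = 0x40; buf[7] = 0x00;         /* flags: DF set, fragment offset 0 */
    buf[8] = ttl;
    buf[9] = proto;                       /* e.g. 17 = UDP, 6 = TCP */
    buf[10] = 0x00; buf[11] = 0x00;       /* checksum placeholder */
    memcpy(buf + 12, src, 4);
    memcpy(buf + 16, dst, 4);
    uint16_t csum = ipv4_header_checksum(buf, IPV4_HDR_LEN);
    buf[10] = (uint8_t)(csum >> 8);
    buf[11] = (uint8_t)csum;
    memcpy(buf + IPV4_HDR_LEN, payload, payload_len);
    *out_len = total;
    return buf;
}

/* The checks the ip dissector applies before it trusts the header: version,
 * IHL, total length consistent with the buffer, and checksum verifying to 0. */
static int ipv4_packet_looks_valid(const uint8_t *pkt, size_t len)
{
    if (len < IPV4_HDR_LEN)
        return 0;
    if ((pkt[0] >> 4) != 4 || (pkt[0] & 0x0F) != 5)
        return 0;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (total != len)
        return 0;
    return ipv4_header_checksum(pkt, IPV4_HDR_LEN) == 0;
}

/* Constructed sample: 10.0.0.1 -> 10.0.0.2, protocol 17, TTL 64, 8-byte payload. */
static const uint8_t SAMPLE_SRC[4] = {10, 0, 0, 1};
static const uint8_t SAMPLE_DST[4] = {10, 0, 0, 2};
static const uint8_t SAMPLE_PAYLOAD[8] = {'A','B','C','D','E','F','G','H'};

/* Checksum stored in the sample packet's header (0x26CF for these bytes). */
static uint16_t sample_stored_checksum(void)
{
    size_t len;
    uint8_t *p = build_ipv4_packet(17, 64, SAMPLE_SRC, SAMPLE_DST,
                                   SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD, &len);
    if (!p) return 0;
    uint16_t c = (uint16_t)((p[10] << 8) | p[11]);
    free(p);
    return c;
}

/* 1 if the sample validates; with corrupt_ttl set, one header byte is flipped
 * after the checksum was computed, which the validation must reject. */
static int sample_validates(int corrupt_ttl)
{
    size_t len;
    uint8_t *p = build_ipv4_packet(17, 64, SAMPLE_SRC, SAMPLE_DST,
                                   SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD, &len);
    if (!p) return 0;
    if (corrupt_ttl) p[8] ^= 1;
    int ok = ipv4_packet_looks_valid(p, len);
    free(p);
    return ok;
}

/* Inside a real dissector (assumed Wireshark API, not compiled here) the
 * buffer would then be handed to the ip dissector roughly like this:
 *
 *   guint8 *buf = wmem_alloc(pinfo->pool, len);   // lives as long as the packet
 *   ...fill buf as build_ipv4_packet does...
 *   tvbuff_t *ip_tvb = tvb_new_child_real_data(tvb, buf, (guint)len, (gint)len);
 *   add_new_data_source(pinfo, ip_tvb, "Created IPv4 packet");
 *   call_dissector(find_dissector("ip"), ip_tvb, pinfo, tree);
 */
int main(void)
{
    size_t len;
    uint8_t *p = build_ipv4_packet(17, 64, SAMPLE_SRC, SAMPLE_DST,
                                   SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD, &len);
    if (!p) return 1;
    for (size_t i = 0; i < len; i++)
        printf("%02x%s", p[i], (i % 16 == 15 || i + 1 == len) ? "\n" : " ");
    printf("valid=%d\n", ipv4_packet_looks_valid(p, len));
    free(p);
    return 0;
}
```

The validation helper is the part worth keeping in your own code: the ip dissector will happily dissect a synthesized header with a wrong checksum or total length, but it will annotate it with expert info and may misread the payload boundary, which is easy to mistake for a bug in the payload dissector rather than in the header you built. Allocating the buffer from pinfo->pool (rather than calloc) matters because the tvb only references the bytes; they must stay alive for as long as the packet is being dissected and displayed.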
