Ask Your Question
0

how to decode part of a message as IPv4 with a custom dissector?

asked 2017-12-05 21:17:28 +0000

allantse gravatar image

I am just learning to write custom dissectors. I have a packet with a custom header that I had to dissect so that I could create an IP header + IP payload. Is there a way to pass these raw data bytes to have wireshark decode it as a IPv4 protocol and add it to a tree in my custom dissector? I am trying to get it to display in wireshark like this:

[Frame]

[Ethernet header]

[IPv4 header]

[Custom header]

[Created IPv4header]

[Created IPv4payload]

edit retag flag offensive close merge delete

Comments

So what is the format of the packet on the network? Is the Ethernet type of the packet 0x0800 (for IPv4) or something for your custom protocol? If it's 0x0800, what is the protocol type in the IPv4 header - a standard value for a protocol running on top of IPv4, or a custom value for your custom protocol? And where is the IPv4 payload?

Guy Harris gravatar imageGuy Harris ( 2017-12-05 23:08:26 +0000 )edit

Thanks for the reply. The Ethernet type is the standard 0x0800 for IPv4. The protocol type in the IPv4 header is a custom value for the custom protocol. The original packet is like this: [Frame][Ethernet header][IPv4 header] [custom protocol] [payload]

What I am trying to do is insert a created IPv4 header (after I have dissected the custom protocol) between the custom protocol and payload, then pass the created IPv4 header and payload to be decoded by the IPv4 protocol.

So I think I would have to create a new tvb then use call_dissector to pass it along to the IPv4 dissector. What I am not sure is how to stitch together this new tvb with the created header+ original payload.

allantse gravatar imageallantse ( 2017-12-05 23:39:53 +0000 )edit

You cannot stitch them together - a dissector takes the whole tvb it gets, processes the header part and invokes sub-dissectors to handle the payload - no pointers to other buffers can be used. So you have to copy your created IPv4payload right after your created IPv4header into the newly created tvb from the original one, effectively creating a new packet for the ip (IPv4) dissector to handle.

sindy gravatar imagesindy ( 2017-12-06 06:52:36 +0000 )edit

So is the "Created IPv4 header" different from the actual IPv4 header? If so, in what ways is it different?

Guy Harris gravatar imageGuy Harris ( 2017-12-06 07:07:03 +0000 )edit

What I wrote above is relevant to your case if you actually create the IPv4 header using your Custom header dissector. If the octets of the second IP header are already present in the raw packet, following the Custom header, in correct format, then you don't need to create a second tvb at all - you merely invoke the ip dissector on the rest of the tvb which your Custom dissector has been given.

sindy gravatar imagesindy ( 2017-12-06 08:12:10 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2017-12-06 22:34:21 +0000

allantse gravatar image

updated 2017-12-07 08:01:47 +0000

grahamb gravatar image

create a new tvb with tvb_new_real_data, find the ip handle with find_dissector("ip"), then use call_dissector.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2017-12-05 21:17:28 +0000

Seen: 47 times

Last updated: Dec 07