How to setup a totally new dissector for the data without UDP/TCP header

asked 2017-12-15 00:24:46 +0000 by qutefu

updated 2017-12-15 05:17:28 +0000 by Guy Harris

In chapter 9.2.1 of the Developer's Guide, there is a dissector example 9.2 (Dissector Handoff):

void proto_reg_handoff_foo(void)
{
    static dissector_handle_t foo_handle;

    /* Create a handle for dissect_foo() and register it for FOO_PORT
     * in the "udp.port" dissector table, so UDP hands us the payload. */
    foo_handle = create_dissector_handle(dissect_foo, proto_foo);
    dissector_add_uint("udp.port", FOO_PORT, foo_handle);
}

The example always has a related base layer, like UDP, TCP or so on. I would like to parse the whole Enhanced Packet Block (data payload) from the first byte (bit) [of course, I have a header in the packet to identify it from the other interface's protocol]; how do I write the code?

I tried to follow the plugins\grython code and the Developer's Guide, but all the code is related to some condition, like UDP or TCP, and just parses the data from a specific port. I would like to get help with the new idea.

Thanks in advance.


Comments

I would like to parse the whole enhanced packet block (data payload) from the first byte(bit) [of course, I have a header in the packet, to identify it from other interface's protocol ]

By "other interface's protocol" do you mean that these packets are coming from a particular network interface?

And do you mean that you want all packets for that interface to be handled by your protocol?

I try to follow plugins\grython code and the developing guide book, but all code are related with some conditions, like udp, or tcp

Or Ethernet/802.11/PPP/whatever? I.e., your protocol isn't running atop any other link-layer protocol, it is the link-layer protocol?

Guy Harris (2017-12-15 05:20:23 +0000)

Yes, I need to parse it from the first byte of the whole payload in the EPB (pcapng format file); I have some special bytes at the header of the packet, and a special byte order for a special communication proposal.

With an embedded Lua script, I have implemented it. I receive all the tvb data, which is the whole payload in the EPB (pcapng format file), and it is working fine.

Now I need to use C code under the plugins folder to handle it. Thanks a lot.

qutefu (2017-12-15 07:30:05 +0000)

So what LinkType is present in the Interface Description Block? (It can't be '1', since you stated there are some special bytes at the header (I assume you mean 'at the beginning') of the packet.)

Jaap (2017-12-15 09:44:05 +0000)

Since LinkType is 2 bytes, I set it to 999 in the IDB for now, since I know it should be available in my testing for the time being.

qutefu (2017-12-15 16:52:36 +0000)

(Reformatted so it shows up correctly.)

    /* Reserved for private use. */
    { 147,      WTAP_ENCAP_USER0 },
    { 148,      WTAP_ENCAP_USER1 },
    { 149,      WTAP_ENCAP_USER2 },
    { 150,      WTAP_ENCAP_USER3 },
    { 151,      WTAP_ENCAP_USER4 },
    { 152,      WTAP_ENCAP_USER5 },
    { 153,      WTAP_ENCAP_USER6 },
    { 154,      WTAP_ENCAP_USER7 },
    { 155,      WTAP_ENCAP_USER8 },
    { 156,      WTAP_ENCAP_USER9 },
    { 157,      WTAP_ENCAP_USER10 },
    { 158,      WTAP_ENCAP_USER11 },
    { 159,      WTAP_ENCAP_USER12 },
    { 160,      WTAP_ENCAP_USER13 },
    { 161,      WTAP_ENCAP_USER14 },
    { 162,      WTAP_ENCAP_USER15 },

From pcap-common.c. It seems it may be easy if I use a LinkType of USER0~15 to solve it, right?

qutefu (2017-12-15 18:17:28 +0000)

1 Answer

answered 2017-12-15 18:16:05 +0000 by Guy Harris

updated 2017-12-15 18:55:45 +0000 by grahamb

What you should do is either:

  • get an official LINKTYPE_ value assigned for your link-layer packet type, by sending a message to [email protected], use that rather than 999, add an official WTAP_ENCAP_ value for it in wiretap/wtap.h, modify wiretap/pcap-common.c to map the LINKTYPE_ value to the WTAP_ENCAP_ value, and have your dissector register in the wtap_encap dissector table with the WTAP_ENCAP_ value;

or

  • use one of the LINKTYPE_USERn values specifically reserved for private use (as per the list of LINKTYPE_ values, those are values in the range 147 through 162), open up the Preferences dialog in Wireshark, open up Protocols in that dialog, select DLT_USER, and edit the Encapsulations Table and arrange that the LINKTYPE_USERn/DLT_USERn value you used be dissected by your dissector.

The second of those is simpler, but doesn't guarantee that other users won't use the same LINKTYPE_USERn value for a different type of link-layer header.

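To make the two halves of the thread concrete (the asker's 2-byte LinkType in the IDB, and the answer's private-use LINKTYPE_USERn range 147..162), here is an added example that is not code from the question, the answer, or the Wireshark sources. It builds a minimal pcapng file in memory (Section Header Block, one Interface Description Block with LinkType 147 = LINKTYPE_USER0, one Enhanced Packet Block whose packet data is the custom frame from byte 0, with no Ethernet/IP/UDP in front), then walks the block chain to read the LinkType and the packet bytes back. The frame bytes, the output file name user0.pcapng and the 65535 snaplen are constructed values for the demonstration.

```c
/* Added example (not from the thread or from Wireshark): write and read a
 * minimal pcapng capture whose IDB uses a private-use LinkType, so that the
 * packet data in the EPB starts with the custom header at offset 0.
 * Block layouts follow the pcapng spec; all integers are little-endian. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINKTYPE_USER0   147u        /* private-use range is 147..162 */
#define BT_SHB           0x0A0D0D0Au /* Section Header Block */
#define BT_IDB           0x00000001u /* Interface Description Block */
#define BT_EPB           0x00000006u /* Enhanced Packet Block */

static size_t put_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); return 2; }
static size_t put_u32(uint8_t *p, uint32_t v) { put_u16(p, (uint16_t)v); put_u16(p + 2, (uint16_t)(v >> 16)); return 4; }
static uint16_t get_u16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_u32(const uint8_t *p) { return get_u16(p) | ((uint32_t)get_u16(p + 2) << 16); }

/* Emit one block: type, total length, body padded to 4 bytes, total length again. */
static size_t write_block(uint8_t *out, uint32_t type, const uint8_t *body, size_t body_len)
{
    size_t padded = (body_len + 3) & ~(size_t)3;
    uint32_t total = (uint32_t)(12 + padded);
    size_t n = 0;
    n += put_u32(out + n, type);
    n += put_u32(out + n, total);
    memcpy(out + n, body, body_len);
    memset(out + n + body_len, 0, padded - body_len);
    n += padded;
    n += put_u32(out + n, total);
    return n;
}

/* SHB + one IDB (given LinkType) + one EPB carrying pkt. Returns bytes written, 0 on error. */
size_t build_pcapng(uint8_t *out, size_t out_len, uint16_t linktype, const uint8_t *pkt, size_t pkt_len)
{
    uint8_t body[256];
    size_t n = 0, b = 0;
    if (pkt_len > 200 || out_len < 96 + pkt_len) return 0;

    b += put_u32(body + b, 0x1A2B3C4Du);         /* byte-order magic */
    b += put_u16(body + b, 1);                   /* major version */
    b += put_u16(body + b, 0);                   /* minor version */
    b += put_u32(body + b, 0xFFFFFFFFu);         /* section length: unspecified */
    b += put_u32(body + b, 0xFFFFFFFFu);
    n += write_block(out + n, BT_SHB, body, b);

    b = 0;
    b += put_u16(body + b, linktype);            /* the 2-byte LinkType field the thread is about */
    b += put_u16(body + b, 0);                   /* reserved */
    b += put_u32(body + b, 65535);               /* snaplen (constructed value) */
    n += write_block(out + n, BT_IDB, body, b);

    b = 0;
    b += put_u32(body + b, 0);                   /* interface id -> the IDB above */
    b += put_u32(body + b, 0);                   /* timestamp high */
    b += put_u32(body + b, 0);                   /* timestamp low */
    b += put_u32(body + b, (uint32_t)pkt_len);   /* captured length */
    b += put_u32(body + b, (uint32_t)pkt_len);   /* original length */
    memcpy(body + b, pkt, pkt_len);              /* packet data: custom header at byte 0, no L2/L3/L4 */
    b += pkt_len;
    n += write_block(out + n, BT_EPB, body, b);
    return n;
}

/* Walk the block chain; returns the LinkType of the first IDB, or -1 if none/malformed. */
int pcapng_idb_linktype(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    while (off + 12 <= len) {
        uint32_t type = get_u32(buf + off), total = get_u32(buf + off + 4);
        if (total < 12 || (total & 3) || total > len - off) return -1;  /* malformed block */
        if (type == BT_IDB) return get_u16(buf + off + 8);
        off += total;
    }
    return -1;
}

/* Returns a pointer to the first EPB's packet data and sets *plen, or NULL if none/malformed. */
const uint8_t *pcapng_first_packet(const uint8_t *buf, size_t len, size_t *plen)
{
    size_t off = 0;
    while (off + 12 <= len) {
        uint32_t type = get_u32(buf + off), total = get_u32(buf + off + 4);
        if (total < 12 || (total & 3) || total > len - off) return NULL;
        if (type == BT_EPB && total >= 32) {
            uint32_t caplen = get_u32(buf + off + 20);  /* captured length field */
            if (caplen > total - 32) return NULL;      /* caplen must fit inside the block */
            *plen = caplen;
            return buf + off + 28;                     /* 8-byte block header + 20 fixed fields */
        }
        off += total;
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample frame: a made-up 4-byte marker followed by two payload bytes. */
    static const uint8_t frame[] = { 0xCA, 0xFE, 0xBE, 0xEF, 0x01, 0x02 };
    uint8_t file[512];
    size_t n = build_pcapng(file, sizeof file, LINKTYPE_USER0, frame, sizeof frame);
    FILE *f = fopen("user0.pcapng", "wb");       /* constructed file name */
    if (f) { fwrite(file, 1, n, f); fclose(f); }
    printf("wrote %zu bytes, IDB LinkType = %d\n", n, pcapng_idb_linktype(file, n));
    return 0;
}
```

Because pcap-common.c already maps 147 to WTAP_ENCAP_USER0 (the table pasted above), a capture written this way reaches the plugin with the frame's first byte at tvb offset 0 once the handoff function registers in the table the answer names: in the guide's example, the "udp.port" line becomes dissector_add_uint("wtap_encap", WTAP_ENCAP_USER0, foo_handle). The reader side deliberately rejects a block whose total length is not a multiple of 4 or does not fit in the buffer, and an EPB whose captured length exceeds the block, which is the kind of check a dissector for a home-grown link type also needs before trusting the header bytes. The answer's caveat still applies: another tool may emit 147 for an unrelated format, so a marker check on the custom header is the only thing distinguishing them.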

Comments

Hi Harris, thank you so much. I am going to use the first one. It should work fine locally now.

qutefu (2017-12-18 17:59:31 +0000)
