Ask Your Question

distinguish dissectors using same udp port

asked 2019-06-11 06:28:28 +0000

BMWE gravatar image

Hello all,

I have 2 dissectors using same udp port (7555).

How can I register and distinguish between those two simultaneously in wireshark? For one of them I knows that it udp length is for sure greater than of the other one. Each one of them has specific IP convention (i.e 1st one is 1.1.1XX.11, 2nd is 2.2XX.22.2)

Currently my association of the protocols to the udp is as follows

local p_multi = Proto("multi", "MultiProto");    
local wtap_encap_table = DissectorTable.get("wtap_encap")
local udp_encap_table = DissectorTable.get("udp.port")

wtap_encap_table:add(wtap.USER15, p_multi)
wtap_encap_table:add(wtap.USER12, p_multi)
udp_encap_table:add(7555, p_multi)
edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2019-06-11 14:15:52 +0000

Jaap gravatar image

Make them heuristic dissectors, that is dissectors which get UDP packets and then first determine if the protocol is theirs and only then dissect it.

edit flag offensive delete link more


Can you please elaborate more how to do it?

BMWE gravatar imageBMWE ( 2019-06-11 14:20:48 +0000 )edit

In the code tree, in the doc directory, there's the file README.heuristic which explains this in detail.

Jaap gravatar imageJaap ( 2019-06-11 15:51:16 +0000 )edit

@Jaap, I've implemented as in the dns example, (with my protocol conditions), however, when testing it not to fit the rules, wireshark still parses the protocol

BMWE gravatar imageBMWE ( 2019-06-13 05:56:13 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2019-06-11 06:28:28 +0000

Seen: 178 times

Last updated: Jun 11 '19