Using SLL dissector output in own dissector?

Hello,

I've cobbled together my very first dissector today to decode an internal company protocol, identified by EtherType = 0x88aa.

We capture traffic in a Linux-derived computer unit using tcpdump and so the Wireshark trace includes "Linux cooked capture" of the first few octets.

I've worked around this and managed to get my dissector working on the "unicast to us (0)" packets just as I need:

0000   00 00 00 01 00 06 02 00 00 80 3b 30 00 00 88 aa
0010   01 3b 00 10 09 00 00 00 00 10 09 7b 00 00 05 00
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0030   00 00 22 00 00 30 00 00 00 00 00 00 00 00 a0 90
0040   3b 00 02 00 00 01 3b 00 02 00 00 80 3b 20 02 00
0050   00 80 3b 30

Frame 9078: 84 bytes on wire (672 bits), 84 bytes captured (672 bits)
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 1
    Link-layer address length: 6
    Source: 02:00:00:80:3b:30 (02:00:00:80:3b:30)
    Unused: 0000
    Protocol: Unknown (0x88aa)
Nokia EMB Protocol
    EMB header version: 0x01
    DMX message length: 34
    DMX computer: 0x00003000
    DMX family: OMU-0 (0x00000000)
    DMX message number: EPO_SYNC_MSG_S (0x000090a0)
    DMX phys_computer: GISU-1 (0x0000003b)

However, I'd like to decode the "sent by us (4)" packets too:

0000   00 04 00 01 00 06 02 00 00 80 73 30 00 00 88 aa
0010   02 00 00 80 00 30 02 00 00 80 73 30 88 aa 01 73
0020   00 d2 81 80 3b 20 02 63 86 68 00 00 05 00 00 00
0030   00 30 73 30 6b 06 00 00 00 80 00 00 e8 8d 73 00
0040   22 00 00 30 00 00 00 00 00 00 00 00 a0 90 73 00
0050   02 00 00 01 73 00 02 00 00 80 73 20 02 00 00 80
0060   73 30

Frame 9081: 98 bytes on wire (784 bits), 98 bytes captured (784 bits)
Linux cooked capture
    Packet type: Sent by us (4)
    Link-layer address type: 1
    Link-layer address length: 6
    Source: 02:00:00:80:73:30 (02:00:00:80:73:30)
    Unused: 0000
    Protocol: Unknown (0x88aa)
Nokia EMB Protocol
    EMB header version: 0x02

My dissector really needs to start at octet 2 as this is the payload I want to decode.

So is there any way, in my dissector, I can check the sll.pkttype value that the SLL dissector generates? If it's LINUX_SLL_OUTGOING (0x0004) then my dissector can handle the rest of the message, but my dissector can only see from octet 16, after the SLL dissector has had its fill.

Will continue researching.
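Added example, not the poster's dissector (whose code is not shown): a minimal Wireshark Lua dissector for EtherType 0x88aa that reads the sll.pkttype value the "Linux cooked capture" dissector has already produced, via a field extractor, and skips a 14-byte Ethernet header when the type is 4 (sent by us). The 14-byte skip is an inference from the two dumps above: in the "sent by us" frame the octets after the SLL header look like a destination address, the same source address SLL reported (02:00:00:80:73:30) and EtherType 88 aa, and the recognisable EMB bytes ("22 00 00 30 ... a0 90") sit exactly 14 octets later than in the "unicast to us" frame. The protocol and field names (emb, emb.version, emb.payload) and the treatment of everything after the version byte as opaque payload are assumptions; the real EMB layout is not in the post.

```lua
-- Added example (not the poster's code): EtherType 0x88aa dissector that
-- consults the SLL packet type produced by the built-in "Linux cooked
-- capture" dissector. Field names emb.* and the 14-byte skip are assumptions.

local LINUX_SLL_OUTGOING = 4        -- sll.pkttype value shown as "Sent by us (4)"
local ETH_HDR_LEN        = 14       -- dst(6) + src(6) + EtherType(2)
local EMB_ETHERTYPE      = 0x88aa

local emb = Proto("emb", "Nokia EMB Protocol")

local f_version = ProtoField.uint8("emb.version", "EMB header version", base.HEX)
local f_skipped = ProtoField.bytes("emb.skipped_eth", "Embedded Ethernet header (skipped)")
local f_payload = ProtoField.bytes("emb.payload", "EMB payload")
emb.fields = { f_version, f_skipped, f_payload }

-- A field extractor must be created at script load time. Calling it inside
-- the dissector returns the FieldInfo that an earlier dissector (SLL here)
-- already added to the tree for the current frame, or nil if there is none.
local sll_pkttype = Field.new("sll.pkttype")

-- Where the EMB bytes start inside the tvb we are handed (offset 16 of the
-- frame, i.e. right after the SLL header). Kept separate so the rule is
-- easy to reason about: only skip when SLL says "sent by us" AND the bytes
-- really look like an Ethernet header ending in our own EtherType.
local function emb_offset(pkttype, tvb)
    if pkttype == LINUX_SLL_OUTGOING
       and tvb:len() >= ETH_HDR_LEN
       and tvb(ETH_HDR_LEN - 2, 2):uint() == EMB_ETHERTYPE then
        return ETH_HDR_LEN
    end
    return 0
end

function emb.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "EMB"
    local subtree = tree:add(emb, tvb(), "Nokia EMB Protocol")

    -- nil when the frame has no SLL header (e.g. a plain Ethernet capture);
    -- in that case we simply decode from offset 0 as before.
    local fi = sll_pkttype()
    local pkttype = fi and fi.value or nil

    local off = emb_offset(pkttype, tvb)
    if off > 0 then
        subtree:add(f_skipped, tvb(0, off))
    end
    if tvb:len() < off + 1 then
        return 0   -- too short to hold even the version byte; hand back to Wireshark
    end

    subtree:add(f_version, tvb(off, 1))
    subtree:add(f_payload, tvb(off + 1))
    subtree:append_text(string.format(", version 0x%02x%s", tvb(off, 1):uint(),
                        pkttype == LINUX_SLL_OUTGOING and " (sent by us)" or ""))
    return tvb:len()
end

-- Same table the SLL and Ethernet dissectors use to hand off by EtherType.
DissectorTable.get("ethertype"):add(EMB_ETHERTYPE, emb)
```

Load it with `wireshark -X lua_script:emb.lua` (or place it in the personal plugins directory) and check that the "Sent by us (4)" frame now shows "EMB header version: 0x01" instead of the 0x02 that was really the first byte of the embedded destination address. The extractor only sees fields that were dissected before the EMB dissector ran, which is the case here because the ethertype hand-off happens after the SLL tree has been built; on captures made with an Ethernet link type there is no sll.pkttype at all, so the code falls back to offset 0 rather than erroring.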