# Revision history

### How can I use conversations in custom dissectors

I have a custom dissector written in C that dissects a simple client-server protocol. The protocol, though, has one quirk: if an operation is successful it sets the ACK flag; if not, the ACK bit is not set. However, if the bit is not set, it looks exactly like a packet a client might send to a server. My idea was to use conversations to track whether a packet is a response to a query.

From reading the README.dissector documentation I came up with the following:

    guint* conv_frames;
    /* Look up the conversation for this packet's address/port tuple (flags 0 = exact match). */
    conversation_t* conv = find_conversation_pinfo(pinfo, 0);

    if (conv == NULL) {
        /* No conversation yet: create one and keep the handle, otherwise conv stays NULL below. */
        conv = conversation_new(pinfo->num, &pinfo->src, &pinfo->dst,
                                conversation_pt_to_endpoint_type(pinfo->ptype),
                                pinfo->srcport, pinfo->destport, 0);
    }

    /* Per-conversation frame counter, allocated in file scope so it lives as long as the capture. */
    conv_frames = (guint*) conversation_get_proto_data(conv, proto_rnvs);
    if (conv_frames == NULL) {
        conv_frames = (guint*) wmem_alloc(wmem_file_scope(), sizeof(guint));
        *conv_frames = 0;
        conversation_add_proto_data(conv, proto_rnvs, conv_frames);
    }

    *conv_frames = *conv_frames + 1;

    /* .... */

    /* Even count: treat this frame as the server's response to the preceding request. */
    if (*conv_frames % 2 == 0) {
        proto_item_append_text(ti, ", %s", val_to_str(flags, server_response, "Unknown (0x%02x)"));
        col_add_fstr(pinfo->cinfo, COL_INFO, "%s", val_to_str(flags, server_response, "Unknown (0x%02x)"));
        /* Reset the pairing: the next frame starts a new request/response pair. */
        conversation_delete_proto_data(conv, proto_rnvs);
    } else {
        /* Odd count: treat this frame as a client request. */
        proto_item_append_text(ti, ", %s", val_to_str(flags, client_ops, "Unknown (0x%02x)"));
        col_add_fstr(pinfo->cinfo, COL_INFO, "%s", val_to_str(flags, client_ops, "Unknown (0x%02x)"));
    }

This seems to work when I run it in TShark, but in Wireshark, as soon as I enter a filter, it fails and misinterprets the packets. I suspect that this code only works on the first dissection run and then has some 'leftover' state. But I don't understand the conversation feature enough to tell what I am missing here. Can anybody help me out here?
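A self-contained C model of the behaviour the question describes, added here as an example (it is not code from the question or from Wireshark, and uses no Wireshark headers): it simulates the first dissection pass and the re-dissections a display filter or a click triggers, compares a counter-only approach with one that advances conversation state only when `visited` is false and records the role per frame, and counts how many re-dissections change a frame's role.

```c
#include <stdio.h>
#include <string.h>

/* Self-contained model of Wireshark's dissection passes (not Wireshark code).
 * A frame is dissected once on file load (visited == 0) and again whenever a
 * display filter or a click re-dissects it (visited == 1). Conversation data
 * outlives both passes; per-frame data is keyed by frame number, like
 * p_add_proto_data()/p_get_proto_data() in Wireshark. */

#define MAX_FRAMES 16
enum { ROLE_NONE = 0, ROLE_CLIENT = 1, ROLE_SERVER = 2 };

static unsigned conv_frames_seen;          /* stands in for conversation proto data */
static int per_frame_role[MAX_FRAMES + 1]; /* stands in for per-packet proto data */
/* Naive: the counter advances on every dissection, so the role depends on
 * how many times any frame has been shown, not on the frame itself. */
static int dissect_naive(unsigned frame_num, int visited) {
    (void)frame_num; (void)visited;
    conv_frames_seen++;
    return (conv_frames_seen % 2 == 0) ? ROLE_SERVER : ROLE_CLIENT;
}

/* Fixed: advance conversation state only on the first pass (Wireshark:
 * !pinfo->fd->visited) and remember the decision per frame. */
static int dissect_fixed(unsigned frame_num, int visited) {
    if (!visited) {
        conv_frames_seen++;
        per_frame_role[frame_num] = (conv_frames_seen % 2 == 0) ? ROLE_SERVER : ROLE_CLIENT;
    }
    return per_frame_role[frame_num];
}

/* Load n frames, click on frame 2, then apply a display filter (which
 * re-dissects every frame). Returns how many re-dissections changed the role. */
static int count_mismatches(int (*dissect)(unsigned, int), unsigned n) {
    int first[MAX_FRAMES + 1], mismatches = 0;
    conv_frames_seen = 0;
    memset(per_frame_role, 0, sizeof per_frame_role);
    for (unsigned f = 1; f <= n; f++) first[f] = dissect(f, 0); /* initial load */
    if (dissect(2, 1) != first[2]) mismatches++;                  /* click on frame 2 */
    for (unsigned f = 1; f <= n; f++)                             /* display filter */
        if (dissect(f, 1) != first[f]) mismatches++;
    return mismatches;
}

int main(void) {
    printf("naive: %d role changes\n", count_mismatches(dissect_naive, 4)); /* 5 */
    printf("fixed: %d role changes\n", count_mismatches(dissect_fixed, 4)); /* 0 */
    return 0;
}
```

With four frames the naive counter flips the role of every re-dissected frame, while the visited-gated version returns the same role no matter how often a frame is shown.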