The use of serial to IP servers is prevalent in the SCADA world. These devices usually set up a single port per serial connection, generally in continuous blocks. The number of ports can range from 1 to 64 (possibly more but I haven't seen one yet). It would be useful to be able to set up a dissector override that targets a port range. Currently you have to set up each port manually and Wireshark forgets the settings when you shut it down. asked 12 May '11, 10:06  Graemem edited 12 May '11, 11:15  cmaynard ♦♦ |
3 Answers:
See Jeff's answer to the Request: Decode as - save and load settings question. Basically, "range" preferences can be used to do this for the dissectors in question. answered 12 May '11, 11:25  JeffMorriss ♦ edited 20 Dec '11, 06:53 cmaynard ♦♦ |
In the dialog "Decode as" select the protocol and click on Apply. Then click on the button "Show Current" and click on save. Wireshark will then remember these settings. Regards answered 11 Oct '12, 07:06  Kurt Knochner ♦ edited 11 Oct '12, 07:08 |
I have found a solution! The save User Specified Decodes has a bug. I am using 120 sockets in order to manage communications to 40 base stations. After about 20 minutes of manually setting a Decode As for each port I realised that I was seeing previously set ports. Scanning back through the capture file there were chunks of previously set decodes redirections not being applied. If you save more than around 60 entries it will overwrite a previous setting. But there is a workaround. The User Specified Decodes are kept in a text file in the current profile folder. See http://www.wireshark.org/docs/wsug-html-chunked/ChWindowsFolder.html for the location of the folder. The file called "decode-as-entries" contains lines looking like this for DNP3: "decode-as-entry: tcp.port,20031,(none),DNP 3.0" I then used a spread sheet to generate the 120 lines of decodes (just to make things fun they are not consequtive), saved it as a csv file, opened it in notepad and copied it into the decode-as-entries file. And it works; all 120 decode redirections are now correctly decoded, and Wireshark remembers the settings after a restart. Also as the decodes are kept in a text file it is easy to transfer them to another PC. Note: replace the '-'s with underscores. Thanks to all who replied, it really helped. answered 12 Oct '12, 01:27 Graemem Note that as of r44486, I modified the DNP3 dissector to act as a heuristic dissector so that you wouldn't need to use "Decode As" for DNP3 as it should all work automagically. This change is only in the 1.9 dev branch at the moment so you'll need to either build from source, or use a nightly build to see the effects. Feedback would be appreciated. (12 Oct '12, 01:36) grahamb ♦ grahamb I have tried 1.9.0 r45495 on a 32bit XP pro machine. I can confirm that it looks like it works. I did get some funny decodes so I checked the preferences. They went away when I checked "Protocols, TCP, Try heuristic sub-dissectors first:". One difference. I am using 1.8.2 r44520 and I get 55552 packets displayed (dnp3 and not tcp.analysis.retransmission), With the same file and filter on the 1.9.0 v45495 I get 56121 packets marked. When I get time I will try to work out what the difference is. (12 Oct '12, 02:36) Graemem |
Where can I find the "range" prefences for a dissector?
See the prefs_register_range_preference() function. For an example using that function, look at the Diameter dissector (epan/dissectors/packet-diameter.c).