This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How does a dissector report payload back to Wireshark?


If I'm writing a dissector for a protocol whose payload could contain a message in another protocol, how do I signal that fact to Wireshark? How do I let Wireshark know that my dissector hasn't fully consumed all the bytes in tvb?

From the docs:

"Every dissection starts with the Frame dissector which dissects the packet details of the capture file itself (e.g. timestamps). From there it passes the data on to the lowest-level data dissector, e.g. the Ethernet dissector for the Ethernet header. The payload is then passed on to the next dissector (e.g. IP) and so on."

asked 25 Nov '15, 05:23


mdgarrison

edited 25 Nov '15, 06:13


One Answer:


You should call the sub-dissector directly. See README.dissector "Section 1.7 Calling other dissectors".

answered 25 Nov '15, 05:53


grahamb ♦

Thanks for the answer; I'm thinking more about how a dissector like IP works; it parses its header fields then returns a pointer to the remaining data back to Wireshark, which then invokes the TCP dissector. (Or does the IP dissector call a TCP sub-dissector automatically?)

Who invokes the TCP dissector -- Wireshark or the IP dissector?

TIA!

(25 Nov '15, 06:01) mdgarrison

I think it's the IP dissector.

The IPv4 (and v6) dissector calls ip_try_dissect(), which calls dissectors that have registered in the "ip.proto" table, using the protocol value in the ip header field as the index in the table.

The tcp dissector registers in that table with its proto value (6).

Dissector tables are discussed in README.dissector "Section 1.7.1. Dissector Tables".

(25 Nov '15, 06:22) grahamb ♦

Thanks, and that makes sense; the mechanism that's tripping me up is this: It seems to be the responsibility of a dissector to report back any 'undissected' bytes to Wireshark, so that when another dissector's called, its tvb points to the undissected data.

How do I (as a dissector) let Wireshark know that there's data remaining left over from my dissection?

(I appreciate the efforts to explain this, btw -- I'm having difficulty in formulating the right question!)

(25 Nov '15, 07:42) mdgarrison

Assuming you're writing a "new" style dissector (all dissectors should be "new" style, there's a big effort on to convert the old ones), i.e. your dissector registers with new_register_dissector() or via new_create_dissector_handle(), then your "dissection" function should be of type new_dissector_t and return an int, which is the amount of data in the protocol's PDU.

See the header for the typedef of new_dissector_t in epan/packet.h:

/*
 * Dissector that returns:
 *
 *  The amount of data in the protocol's PDU, if it was able to
 *  dissect all the data;
 *
 *  0, if the tvbuff doesn't contain a PDU for that protocol;
 *
 *  The negative of the amount of additional data needed, if
 *  we need more data (e.g., from subsequent TCP segments) to
 *  dissect the entire PDU.
 */
typedef int (*new_dissector_t)(tvbuff_t *, packet_info *, proto_tree *, void *);

(25 Nov '15, 08:01) grahamb ♦

When you want to call another dissector on the remaining bytes of a TVB then (usually) you'll want to create a new subset TVB that contains only the (so far undissected - because it's your protocol's payload) bytes. You can then pass that new TVB to the next dissector (so it sees only the thus-far-undissected bytes).

The API you want is something like tvb_new_subset() (sorry, it's too painful from here to look up the exact API).

(25 Nov '15, 08:13) JeffMorriss ♦
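To show both points of the thread together (the int return contract from grahamb's comment and the subset tvb handed to the next dissector from JeffMorriss's), here is an added, stand-alone C model of the mechanism; it is not Wireshark code and uses its own hypothetical names (tvb_t, dissect_ip_model, dissect_tcp_model, ip_proto_table), with a toy 2-byte "IP" header in place of the real one. It assumes a model "TCP" with a fixed 20-byte header and shows the three return cases (consumed, 0 for "not my PDU" or malformed length, negative for "need more bytes"), plus the length check a dissector needs so it never reads past the end of its tvb.

```c
/* Stand-alone model of the dissector return-value contract (not Wireshark's API). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
typedef struct { const uint8_t *data; size_t len; } tvb_t; /* stands in for tvbuff_t */
typedef int (*dissector_fn)(const tvb_t *tvb);

/* Subset tvb holding only the bytes this layer has not consumed (its payload). */
static tvb_t tvb_subset_remaining(const tvb_t *tvb, size_t offset) {
    tvb_t sub = { tvb->data + offset, tvb->len - offset };
    return sub;
}

/* Model "TCP": fixed 20-byte header, everything after it is its payload. */
static int dissect_tcp_model(const tvb_t *tvb) {
    if (tvb->len < 20) return -(int)(20 - tvb->len); /* need N more bytes (reassembly) */
    return (int)tvb->len;                            /* whole PDU consumed */
}

/* Model of the "ip.proto" dissector table: protocol number -> handler (6 = TCP). */
static dissector_fn ip_proto_table[256];
/* Model IP header: byte 0 = header length in bytes, byte 1 = protocol number. */
static int dissect_ip_model(const tvb_t *tvb) {
    if (tvb->len < 2) return 0;                /* no header: not our PDU */
    size_t hlen = tvb->data[0];
    if (hlen < 2 || hlen > tvb->len) return 0; /* bad length: never read past the tvb */
    dissector_fn next = ip_proto_table[tvb->data[1]];
    if (next) {
        tvb_t payload = tvb_subset_remaining(tvb, hlen);
        int r = next(&payload);
        if (r > 0) return (int)hlen + r;       /* header + sub-dissector's PDU */
        if (r < 0) return r;                   /* propagate "need more data" */
    }
    return (int)hlen; /* sub-dissector absent or declined: only the header was dissected */
}

/* Dissect one raw frame; the result tells the caller how many bytes were consumed. */
static int dissect_frame(const uint8_t *buf, size_t len) {
    ip_proto_table[6] = dissect_tcp_model;
    tvb_t tvb = { buf, len };
    return dissect_ip_model(&tvb);
}

int main(void) {
    static const uint8_t frame[24] = { 4, 6 };   /* constructed: 4-byte hdr, proto 6, 20 payload bytes */
    static const uint8_t partial[14] = { 4, 6 }; /* constructed: only 10 payload bytes present */
    printf("full: %d  partial: %d\n", dissect_frame(frame, 24), dissect_frame(partial, 14));
    return 0;
}
```

In Wireshark itself the leftover bytes, when no sub-dissector claims them, are handed to the "data" dissector so they still show up in the tree.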