Ethereal-dev: Re: [ethereal-dev] conversation wildcard entry
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
Date: Wed, 27 Sep 2000 09:12:57 +0200
> Where I don't care where the dest port is, only if the
> if I get any packet to or from the new 1 dynamic port
> allocated on my machine.
> ie: any packet from port "dyn_port" on my local
> machine to "anyport" on a remote machine
> should be a conversation.

I used a "fake" address. When my heuristic dissector is called it checks its destination and source port if it's in a conversation, I ignore the second (the fake) address in the conversation.

Example:

static address fake_addr;
static int heur_init = FALSE;

static const char rtp_proto[] = "RTP";

void rtp_add_address( const unsigned char* ip_addr, int prt )
{
    address src_addr;
    conversation_t* pconv = ( conversation_t* ) NULL;

    src_addr.type = AT_IPv4;
    src_addr.len = 4;
    src_addr.data = ip_addr;

    /*
     * The first time the function is called let the
     * udp dissector know that we're interested in traffic
     */
    if ( ! heur_init ) {
        heur_dissector_add( "udp", dissect_rtp_heur );
        heur_init = TRUE;
    }

    /*
     * Check if the ip address and port combination is not
     * already registered
     */
    pconv = find_conversation( &src_addr, &fake_addr, /* fake */
                               PT_UDP, prt, 0 );       /* fake */

    /*
     * If not, add
     */
    if ( ! pconv ) {
        conversation_new( &src_addr, &fake_addr,       /* fake */
                          PT_UDP, (guint32) prt,
                          (guint32) 0,                 /* fake */
                          ( void * ) rtp_proto );
    }
}

static void rtp_init( void )
{
    unsigned char* tmp_data;
    int i;

    /* Create a fake address... */
    fake_addr.type = AT_IPv4;
    fake_addr.len = 4;

    tmp_data = malloc( fake_addr.len );
    for ( i = 0; i < fake_addr.len; i++) {
        tmp_data[i] = 0;
    }
    fake_addr.data = tmp_data;
}

gboolean dissect_rtp_heur( tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree )
{
    /* This is a heuristic dissector, which means we get all the
     * tcp traffic not sent to a known dissector!
     * So we first check if the frame is really meant for us.
     */
    conversation_t* pconv;

    if ( ( pconv = find_conversation( &pi.src, &fake_addr, /* fake */
                                      pi.ptype, pi.srcport,
                                      0 ) ) == NULL ) {    /* fake port */
        /*
         * The source ip:port combination was not what we were
         * looking for, check the destination
         */
        if ( ( pconv = find_conversation( &pi.dst, &fake_addr,
                                          pi.ptype, pi.destport,
                                          0 ) ) == NULL ) {
            return FALSE;
        }
    }

    /*
     * An RTP conversation always contains data
     */
    if ( pconv->data == NULL )
        return FALSE;

    /*
     * An RTP conversation data always contains "RTP"
     */
    if ( strcmp( pconv->data, rtp_proto ) != 0 )
        return FALSE;

    dissect_rtp( tvb, pinfo, tree );

    return TRUE;
}

The string I put in the data part of the conversation was necessary to differentiate between two protocols that use conversations in the same way, I had to search long before I found this to be the solution.

--
Andreas Sikkema andreas.sikkema@xxxxxxxxxxx

"Standing barefoot in a river of clues, most people would
not get their toes wet." - Brian Kantor in a.s.r.