Ethereal-dev: [Ethereal-dev] Re: [Ethereal-users] Dissector and Port#

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Thu, 30 Jan 2003 20:54:18 -0800
On Thu, Jan 30, 2003 at 02:45:41PM -0500, Parks, Chauni wrote:
> Not sure if this is the right list to ask this question, but I will ask
> anyway.  I am in the process of writing a dissector

That means that ethereal-dev is the right list; I'm redirecting this to
that list.  Ethereal-users is for users; ethereal-dev is for developers,
and if you're writing a dissector, you're a developer.

> and turning it into a
> plugin, using Linux 2.4.19 Red Hat. I am creating a dissector/plugin to
> dissect home-grown middleware. I am trying to crack open the data section of
> TCP, which contains middleware messages. This middleware uses several
> different ports. How can I eliminate hard coding the port numbers and have
> the dissector capture all middleware messages on all ports?

If there's a way for your dissector to look at a TCP segment and
determine whether it's a middleware message or not, you'd register your
dissector as a TCP heuristic dissector.

Your dissector would take the standard dissector arguments, but would
return a gboolean.  It would first look at the data in the TCP segment
to determine whether it's a middleware message or not and, if not,
return FALSE.  Note that it should, before looking at any data, make
sure it's present - if your middleware messages have, for example,
big-endian 0xdeadbeef at an offset of 12 from the beginning of the
message, your dissector should only check the 4 bytes starting at 12 if
"tvb_bytes_exist(tvb, 12, 4)" returns "true", so you'd do something like

	if (!tvb_bytes_exist(tvb, 12, 4) ||
	    tvb_get_ntohl(tvb, 12) != 0xdeadbeef)
		return FALSE;

so that if the packet doesn't *have* 4 bytes at an offset of 12, or if
it does but it's not big-endian 0xdeadbeef, it returns FALSE.

If the packet passes all the tests, you dissect it and then return TRUE.

To register the dissector with the TCP dissector as a heuristic
dissector, you'd do

	heur_dissector_add("tcp", dissect_foo, proto_foo);

where "dissect_foo" is your top-level dissector function and "proto_foo"
is the value returned by "proto_register_protocol()" for your protocol.
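The heuristic check pattern from the reply above, as an added stand-alone example that is not part of the original post or of Ethereal's code: `tvbuff_t`, `tvb_bytes_exist()` and `tvb_get_ntohl()` are local stand-ins for Ethereal's API (a real plugin would include epan/packet.h and register with `heur_dissector_add()` as described), and `dissect_foo_heur`, `FOO_MAGIC_OFFSET` and the sample segments are constructed for illustration.

```c
/* Stand-ins for Ethereal's tvbuff API so this compiles on its own.
 * Not the library's code; real dissectors use <epan/packet.h>. */
#include <stdint.h>
#include <stddef.h>

typedef int gboolean;
#define TRUE  1
#define FALSE 0

/* Stand-in tvbuff: a captured TCP payload and its length. */
typedef struct {
    const uint8_t *data;
    size_t len;
} tvbuff_t;

/* Stand-in tvb_bytes_exist(): TRUE if [offset, offset+length) is in bounds. */
static gboolean tvb_bytes_exist(const tvbuff_t *tvb, size_t offset, size_t length)
{
    return offset <= tvb->len && length <= tvb->len - offset;
}

/* Stand-in tvb_get_ntohl(): big-endian 32-bit read; caller checks bounds first. */
static uint32_t tvb_get_ntohl(const tvbuff_t *tvb, size_t offset)
{
    const uint8_t *p = tvb->data + offset;
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

#define FOO_MAGIC_OFFSET 12          /* hypothetical message layout */
#define FOO_MAGIC        0xdeadbeefUL

/* Heuristic dissector: FALSE unless the segment carries a middleware
 * message.  The bounds check runs before the read, so a truncated or
 * unrelated short segment never causes an out-of-range access. */
static gboolean dissect_foo_heur(const tvbuff_t *tvb)
{
    if (!tvb_bytes_exist(tvb, FOO_MAGIC_OFFSET, 4) ||
        tvb_get_ntohl(tvb, FOO_MAGIC_OFFSET) != FOO_MAGIC)
        return FALSE;
    /* Full dissection of the message would go here. */
    return TRUE;
}

/* Constructed sample segments: one middleware message, one unrelated payload. */
static const uint8_t foo_segment[16]   = { 0,0,0,0, 0,0,0,0, 0,0,0,0, 0xde,0xad,0xbe,0xef };
static const uint8_t other_segment[16] = { 0,0,0,0, 0,0,0,0, 0,0,0,0, 'H','T','T','P' };

/* Wrap a byte buffer as a tvbuff and run the heuristic over it. */
static gboolean check_segment(const uint8_t *bytes, size_t len)
{
    tvbuff_t tvb = { bytes, len };
    return dissect_foo_heur(&tvb);
}
```

Passing `foo_segment` with a length shorter than 16 exercises the truncated-segment case: the magic is never read and the heuristic simply returns FALSE.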