Ethereal-dev: Re: [Ethereal-dev] Layered protocol query

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 1 Apr 2003 10:55:53 -0800

On Tue, Apr 01, 2003 at 03:17:02PM +0100, Graham Bloice wrote:
> I'm starting a protocol dissector for DNP 3.0 over TCP/IP (see www.dnp.org).
> The protocol has 3 layers, a data link layer that provides low level framing
> and checksums, a transport layer for message assembly and disassembly over
> multiple data link frames, and finally an application layer that actually
> handles the data.
> 
> My question is which end do I approach the dissection from?  I've already
> written a data link layer dissector, how do I then call the transport layer
> dissector

If link-layer frames are always handled by the same transport layer
protocol, you'd have the transport layer dissector register itself by
name using a "register_dissector()" call, and have the link-layer
dissector get a handle for that dissector with a "find_dissector()"
call and call the dissector through that handle with a
"call_dissector()" call.

> and also accumulate all the data over multiple data link frames
> for the upper layers?

You can probably use the reassembly code for that.  To see other
dissectors that use reassembly code, look for "fragment_add" in the
source.

"fragment_add()" would be used if the link-layer frames have an IP-style
byte offset that's used for reassembly, with the first fragment having a
sequence number of 0.

"fragment_add_seq()" would be used if the link-layer frames have a
sequence number that's used for reassembly, with the first fragment
having a sequence number of 0.

Both of those require that there be an "identifier" field that's the
same for all fragments in a packet and that's not likely to be reused in
a way that could confuse reassembly.

"fragment_add_seq_check()" would be used instead of "fragment_add_seq()"
if the identifier field *is* likely to be reused.

"fragment_add_seq_next()" is used if there's no identifier, i.e. you
will (assuming no packets are dropped, and all are captured) see all the
fragments of a given packet, with no fragments from other packets
intermingled with the fragments of that packet.

You might probably want to make a preference setting to control whether
to do reassembly.
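
A simplified model of the sequence-number reassembly the message above describes for "fragment_add_seq()", added here as an example; it is not part of the original post and is not Ethereal's code. The function name `frag_add_seq`, the `more_frags` flag and the size limits are assumptions; the model keys in-progress packets on the identifier, accepts fragments in any order, and bounds every field taken from the wire.

```c
/* Added example: simplified model of sequence-number reassembly.
 * Not Ethereal's code; names and limits below are assumptions. */
#include <stdint.h>
#include <string.h>

#define MAX_FRAGS 16  /* highest accepted sequence number + 1 */
#define MAX_LEN   64  /* largest accepted fragment payload */
#define MAX_PKTS  8   /* concurrent reassemblies */
struct pkt {
    int in_use, last_seq;   /* last_seq is -1 until the final fragment is seen */
    uint32_t id;            /* identifier shared by all fragments of a packet */
    uint8_t have[MAX_FRAGS], len[MAX_FRAGS], data[MAX_FRAGS][MAX_LEN];
};
static struct pkt table[MAX_PKTS];

/* Returns the reassembled length once complete, 0 while fragments are
 * still missing, -1 if the fragment is rejected. */
int frag_add_seq(uint32_t id, unsigned seq, const uint8_t *buf, size_t n,
                 int more_frags, uint8_t *out, size_t cap)
{
    struct pkt *p = NULL, *spare = NULL;
    if (seq >= MAX_FRAGS || n > MAX_LEN) return -1;  /* bound wire-supplied fields */
    for (int i = 0; i < MAX_PKTS; i++) {
        if (table[i].in_use && table[i].id == id) { p = &table[i]; break; }
        if (!table[i].in_use && !spare) spare = &table[i];
    }
    if (!p) {                                        /* first fragment for this id */
        if (!spare) return -1;                       /* table full: refuse, don't grow */
        p = spare;
        memset(p, 0, sizeof *p);
        p->in_use = 1; p->id = id; p->last_seq = -1;
    }
    if (p->last_seq >= 0 && (int)seq > p->last_seq) return -1;  /* past the end */
    if (p->have[seq]) return 0;                      /* duplicate: first copy wins */
    memcpy(p->data[seq], buf, n);
    p->len[seq] = (uint8_t)n; p->have[seq] = 1;
    if (!more_frags && p->last_seq < 0) p->last_seq = (int)seq;
    if (p->last_seq < 0) return 0;                   /* final fragment not seen yet */
    size_t total = 0, off = 0;
    for (int s = 0; s <= p->last_seq; s++) {
        if (!p->have[s]) return 0;                   /* gap: keep waiting */
        total += p->len[s];
    }
    if (total > cap) return -1;
    for (int s = 0; s <= p->last_seq; off += p->len[s++])
        memcpy(out + off, p->data[s], p->len[s]);
    p->in_use = 0;                                   /* release the slot */
    return (int)total;
}
```

Releasing the slot on completion means a later packet that reuses the same identifier starts a fresh entry; a packet that never completes keeps its slot, which is why the table size is fixed.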