Ethereal-dev: RE: [Ethereal-dev] ethereal and src/dest port
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Date: Fri, 25 Mar 2005 00:29:02 -0500
I assume that what you mean to say is that you want Ethereal to decode some particular xyz protocol, which may be running over a udp or tcp port in the range of 50000-60000. If so, then here's what I did to solve a similar problem for a given xyz protocol built on top of udp:

1) Add a port preference and range (not required, but could be useful):

    #include "prefs.h"

    static unsigned int xyz_base_port = 50000;
    static unsigned int xyz_port_range = 10001;

    void proto_register_xyz(void)
    {
        module_t *xyz_module;
        ...
        xyz_module = prefs_register_protocol(proto_xyz, proto_reg_handoff_xyz);
        prefs_register_uint_preference(xyz_module, "base_port",
            "XYZ UDP base port",
            "Set the UDP base port for XYZ (Default port is 50000)",
            10, &xyz_base_port);
        prefs_register_uint_preference(xyz_module, "port_range",
            "XYZ UDP port range",
            "Set the range of UDP ports for XYZ (Default range is 10001)",
            10, &xyz_port_range);
        ...
    } /* proto_register_xyz() */

2) Register your dissector as a heuristic dissector:

    void proto_reg_handoff_xyz(void)
    {
        static int xyz_prefs_initialized = FALSE;

        if ( !xyz_prefs_initialized )
        {
            heur_dissector_add("udp", dissect_xyz, proto_xyz);
            xyz_prefs_initialized = TRUE;
        }
    } /* proto_reg_handoff_xyz() */

3) Change the dissector code to accommodate the requirements of a heuristic dissector:

    #define PORT_RANGE(port,range) \
        (((pinfo->srcport >= (port)) && (pinfo->srcport < ((port)+(range)))) || \
         ((pinfo->destport >= (port)) && (pinfo->destport < ((port)+(range)))))

    static gboolean dissect_xyz(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
    {
        if ( !PORT_RANGE(xyz_base_port, xyz_port_range) )
        {
            /* Check other criteria here, if applicable */
            return (FALSE);
        }
        pinfo->current_proto = "XYZ";
        ...
        return (TRUE);
    } /* dissect_xyz() */

I think that should be it. If I've left anything out, check the README.developer.
Regards,
Chris

-----Original Message-----
From: ethereal-dev-bounces@xxxxxxxxxxxx [mailto:ethereal-dev-bounces@xxxxxxxxxxxx] On Behalf Of Glenn D Blanford Jr
Sent: Thursday, March 24, 2005 8:37 PM
To: ethereal-dev@xxxxxxxxxxxx
Subject: [Ethereal-dev] ethereal and src/dest port

Does anyone know how to force Ethereal to choose a specific port or port order? Specifically I want to decode particular ports in the 50000-60000 range (for a private network application) but don't know whether they will be src or dest. The peer will usually have a smaller port number like 1200 or 6000 ish so the port hash always fails me (if the other port corresponds to a somewhat-well-known port (1024-44152?)).

The "decode As" would work but I want to do it permanently and for a range of ports. I guess I am looking for a way to reverse the port search order in the hash.

Has anyone worked with this? I would be grateful for your help.

Thank you,
Glenn Blanford
Lucent
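The port-range test from step 3, pulled out of the Ethereal API into a stand-alone C program as an added example (not code from the post or from Ethereal). `struct pkt_ports`, `port_in_range` and `xyz_heuristic_accepts` are hypothetical names, and because the post does not describe XYZ's wire format, the 4-byte minimum length and the leading 'X','Y' bytes are constructed stand-ins for the "other criteria" a heuristic dissector would check before claiming a packet.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the two packet_info fields the post's PORT_RANGE macro reads. */
struct pkt_ports {
    uint32_t srcport;
    uint32_t destport;
};

/* True if port lies in [base, base + range). The bound is computed in
 * 64 bits so an oversized preference value cannot wrap the upper limit. */
static bool port_in_range(uint32_t port, uint32_t base, uint32_t range)
{
    uint64_t end = (uint64_t)base + range;   /* exclusive upper bound */
    return port >= base && (uint64_t)port < end;
}

/* Heuristic decision: accept only if either port is in range AND the payload
 * passes a content check. Returning false lets other dissectors try the
 * packet, which is why a port match alone is a weak criterion. */
static bool xyz_heuristic_accepts(const struct pkt_ports *p,
                                  const uint8_t *payload, size_t len,
                                  uint32_t base, uint32_t range)
{
    if (!port_in_range(p->srcport, base, range) &&
        !port_in_range(p->destport, base, range))
        return false;                 /* neither side uses an XYZ port */
    if (payload == NULL || len < 4)
        return false;                 /* too short for the assumed header */
    return payload[0] == 'X' && payload[1] == 'Y';   /* constructed magic */
}

int main(void)
{
    /* Constructed sample: peer on 1200, XYZ endpoint on 55000. */
    struct pkt_ports p = { 1200, 55000 };
    const uint8_t xyz[]   = { 'X', 'Y', 0x00, 0x01 };
    const uint8_t other[] = { 0x16, 0x03, 0x01, 0x00 };

    printf("xyz payload:   %d\n", xyz_heuristic_accepts(&p, xyz, sizeof xyz, 50000, 10001));
    printf("other payload: %d\n", xyz_heuristic_accepts(&p, other, sizeof other, 50000, 10001));
    return 0;
}
```
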