Wireshark · Ethereal-dev: Re: [Ethereal-dev] help on dissector_add

["kig" <gkiss@xxxxxxxxxxx>]

Hello Dear Harris,

First, I thank you very much for your comment on my case earlier, however I 
still have no success with it yet. I had to get over some other things 
recently, but I must turn back to this problem again. Clearly I feel not 
enough experienced in ethereal to understand your description in the second 
part of your advice. Fake dissector with that horrible "snap - pid - oui" 
magic sounds too complicated to me. (though I tried to implement something 
you described there...)

However even if it is not the nicest solution, I don't understand why my 
idea is wrong with using the following line
       dissector_add( "llc.dsap", 0xaa, my_handle );
considering my sniffer result that is:

Frame 1 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: Seabridg_df:00:f5 (00:0a:bc:df:00:f5), Dst: 
01:80:63:07:00:01 (01:80:63:07:00:01)
802.1Q Virtual LAN
   111. .... .... .... = Priority: 7
   ...0 .... .... .... = CFI: 0
   .... 0000 0000 1100 = ID: 12
   Length: 42
Logical-Link Control
   DSAP: SNAP (0xaa)
   IG Bit: Individual
   SSAP: SNAP (0xaa)
   CR Bit: Command
   Control field: U, func=UI (0x03)
       000. 00.. = Command: Unnumbered Information (0x00)
       .... ..11 = Frame type: Unnumbered frame (0x03)
   Organization Code: Unknown (0x080006)
   Protocol ID: 0x0088
Data (34 bytes)

I also tried
       dissector_add( "llc.proto", 0x0088, my_handle );
which you described to be theoretically wrong because of that mentioned 
snap - pid - oui problem.
Just as a trial the following also failed:
       dissector_add( "llc.proto_nt", 0x0088, my_handle );
Nevertheless, according to my source analysis "llc.dsap" should be a valid 
string.

I'd very much appreciate any comment on finding a (possibly simple) 
solution, (even if it is not as I originally wanted). Unfortunately official 
docs are dealing with "tcp.port" usage and nothing else... I feel somewhat 
lost with this a bit.


best regards,



----- Original Message ----- 
From: "Guy Harris" <gharris@xxxxxxxxx>
To: "Ethereal development" <ethereal-dev@xxxxxxxxxxxx>
Sent: Tuesday, January 10, 2006 8:40 PM
Subject: Re: [Ethereal-dev] help on dissector_add


> Kiss Gyula wrote:
> > Thanks for your value info for understanding the problem, however this 
> > still doens't work to me. I tried with "llc.dsap" now but nothing 
> > happened. I mean that my dissect_abcd() function is not called. (I have a 
> > capture to test with)
>
> Do any packets in that capture have 802.2 packets with a DSAP value equal 
> to the value you used in the dissector_add() call?
>
> If not, *that's* why nothing happened - there are no packets that have the 
> specified DSAP value.
>
> (Note: no dissector should *EVER* register for a DSAP value of 0xAA. Those 
> packets *MUST* be processed by the LLC dissector's SNAP code.)
>
> If your dissector has a particular SNAP PID value, such as 0x0088, 
> assigned to it, then that value *MUST* have been assigned within a 
> particular space of PID values - there isn't a single global space of PID 
> values, there are multiple spaces, each one identified by an IEEE OUI.
>
> The OUI of 00:00:00 is for a space of PIDs that's the same as the space of 
> Ethernet types, but 0x0088 isn't a valid Ethernet type (it's too small).
>
> For the other PID spaces, you would first need to register a "fake" 
> dissector for the OUI for that space; that dissector would then get a 
> dissector table name for the PIDs in its space, and your "abcd" dissector 
> would then register in *that* dissector table.
>
> See "epan/dissectors/packet-nt-oui.c" as an example of one of those "fake 
> dissectors" for a given SNAP OUI, and see 
> "epan/dissectors/packet-nt-sonmp.c" for an example of a dissector that 
> registers with a particular PID (two of them, actually) in the space for 
> that Nortel OUI.
>
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev