Wireshark-dev: Re: [Wireshark-dev] Question concerning some specific protocol...
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Sun, 1 Oct 2006 07:48:14 +0200 (CEST)
Hi,

Ahhh, now it's getting simple. Just create a heuristic dissector for your
proprietary protocol. It DOES work by recognition of (part of) content.
For RTP you'll have to enable the preference "Try to decode RTP outside of
conversations". You can look in the RTP dissector how it's done and use
that same method in your own dissector.

Thanx,
Jaap

On Sat, 30 Sep 2006, Tobias Erichsen wrote:

> The problem is that the port is not fixed - the protocol(s) may run on
> any ports.
>
> Are protocols that are recognized automatically by Wireshark always
> recognized by the port, not by the content of the datagrams?
>
> I know that I can go to a sniffed packet and say "decode as", selecting
> the protocol manually, but it would be cool to let Wireshark/my protocol
> plugin find it out automatically: if it finds any packets that are
> encoded according to the proprietary protocol, then as soon as this fact
> is established, all packets for this UDP port tuple will be decoded
> by my plugin, even though some of the packets won't match the proprietary
> signature (in this case I would know that it is RTP data and decode accordingly).
>
> Tobias
>
> > -----Original Message-----
> > From: wireshark-dev-bounces@xxxxxxxxxxxxx
> > [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On behalf of
> > Jaap Keuter
> > Sent: Saturday, 30 September 2006 17:53
> > To: Developer support list for Wireshark
> > Subject: Re: [Wireshark-dev] Question concerning some
> > specific protocol... [heur]
> >
> > Hi,
> >
> > Well that is simple then. Register your proprietary dissector
> > for the UDP port. If it's your protocol dissect it, otherwise
> > hand it over to the RTP dissector.
> >
> > Thanx,
> > Jaap
> >
> > On Sat, 30 Sep 2006, Tobias Erichsen wrote:
> >
> > > Hi everyone,
> > >
> > > I have used Ethereal/Wireshark for some time now, and I would like to
> > > contribute by developing a protocol plugin for a combination of a
> > > proprietary and an open protocol based on RTP...
> > >
> > > Both protocols run on the same UDP port-pair tuple. The proprietary
> > > protocol can be detected very easily, as it has an easy-to-distinguish
> > > signature. The RTP-based part cannot, as RTP has really no good
> > > recognition value.
> > >
> > > So how would I design such a dissector, so that if I detect the
> > > easy-to-recognize proprietary protocol on a UDP port tuple, I could
> > > then heuristically see that the other datagrams will be the RTP-based
> > > ones and hand off their decoding appropriately (writing again my own
> > > dissector for this specific RTP payload type)?
> > >
> > > Best regards,
> > > Tobias
> > >
> > > PS.: I will be developing & testing the stuff on Windows-platform,
> > > cause that's what I'm most familiar with ;-)
> > >
> >
> > _______________________________________________
> > Wireshark-dev mailing list
> > Wireshark-dev@xxxxxxxxxxxxx
> > http://www.wireshark.org/mailman/listinfo/wireshark-dev
> >
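The design Jaap describes, as an added stand-alone C sketch that is not Wireshark's own code and not from the thread: a heuristic that recognizes the proprietary signature by content alone, then pins the UDP tuple so that the weakly recognizable RTP datagrams on that same tuple are claimed too, while RTP on an unknown tuple is still rejected. The 'PROP' magic, the tuple table and the minimal RTP check are constructed for illustration; in a real dissector the table is Wireshark's conversation API (heur_dissector_add(), conversation_set_dissector()).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed 4-byte signature of the proprietary protocol (hypothetical). */
static const uint8_t PROP_MAGIC[4] = { 'P', 'R', 'O', 'P' };
enum verdict { V_REJECT = 0, V_PROPRIETARY = 1, V_RTP = 2 };

/* Per UDP tuple state; Wireshark keeps this in its conversation table. */
struct conv { uint32_t a_ip, b_ip; uint16_t a_port, b_port; int pinned; };
#define MAX_CONV 16
static struct conv table[MAX_CONV];
static size_t nconv;

static struct conv *find_or_add(uint32_t sip, uint16_t sport,
                                uint32_t dip, uint16_t dport) {
    if (sip > dip || (sip == dip && sport > dport)) { /* one entry per pair */
        uint32_t ti = sip; sip = dip; dip = ti;
        uint16_t tp = sport; sport = dport; dport = tp;
    }
    for (size_t i = 0; i < nconv; i++)
        if (table[i].a_ip == sip && table[i].a_port == sport &&
            table[i].b_ip == dip && table[i].b_port == dport)
            return &table[i];
    if (nconv == MAX_CONV) return NULL;
    table[nconv] = (struct conv){ sip, dip, sport, dport, 0 };
    return &table[nconv++];
}
/* Content recognition, the only thing a heuristic dissector can rely on. */
static int looks_proprietary(const uint8_t *p, size_t len) {
    return len >= 8 && memcmp(p, PROP_MAGIC, sizeof PROP_MAGIC) == 0;
}

/* Weak RTP sanity check: 12-byte fixed header and version bits == 2. */
static int looks_rtp(const uint8_t *p, size_t len) {
    return len >= 12 && (p[0] >> 6) == 2;
}

/* What the heuristic entry point decides for one UDP datagram. */
enum verdict heur_dissect(uint32_t sip, uint16_t sport, uint32_t dip,
                          uint16_t dport, const uint8_t *p, size_t len) {
    struct conv *c = find_or_add(sip, sport, dip, dport);
    if (looks_proprietary(p, len)) {
        if (c) c->pinned = 1;     /* conversation_set_dissector() in Wireshark */
        return V_PROPRIETARY;
    }
    /* RTP alone is too weak a signal: claim it only on a pinned tuple. */
    if (c && c->pinned && looks_rtp(p, len)) return V_RTP;
    return V_REJECT;              /* let other heuristics try */
}
```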