Wireshark-dev: Re: [Wireshark-dev] Adding a dissector for "Analyze->Decode As"
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 16 Feb 2007 16:03:41 -0800
On Feb 16, 2007, at 3:28 PM, Ravi Kondamuru wrote:

> I am trying to write a dissector for a non-standard rpc protocol.
> Writing a heuristic to automatically identify the protocol is
> getting too complicated. So, I was wondering if I could add a
> dissector that can be used when I select a connection and explicitly
> say Decode As. Is it possible to do that?
If your protocol runs directly on top of UDP or TCP, yes. (If it runs
on top of some other RPC protocol - i.e., if by "rpc protocol"
you mean a protocol that is implemented using some RPC
mechanism such as ONC RPC or DCE RPC - then, no, you can't, and you
*shouldn't*; there's already a mechanism for registering dissectors for
ONC RPC-based and DCE RPC-based protocols.)
> If it is, any pointers to notes on how it can be done?
If your protocol runs on top of UDP, so that you'd want to use "Decode
As" to indicate that a particular UDP port should be used for your
protocol, then call

    dissector_add_handle("udp.port", {the handle for your dissector});

If your protocol runs on top of TCP, so that you'd want to use "Decode
As" to indicate that a particular TCP port should be used for your
protocol, then call

    dissector_add_handle("tcp.port", {the handle for your dissector});
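As an added illustration of the registration Guy describes (not code from the thread or from Wireshark itself), the same "Decode As only" registration on both tcp.port and udp.port, written as a Wireshark Lua dissector instead of the C API; the protocol name "myrpc", its two fields and the 8-byte minimum length are assumptions for the example, and the add_for_decode_as call needs a recent Wireshark Lua API.

```lua
-- Added example, not from the mailing-list thread: a minimal dissector that
-- claims no fixed port and is offered only through "Analyze -> Decode As"
-- on both transports. "myrpc" and its layout are invented for illustration.
local myrpc = Proto("myrpc", "Example non-standard RPC (Decode As only)")

local f_xid  = ProtoField.uint32("myrpc.xid",  "Transaction ID", base.HEX)
local f_proc = ProtoField.uint32("myrpc.proc", "Procedure",      base.DEC)
myrpc.fields = { f_xid, f_proc }

function myrpc.dissector(buf, pinfo, tree)
    -- Cheap sanity check: a conversation wrongly mapped to this protocol
    -- with a tiny payload is rejected rather than rendered as garbage.
    if buf:len() < 8 then return 0 end

    pinfo.cols.protocol = myrpc.name
    local st = tree:add(myrpc, buf(0, 8))
    st:add(f_xid,  buf(0, 4))
    st:add(f_proc, buf(4, 4))
    return buf:len()
end

-- No port is bound here; the user picks a UDP or TCP conversation and
-- selects "myrpc" explicitly, exactly the Decode As workflow asked about.
DissectorTable.get("tcp.port"):add_for_decode_as(myrpc)
DissectorTable.get("udp.port"):add_for_decode_as(myrpc)
```

In the C API the equivalent call discussed in this thread, dissector_add_handle(), was later renamed dissector_add_for_decode_as() in Wireshark 2.x, so look for that name in current sources.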
---
(Please excuse the email format. I am cut-n-pasting to a PDA.)

Is it possible to add both TCP and UDP handles to a dissector? I have
successfully built an RPC-based dissector, but it is only called for TCP
packets. UDP packets go undissected.

In my proto_reg_handoff I call the canonical rpc_init_prog() and
rpc_init_proc_table(), which appear to default to the rpc_tcp_handle.