Wireshark-dev: Re: [Wireshark-dev] GTP session plugin
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Fri, 23 Oct 2015 14:56:19 -0400
On 10/22/15 03:43, POZUELO Gloria (BCS/PSD) wrote:
> Hi all,
>
> I get in touch with you, since I would like to develop a new plugin for
> GTP protocol (V1 and V2 versions). This functionality would consist of
> looking for all messages that belong to the same session.  For
> instance: you select from 1 to N Create Session Request or Create PDP
> Context and all the information about those sessions will be shown, this
> way you could export those specific packets.

It sounds like what you're describing is similar to what a number of
other dissectors do (like TCP, SCTP, and I think SCCP).  You would
basically need to modify the GTP dissector to build up state which 
includes information about each GTP session (similar to the way the TCP 
dissector builds up state information about each TCP connection).
I can't really offer any specific advice other than to look at how other 
dissectors do it.  If you want a starting point, look at the 
"tcp.stream" field (which uniquely identifies a TCP connection that the 
TCP dissector has found).  Also you need to be aware that dissectors 
usually build up this state only on the first pass through the packets 
(when pinfo->fd->flags.visited is FALSE).
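
The first-pass pattern described in the reply above, as an added stand-alone C model that is not part of the original message and is not Wireshark code. frame_t, session_for_frame() and the other names are hypothetical, and identifying a session by a single TEID is a simplifying assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SESSIONS 64
#define MAX_FRAMES   256

/* Simplified stand-in for the per-frame data a dissector receives
 * (assumption: one TEID per frame identifies the session). */
typedef struct { uint32_t num; bool visited; uint32_t teid; } frame_t;

static uint32_t session_teid[MAX_SESSIONS]; /* session index -> TEID */
static uint32_t session_count;
static int32_t  frame_session[MAX_FRAMES];  /* frame number -> session index */

void sessions_reset(void)
{
    session_count = 0;
    for (int i = 0; i < MAX_FRAMES; i++) frame_session[i] = -1;
}

uint32_t sessions_known(void) { return session_count; }

/* Returns the session index for a frame, or -1 if it is unknown. */
int32_t session_for_frame(const frame_t *f)
{
    if (f->num >= MAX_FRAMES) return -1;
    if (!f->visited) {                       /* first pass: build state */
        uint32_t i = 0;
        while (i < session_count && session_teid[i] != f->teid) i++;
        if (i == session_count) {            /* TEID not seen yet: new session */
            if (session_count == MAX_SESSIONS) return -1;
            session_teid[session_count++] = f->teid;
        }
        frame_session[f->num] = (int32_t)i;  /* remember the result per frame */
    }
    return frame_session[f->num];            /* later passes: lookup only */
}

int main(void)
{
    /* Constructed sample capture: frames 0 and 2 share a TEID. */
    frame_t cap[] = { {0, false, 0x1001}, {1, false, 0x2002}, {2, false, 0x1001} };
    sessions_reset();
    for (int i = 0; i < 3; i++) {
        printf("frame %u -> session %d\n", (unsigned)cap[i].num, (int)session_for_frame(&cap[i]));
        cap[i].visited = true;               /* in Wireshark the framework sets this */
    }
    return 0;
}
```

Because later passes only read the per-frame table, frames can be revisited in any order without the session numbering changing.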