Wireshark-users: Re: [Wireshark-users] Detecting protocol headers
From: wsgd <wsgd@xxxxxxx>
Date: Mon, 09 Mar 2009 22:02:14 +0100
1) For this kind of question, use the dev mailing list.

2) To find the functions, use any search tool! All these functions are inside the epan directory (or a sub-directory).

3) Each protocol registers itself to its parent protocol using dissector_add. E.g., for the ftp protocol:

    dissector_add("tcp.port", TCP_PORT_FTPDATA, ftpdata_handle);
    dissector_add("tcp.port", TCP_PORT_FTP, ftp_handle);

with

    #define TCP_PORT_FTPDATA 20
    #define TCP_PORT_FTP 21

Olivier Rayne wrote:
Thanks for your replies. I took a look at packet-udp.c and packet-ip.c, and am wondering where I can find the definitions of the following functions:

    call_dissector()
    dissector_add()
    dissector_try_heuristic()
    dissector_try_port()
    register_dissector_table()
    register_heur_dissector_list()

and the following structures:

    dissector_table_t
    heur_dissector_list_t
    dissector_handle_t

Also, where are the UDP ports and list of heuristic dissectors tried by the UDP dissector defined? From what I can understand from packet-udp.c, the structures udp_dissector_table and heur_subdissector_list are first defined and registered in the file packet-udp.c itself. So how would the UDP dissector know which sub-dissector and UDP ports to try next in order to call the next dissector?

And am I right to say that the protocol tree is built before the first packet is captured, when all the protocol dissectors are registered? In other words, as each dissector is registered, they are added to the protocol tree accordingly. So if I were to add a new dissector, say, Ethernet -> IP -> new_protocol -> TCP -> Payload, I would have to add this new protocol such that it extends from the IP branch? And this is done by calling the function dissect_new_protocol and using the corresponding argument "tree"? Also, it appears that dissector_add() would be called so that the IP -> new_protocol relationship can be established?

Where can I find an example where dissect-protocol() is called?

I also noticed that in packet-ip.c, the function dissector_try_port() is called. However, it appears that the "port" used here is the protocol field. Without seeing the definition for dissector_try_port(), I'm guessing that the second argument of this function is the search criteria, and for UDP (and presumably TCP), it's the source/destination ports, whereas for IP, it's the protocol field. Is this correct?

Thank you and sorry for the long post and questions!
--- On Fri, 3/6/09, Guy Harris <guy@xxxxxxxxxxxx> wrote:

From: Guy Harris <guy@xxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Detecting protocol headers
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Cc: hjazz6@xxxxxxxxx
Date: Friday, March 6, 2009, 6:55 PM

On Mar 6, 2009, at 10:08 AM, Stephen Fisher wrote:

> Take a look at epan/dissectors/packet-udp.c in the source code. In
> particular, the decode_udp_ports() function. The UDP dissector follows
> the general method for finding the next dissector to call. In the case
> of UDP, it uses the port number to find which dissector(s) has
> registered itself on that udp port and then calls it. If there is more
> than one, it is expected that each one will do a heuristic check of
> (usually) the first few bytes of the packet to determine if it should
> accept the packet and if not, Wireshark gives it to the next dissector
> registered on that port to see if it will accept it with a heuristic
> check.

In addition, the UDP dissector has a list of purely-heuristic dissectors; depending on the setting of a preference, those are either called, one after another, before the UDP dissector tries dissectors based on port numbers (so that a heuristic dissector can grab traffic even if one of the ports it's coming from or going to has a UDP dissector for it) or after the UDP dissector tries dissectors based on port numbers. The heuristic dissectors are called regardless of the port number; they also check (usually) the first few bytes of the packet to decide whether to accept it or not.
-- Wireshark Generic Dissector http://wsgd.free.fr
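The dispatch the thread describes (a port-keyed dissector table where several handles may share one port and each does its own check, plus a list of heuristic dissectors tried either before or after the port lookup depending on a preference) as a stand-alone C model. This is an added example, not Wireshark's epan code: the type and function names imitate the real ones but are defined here, the toy dissectors are constructed, and trying the destination port before the source port is a simplification chosen for the model.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DISSECTORS 8

/* A dissector inspects the payload and returns true if it accepts it,
 * writing the protocol name into out. (Model type, not epan's.) */
typedef bool (*dissector_handle_t)(const uint8_t *buf, size_t len, char *out, size_t outsz);

typedef struct { unsigned port; dissector_handle_t handle; } port_entry_t;
typedef struct { port_entry_t entries[MAX_DISSECTORS]; int n; } dissector_table_t;
typedef struct { dissector_handle_t handles[MAX_DISSECTORS]; int n; } heur_dissector_list_t;

/* Model of dissector_add("udp.port", port, handle): several handles may share a port. */
static void dissector_add(dissector_table_t *t, unsigned port, dissector_handle_t h) {
    if (t->n < MAX_DISSECTORS) {
        t->entries[t->n].port = port;
        t->entries[t->n].handle = h;
        t->n++;
    }
}

static void heur_dissector_add(heur_dissector_list_t *l, dissector_handle_t h) {
    if (l->n < MAX_DISSECTORS) l->handles[l->n++] = h;
}

/* Model of dissector_try_port: every handle registered on the port gets a try,
 * in registration order, until one accepts. */
static bool dissector_try_port(const dissector_table_t *t, unsigned port,
                               const uint8_t *buf, size_t len, char *out, size_t outsz) {
    for (int i = 0; i < t->n; i++)
        if (t->entries[i].port == port && t->entries[i].handle(buf, len, out, outsz))
            return true;
    return false;
}

/* Model of dissector_try_heuristic: the list is walked regardless of port. */
static bool dissector_try_heuristic(const heur_dissector_list_t *l,
                                    const uint8_t *buf, size_t len, char *out, size_t outsz) {
    for (int i = 0; i < l->n; i++)
        if (l->handles[i](buf, len, out, outsz)) return true;
    return false;
}

/* Toy dissectors, constructed for this model; they are not real protocol parsers. */
static bool dissect_syslog(const uint8_t *buf, size_t len, char *out, size_t outsz) {
    if (len > 0 && buf[0] == '<') { snprintf(out, outsz, "syslog"); return true; }
    return false;                               /* no PRI field: decline, let the next handle try */
}
static bool dissect_text(const uint8_t *buf, size_t len, char *out, size_t outsz) {
    if (len == 0) return false;
    for (size_t i = 0; i < len; i++)
        if (!isprint(buf[i])) return false;
    snprintf(out, outsz, "text"); return true;
}
static bool dissect_dns(const uint8_t *buf, size_t len, char *out, size_t outsz) {
    (void)buf;
    if (len < 12) return false;                 /* shorter than a 12-byte DNS header */
    snprintf(out, outsz, "dns"); return true;
}
static bool heur_magic(const uint8_t *buf, size_t len, char *out, size_t outsz) {
    if (len >= 4 && memcmp(buf, "MAGC", 4) == 0) { snprintf(out, outsz, "magic"); return true; }
    return false;
}

/* Model of decode_udp_ports: the preference decides whether the heuristic list
 * runs before or after the port lookup. Trying dst then src is a simplification. */
static const char *decode_udp_ports(const dissector_table_t *t, const heur_dissector_list_t *l,
                                    unsigned src, unsigned dst, bool try_heuristic_first,
                                    const uint8_t *buf, size_t len, char *out, size_t outsz) {
    if (try_heuristic_first && dissector_try_heuristic(l, buf, len, out, outsz)) return out;
    if (dissector_try_port(t, dst, buf, len, out, outsz)) return out;
    if (dissector_try_port(t, src, buf, len, out, outsz)) return out;
    if (!try_heuristic_first && dissector_try_heuristic(l, buf, len, out, outsz)) return out;
    snprintf(out, outsz, "data");               /* nobody accepted: shown as raw data */
    return out;
}

/* Registrations, as each protocol's register function would perform them. */
static void register_all(dissector_table_t *t, heur_dissector_list_t *l) {
    memset(t, 0, sizeof *t); memset(l, 0, sizeof *l);
    dissector_add(t, 53, dissect_dns);
    dissector_add(t, 514, dissect_syslog);     /* two dissectors share port 514 */
    dissector_add(t, 514, dissect_text);
    heur_dissector_add(l, heur_magic);
}

/* Classify one constructed datagram; returns the chosen protocol name. */
static const char *classify(unsigned src, unsigned dst, bool heur_first, const char *payload) {
    static char out[16];
    dissector_table_t t; heur_dissector_list_t l;
    register_all(&t, &l);
    return decode_udp_ports(&t, &l, src, dst, heur_first,
                            (const uint8_t *)payload, strlen(payload), out, sizeof out);
}

int main(void) {
    printf("%s\n", classify(40000, 53, false, "MAGC........"));  /* dns: port lookup wins */
    printf("%s\n", classify(40000, 53, true,  "MAGC........"));  /* magic: heuristic ran first */
    printf("%s\n", classify(40000, 514, false, "<34>hello"));    /* syslog */
    printf("%s\n", classify(40000, 514, false, "hello"));        /* text: syslog declined */
    printf("%s\n", classify(40000, 9999, false, "hello"));       /* data: nothing matched */
    return 0;
}
```

The second and first calls differ only in the preference flag: with heuristics first, heur_magic claims a datagram on a port that has a registered dissector, which is exactly the effect the quoted reply describes; with heuristics last, the port entry takes it and the heuristic never sees it.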