Wireshark-dev: Re: [Wireshark-dev] Fwd: new dissector for IBM Communication Tools
From: Toralf Förster <toralf.foerster@xxxxxx>
Date: Mon, 25 Sep 2006 11:10:12 +0200
Hello,

I incorporated the suggested changes and added the forward reference
of 3 functions as seen in the developer guide.

The current version of the IBM ICT dissector and and some sample packets
are attached onto this mail.

Thanks for any further comment to my first try.

> Toralf,
>
> Please also change the // comments to /* ones.
>
> Please make it hauristic and test if it looks like ICT and return TRUE
> if it does and is dissected or FALSE if it doesnt look like this
> protocol and the packet should be given to some other dissector
> instead.
>
> Since this protocol appears to be ASCII based a simple enough
> heuristic could probably be to just check that the first 4-8 bytes of
> the packet are all ASCII characters or something.
>
>
> Do you have an example capture for this protocol?


-- 
MfG/Sincerely
Toralf Förster
/* packet-ict.c
 * Routines for IBM Communication Tools packet dissection
 * Copyright 2006, Toralf Förster <toralf.foerster@xxxxxx>
 *
 * Wireshark - Network traffic analyzer
 * By Gerald Combs <gerald@xxxxxxxxxxxxx>
 * Copyright 1998 Gerald Combs
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 */

#ifdef HAVE_CONFIG_H
# include "config.h"
#endif

#include <epan/packet.h>
#include <epan/strutil.h>

/* forward reference */
void proto_register_ict();
void proto_register_ict();
void dissect_ict(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree);

static int proto_ict = -1;
static int hf_ict_string = -1;

static gint ett_ict = -1;

/* This dissector works for UDP packets of the IBM Communication Tools  */
#define ICT_PORT 1510

/* we have an UDP packet with a simple string as a payload like :
 * "email adress>:0:123:Hamburg:Hamburg:12345 Germany:12345:DE:"
 */

#define ICT_FIELDS 8
static const char *fields[ICT_FIELDS] = {
	"Email",
	"Unknown",
	"Counter",
	"Location",
	"City",
	"Address",
	"Postal Code",
	"Notes Domain"
};

static void
dissect_ict(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
  proto_tree	*ict_tree;
  proto_item	*ti;

  gint		offset = 0;
  const guchar	*line;
  gint		next_offset;
  int		linelen;
  int		len;
  int		i;

  if (check_col(pinfo->cinfo, COL_PROTOCOL))
    col_set_str(pinfo->cinfo, COL_PROTOCOL, "ICT");

  linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
  line = tvb_get_ptr(tvb, offset, linelen);

  /* Since port 1510 is assigned to another protocol, according to
   * IANA (http://www.iana.org/assignments/port-numbers) :
   * mvx-lm          1510/udp    Midland Valley Exploration Ltd. Lic. Man.
   * we use some heuristic here
   */

  /* at least ICT_FIELDS chars are expected */
  if (linelen < ICT_FIELDS)
    return (FALSE);

  /* the last char must be a ':'*/
  if (line[linelen-1] != ':')
    return (FALSE);

  /* only ASCII chars are expected, check he first few chars */
  for (i = 0; i < ICT_FIELDS; i++)	{
    if (!isascii (line[i]))
      return (FALSE);
  }

  /*
   * ok, handle packet as an IBM ICT packet
   */

  if (check_col(pinfo->cinfo, COL_INFO)) {
    col_add_fstr(pinfo->cinfo, COL_INFO, "%s",
    pinfo->destport == ICT_PORT ? format_text(line, linelen) : "");
  }

  if (tree) {
    ti = proto_tree_add_item(tree, proto_ict, tvb, 0, -1, FALSE);
    ict_tree = proto_item_add_subtree(ti, ett_ict);

    next_offset = -1;
    for (i = 0; i < ICT_FIELDS; i++)	{
      offset = next_offset + 1;
      if ( (next_offset = tvb_pbrk_guint8(tvb,offset,-1,":")) >= linelen)
        break;

      len = next_offset - offset;
      proto_tree_add_text(ict_tree, tvb, offset, len, "%s: %s", fields[i],
        format_text(tvb_get_ptr(tvb, offset, len), len));
    }
  }
}

void
proto_register_ict(void)
{

  static hf_register_info hf[] = {
    { &hf_ict_string,
      { "ICT", "ict.string",
	FT_STRING, BASE_NONE, NULL, 0x0,
      	"ICT protocol", HFILL }}
  };
  static gint *ett[] = {
    &ett_ict,
  };

  proto_ict = proto_register_protocol("ICT Protocol", "ICT", "ict");
  proto_register_field_array(proto_ict, hf, array_length(hf));
  proto_register_subtree_array(ett, array_length(ett));
}

void
proto_reg_handoff_ict(void)
{
  dissector_handle_t ict_handle;

  ict_handle = create_dissector_handle(dissect_ict, proto_ict);
  dissector_add("udp.port", ICT_PORT, ict_handle);
}

Attachment: packet_ict.pcap
Description: Binary data

Attachment: pgpJwvkjc78zp.pgp
Description: PGP signature