Wireshark-dev: Re: [Wireshark-dev] How do I make use of my dissector.
From: "Neha Chahal" <neha.chahal@xxxxxxxxx>
Date: Fri, 17 Nov 2006 17:11:15 -0800
Is there a hueristic dissector I can follow to write my dissector. Can someone please point me to a sample program or some documentation on this.
Thank you
Neha
--
Thanks and Regards,
Neha Chahal
Cell- 443 207 0414
Thank you
Neha
On 11/17/06,
Neha Chahal <neha.chahal@xxxxxxxxx> wrote:
Thank you !
My capture file just has packets in my protocol format. It does not have udp or tcp packets encapsulating other protocols ( for now ) . It is strictly binary stream in the LEA format. So I think I should write a hueristic dissector. Will this work ? Right now the TCP/UDP headers are already stripped off by the application layer. Can i just right a dissector independent of the udp/tcp ports/protocol. ?
And I will move to wireshark. I have already actually.
Thank you
Regards, Neha--On 11/17/06, Guy Harris < guy@xxxxxxxxxxxx> wrote:
On Nov 17, 2006, at 2:53 PM, Neha Chahal wrote:
> I have a dissector and a capture file. I am not capturing packets on
> the network.
>
> This is how I execute tethereal.
>
> tethereal -r capture.out -V -T pdml
>
> 1. I wrote a module in the wiretap/ dir and tethereal is able to
> understand the format of my capture file. Here I think the seek_read
> method is not bieng called. Isn't this the method that gives the
> packet to the dissector?
No.
That is one of the *two* methods that are called by the code that,
after calling those methods and getting packet data, calls the top-
level dissection code.
The other method is the read method. Since TShark (which is what you
should be using, not tethereal; see the parenthetical note below)
sequentially reads through the capture file, it uses only the read
method, not the seek_read method.
(Note that any help we give you will be help that pertains to working
with the latest version of the code, and the latest version is called
Wireshark, not Ethereal, and the command-line version is called
TShark, not Tethereal; if you're going to be developing protocols, I
strongly suggest that you do so with the latest release of Wireshark,
or with the top-of-tree Subversion tree of Wireshark, rather than with
the last version of Ethereal that was ever produced.)
> 2. But my problem is that it doesnot call my dissector.
>
> in the dissector code I have the -->
> dissector_add("udp.port " , ...) .
>
> Question is : I want to use a capture a file not a port to listen on.
The "port" refers to the source and destination port fields in the UDP
header, not to a network port on which you would be capturing.
That call implies that your protocol runs on top of UDP. Either
1) it has a standard UDP port number that it always uses, in which
case you specify that UDP port number
or
2) it doesn't have a standard UDP port number, in which case you will
have to do one of the following:
1) write a heuristic dissector that looks at packets and tries to
determine whether they look like packets for your protocol;
2) add a preference setting to your dissector, allowing one or more
UDP port numbers to be specified, and register it using those port
numbers (and re-register if that preference is changed) - you'd be
able to set that preference value from the command line in TShark with
the "-o" option;
3) register it as a UDP dissector with no port number and, in a
capture, select a packet that you think is a packet for your protocol
and use the "Decode As" menu item to decode it using your dissector -
that, obviously, won't work with TShark at all.
> Is there some thing else I need to specify instead of the "
> udp.port", if I have to what is this ? Does it matter?
See above.
> 3. I know my dissector registers with tethereal. But I dont know on
> what criteria does tethereal decide to call my dissector.
See above. It has to register itself in such a way as to *tell*
Wireshark or TShark when to call it, for example, by registering as a
heuristic dissector (in which case it's called if no other dissector
has dissected it yet, and your dissector either returns FALSE to
indicate that it's not a packet for your protocol or dissects it and
returns TRUE to indicate that it is a packe for your protocol), or by
registering with the "udp.port" dissector table with a particular port
number (in which case a UDP packet to or from that port number will be
dissected by your dissector), or by registering it as a UDP dissector
with no port number (in which case it'll be used to dissect packets if
you tell Wireshark to do so using Decode As).
> 4. Currently the output with -V option shows the bytes in each frame
> but the protocol is "data". Also I tried printing some logs in the
> call_dissector method and saw the current_protocol values to be
> FRAME, DATA and MATE at runtime. I want this to be my protocol.
>
> This is what my output look like
>
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> The current protocol is [<Missing Protocol Name>] The protocol is
> [Frame]: The protocol is [Data]: The current protocol is [Frame]
> The protocol is [MATE]:
> <packet>
> <proto name="geninfo" pos="0" showname="General information"
> size="25">
> <field name="num" pos="0" show="15" showname="Number" value="f"
> size="25"/>
> <field name="len" pos="0" show="1149" showname="Packet Length"
> value="47d" size="25"/>
> <field name="caplen" pos="0" show="25" showname="Captured
> Length" value="19" size="25"/>
> <field name="timestamp" pos="0" show="Nov 9, 2006 10:39:
> 34.000634553" showname="Captured Time" value=" 1163097574.000634553"
> size="25"/>
> </proto>
> <proto name="frame" showname="Frame 15 (1149 bytes on wire, 25
> bytes captured)" size="25" pos="0">
> <field name="frame.marked" showname="Frame is marked: False"
> hide="yes" size="0" pos="0" show="0"/>
> <field name=" frame.time " showname="Arrival Time: Nov 9, 2006
> 10:39: 34.000634553" size="0" pos="0" show="Nov 9, 2006
> 10:39:34.000634553"/>
> <field name="frame.time_delta " showname="Time delta from
> previous packet: 0.000017267 seconds" size="0" pos="0" show="
> 0.000017267"/>
> <field name="frame.time_relative " showname="Time since reference
> or first frame: 0.000024200 seconds" size="0" pos="0"
> show="0.000024200"/>
> <field name="frame.number" showname="Frame Number: 15" size="0"
> pos="0" show="15"/>
> <field name="frame.pkt_len" showname="Packet Length: 1149 bytes"
> size="0" pos="0" show="1149"/>
> <field name="frame.cap_len" showname="Capture Length: 25 bytes"
> size="0" pos="0" show="25"/>
> <field name="frame.protocols" showname=" Protocols in frame:
> data" size="0" pos="0" show="data"/>
> </proto>
> <field name="data"
> value="85e4c90400095031455375e670001902000d00ce000f0800e6"/>
> </packet>
> </pdml>
There's no UDP in there, there's just "data". Registering with a
particular UDP port won't do you any good, there - and neither will
registering as a heuristic dissector for UDP.
What protocols are in the capture file you're reading?
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev
Thanks and Regards,
Neha Chahal
Cell- 443 207 0414
--
Thanks and Regards,
Neha Chahal
Cell- 443 207 0414
- Follow-Ups:
- Re: [Wireshark-dev] How do I make use of my dissector.
- From: Guy Harris
- Re: [Wireshark-dev] How do I make use of my dissector.
- References:
- [Wireshark-dev] How do I make use of my dissector.
- From: Neha Chahal
- Re: [Wireshark-dev] How do I make use of my dissector.
- From: Guy Harris
- Re: [Wireshark-dev] How do I make use of my dissector.
- From: Neha Chahal
- [Wireshark-dev] How do I make use of my dissector.
- Prev by Date: Re: [Wireshark-dev] How do I make use of my dissector.
- Next by Date: Re: [Wireshark-dev] wierd display issue ..
- Previous by thread: Re: [Wireshark-dev] How do I make use of my dissector.
- Next by thread: Re: [Wireshark-dev] How do I make use of my dissector.
- Index(es):