Wireshark-dev: Re: [Wireshark-dev] dissector_add(tcp.proto... / where to find parameter for dis
On Apr 23, 2009, at 3:41 AM, Eddie.1@xxxxxx wrote:
> I want to dissect all TCP and UDP protocols (actually I only want to
> dissect protocols with a special data length, but tvb_length(tvb)
> doesn't work before initializing.)
tvb_length() doesn't return the data length of a packet; it returns
the amount of *captured* data in the tvbuff. You would want
tvb_reported_length(), so it gives the right answer even for captures
where the full packet data isn't necessarily captured, due to a
snapshot length having been specified.
What you should do is have a *heuristic* dissector, which you would
register with
heur_dissector_add("udp", dissect_red, proto_red);
dissect_red() would return a gboolean - FALSE if the packet isn't a
packet for your protocol, TRUE if it is. It would probably look like
static gboolean
dissect_red(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    /* reject anything whose on-the-wire length isn't ours */
    if (tvb_reported_length(tvb) != CORRECT_DATA_LENGTH)
        return FALSE;

    /* dissect the packet */

    return TRUE;
}
although I would strongly suggest that, if there's anything else in
the packet to check whether it's a packet for your protocol or not (a
message type field, for example) that you
1) check, using tvb_bytes_exist(), whether the data for that field is
available in the tvbuff - if not, reject the packet;
2) if the data for that field is available, fetch it and check it,
and if it doesn't look right for your protocol, reject the packet;
before dissecting the packet - the stronger the heuristics for a
dissector, the better, as there will be fewer false positives (packets
*not* for your protocol that your dissector accepts and dissects as
packets for your protocol, possibly preventing it from being dissected
for the right protocol).
For TCP, it's more complicated, as TCP is a byte-stream protocol, with
no notion of packet boundaries for packets for the protocol being
carried above it. What the dissector for a protocol running atop TCP
gets handed is the contents of a TCP segment, which doesn't
necessarily correspond to a packet. Presumably the protocols you're
dissecting on top of TCP have some mechanism, such as a packet length
field, to delimit packets in the byte stream. For those, you would
probably want to check the length field in your heuristic dissector,
if possible.
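Added worked example, not part of this thread and not Wireshark code: the UDP and TCP heuristics described in the reply, compiled against minimal stand-ins for the tvbuff calls it names (tvb_length, tvb_reported_length, tvb_bytes_exist, tvb_get_guint8, tvb_get_ntohs) so the logic runs without Wireshark's headers. The "RED" wire format, RED_MSG_TYPE, RED_MSG_LEN and the sample bytes are all assumptions. It also includes a deliberately weak heuristic that compares the captured length, to show the snaplen failure and the false positive the reply warns about.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-ins for the Wireshark tvbuff API named in the reply
 * (assumption: same names and argument order; not Wireshark's code). */
typedef struct {
    const uint8_t *data;     /* bytes present in the capture file */
    size_t captured_length;  /* what tvb_length() returns: limited by snaplen */
    size_t reported_length;  /* what tvb_reported_length() returns: on-the-wire size */
} tvbuff_t;

static tvbuff_t make_tvb(const uint8_t *data, size_t captured, size_t reported)
{
    tvbuff_t t = { data, captured, reported };
    return t;
}
static size_t tvb_reported_length(const tvbuff_t *tvb) { return tvb->reported_length; }
static size_t tvb_length(const tvbuff_t *tvb) { return tvb->captured_length; }
/* True only if [offset, offset+len) lies inside the *captured* bytes. */
static bool tvb_bytes_exist(const tvbuff_t *tvb, size_t offset, size_t len)
{
    return offset <= tvb->captured_length && len <= tvb->captured_length - offset;
}
static uint8_t  tvb_get_guint8(const tvbuff_t *tvb, size_t off) { return tvb->data[off]; }
static uint16_t tvb_get_ntohs(const tvbuff_t *tvb, size_t off)
{
    return (uint16_t)((tvb->data[off] << 8) | tvb->data[off + 1]);
}

/* Assumed "RED" wire format: 1-byte type, 2-byte big-endian total length, payload.
 * The UDP flavour always carries a fixed 12-byte message. */
#define RED_MSG_TYPE 0x52
#define RED_HDR_LEN  3
#define RED_MSG_LEN  12

/* Weak heuristic: compares the *captured* length and checks nothing else, so a
 * datagram cut short by the snapshot length is wrongly rejected and any other
 * 12-byte datagram is wrongly accepted. Shown only for contrast. */
static bool dissect_red_udp_weak(const tvbuff_t *tvb)
{
    return tvb_length(tvb) == RED_MSG_LEN;
}

/* UDP heuristic as the reply recommends: datagram == message, so the reported
 * length must match exactly; then make sure the type byte was captured before
 * reading it, and reject anything whose type is not ours. */
static bool dissect_red_udp_heur(const tvbuff_t *tvb)
{
    if (tvb_reported_length(tvb) != RED_MSG_LEN)
        return false;                 /* wrong size on the wire: not ours */
    if (!tvb_bytes_exist(tvb, 0, 1))
        return false;                 /* type byte not in capture: can't tell, reject */
    if (tvb_get_guint8(tvb, 0) != RED_MSG_TYPE)
        return false;                 /* wrong type: not ours */
    /* a real dissector would build the proto_tree here */
    return true;
}

/* TCP heuristic: a segment is not a message, so validate the header and the
 * length field instead of the segment size. A message that does not fit in
 * the segment is rejected here; a real dissector would request reassembly. */
static bool dissect_red_tcp_heur(const tvbuff_t *tvb)
{
    if (!tvb_bytes_exist(tvb, 0, RED_HDR_LEN))
        return false;                 /* header not fully captured: reject */
    if (tvb_get_guint8(tvb, 0) != RED_MSG_TYPE)
        return false;                 /* wrong type: not ours */
    uint16_t msg_len = tvb_get_ntohs(tvb, 1);
    if (msg_len < RED_HDR_LEN || msg_len > tvb_reported_length(tvb))
        return false;                 /* length field inconsistent with the segment */
    return true;
}

/* Constructed sample bytes (not from any capture): one valid RED message and
 * the same bytes with a wrong type byte. */
static const uint8_t red_msg[RED_MSG_LEN]   = { 0x52, 0x00, 0x0c, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
static const uint8_t other_msg[RED_MSG_LEN] = { 0x41, 0x00, 0x0c, 1, 2, 3, 4, 5, 6, 7, 8, 9 };

int main(void)
{
    tvbuff_t full    = make_tvb(red_msg, RED_MSG_LEN, RED_MSG_LEN); /* full capture */
    tvbuff_t snapped = make_tvb(red_msg, 4, RED_MSG_LEN);           /* snaplen left 4 bytes */
    tvbuff_t other   = make_tvb(other_msg, RED_MSG_LEN, RED_MSG_LEN);
    tvbuff_t partial = make_tvb(red_msg, 5, 5);                     /* TCP segment holding part of a message */
    printf("udp full:    weak=%d heur=%d\n", dissect_red_udp_weak(&full), dissect_red_udp_heur(&full));
    printf("udp snapped: weak=%d heur=%d\n", dissect_red_udp_weak(&snapped), dissect_red_udp_heur(&snapped));
    printf("udp other:   weak=%d heur=%d\n", dissect_red_udp_weak(&other), dissect_red_udp_heur(&other));
    printf("tcp full=%d partial=%d\n", dissect_red_tcp_heur(&full), dissect_red_tcp_heur(&partial));
    return 0;
}
```

The snapped case is the one the reply is about: the datagram was 12 bytes on the wire but only 4 made it into the file, so the weak check rejects a genuine RED packet while the reported-length check still accepts it. The "other" case is the false positive: the weak check grabs a 12-byte datagram of some other protocol, keeping the right dissector from seeing it.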