Wireshark-dev: Re: [Wireshark-dev] dissector_add(tcp.proto... / where to find parameter for dis
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 23 Apr 2009 11:00:36 -0700

On Apr 23, 2009, at 3:41 AM, Eddie.1@xxxxxx wrote:

I want to dissect all TCP and UDP-Protocols (actually I only want to dissect Protocols with a special data length, but tvb_length(tvb) doesn't work before initializing.)

tvb_length() doesn't return the data length of a packet; it returns the amount of *captured* data in the tvbuff. You would want tvb_reported_length(), so it gives the right answer even for captures where the full packet data isn't necessarily captured, due to a snapshot length having been specified.

What you should do is have a *heuristic* dissector, which you would register with

	heur_dissector_add("udp", dissect_red, proto_red);

dissect_red() would return a gboolean - FALSE if the packet isn't a packet for your protocol, TRUE if it is. It would probably look like

	static gboolean
	dissect_red(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
	{
		if (tvb_reported_length(tvb) != CORRECT_DATA_LENGTH)
			return FALSE;

		dissect the packet;

		return TRUE;
	}

although I would strongly suggest that, if there's anything else in the packet to check whether it's a packet for your protocol or not (a message type field, for example) that you

1) check, using tvb_bytes_exist(), whether the data for that field is available in the tvbuff - if not, reject the packet;

2) if the data for that field is available, fetch it and check it, and if it doesn't look right for your protocol, reject the packet;

before dissecting the packet - the stronger the heuristics for a dissector, the better, as there will be fewer false positives (packets *not* for your protocol that your dissector accepts and dissects as packets for your protocol, possibly preventing it from being dissected for the right protocol).

For TCP, it's more complicated, as TCP is a byte-stream protocol, with no notion of packet boundaries for packets for the protocol being carried above it. What the dissector for a protocol running atop TCP gets handed is the contents of a TCP segment, which doesn't necessarily correspond to a packet. Presumably the protocols you're dissecting on top of TCP have some mechanism, such as a packet length field, to delimit packets in the byte stream. For those, you would probably want to check the length field in your heuristic dissector, if possible.