Wireshark-dev: Re: [Wireshark-dev] Adding a protocol under ONC-RPC (disregard previous)
On Apr 23, 2009, at 1:35 PM, Andrew Kleinerman wrote:
My current project is integrating a small protocol into Wireshark for
analysis and I feel a little out of my depth. The protocol is sent
over TCP on a non-standard port and uses the Sun XDR RPC. I went
through the step-by-step guide of creating a basic dissector, and
Wireshark will recognize it as the new protocol.
The step-by-step guide doesn't apply to ONC RPC-based protocols; they
work differently.
However, my problem
is that I cannot call dissect_rpc or dissect_rpc_tcp from my dissector
(I'm assuming for some good reason) to dissect the RPC. So I'm
guessing I have to make the RPC dissector properly see it on a
different port (is that right?).
No - as per my reply to your previous message, you don't call the RPC
dissector, the RPC dissector calls you. It will heuristically
recognize traffic for your protocol on whatever port it appears.
FOO_HEADER:
#define FOO_HEADER 0xaa
You're using 0xaa as the program number for your protocol?
I read in the archives
(http://www.ethereal.com/lists/ethereal-dev/199911/msg00094.html) that
it's necessary to make sure the proper header is in COL_PROTOCOL, is
that correct? As in, the packet is identified as an RPC first and
then the RPC dissector looks to find if the header inside matches any
it knows about?
That mail was only talking about the "Protocol" column's text set, not
to the way the RPC dissector recognizes something as being your
protocol. (And we did end up changing things - the Protocol column is
now set, for ONC RPC-based protocols, from the "short name" for the
protocol, rather than its "filter name". For example, the short name
for the NIS server protocol is "YPSERV", and the filter name is
"ypserv", so the Protocol column says "YPSERV" but you filter for
those packets using "ypserv".)
And, yes, the packet is identified as an RPC first and then looks to
see if the program number is one of the ones that was registered with
it by rpc_init_prog() and, if so, checks whether a program table
exists for the version number and, if it finds one, looks for an entry
in the program table for the procedure number.
If so, how do you direct the RPC dissector to look on
a different port, or are packets on all ports heuristically checked
with all dissectors?
Packets on all UDP and TCP ports are heuristically checked by the ONC
RPC dissector.