Wireshark-dev: Re: [Wireshark-dev] Adding a protocol under ONC-RPC (disregard previous)
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 23 Apr 2009 13:58:36 -0700

On Apr 23, 2009, at 1:35 PM, Andrew Kleinerman wrote:

My current project is integrating a small protocol into Wireshark for
analysis and I feel a little out of my depth.  The protocol is sent
over TCP on a non-standard port and uses the Sun XDR RPC.  I went
through the step-by-step guide of creating a basic dissector, and
Wireshark will recognize it as the new protocol.

The step-by-step guide doesn't apply to ONC RPC-based protocols; they work differently.

However, my problem
is that I cannot call dissect_rpc or dissect_rpc_tcp from my dissector
(I'm assuming for some good reason) to dissect the RPC.  So I'm
guessing I have to make the RPC dissector properly see it on a
different port (is that right?).

No - as per my reply to your previous message, you don't call the RPC dissector, the RPC dissector calls you. It will heuristically recognize traffic for your protocol on whatever port it appears.

FOO_HEADER:
   #define FOO_HEADER    0xaa

You're using 0xaa as the program number for your protocol?

I read in the archives
(http://www.ethereal.com/lists/ethereal-dev/199911/msg00094.html) that
it's necessary to make sure the proper header is in COL_PROTOCOL, is
that correct?  As in, the packet is identified as an RPC first and

then the RPC dissector looks to find if the header inside matches any
it knows about?

That mail was only talking about the "Protocol" column's text set, not to the way the RPC dissector recognizes something as being your protocol. (And we did end up changing things - the Protocol column is now set, for ONC RPC-based protocols, from the "short name" for the protocol, rather than its "filter name". For example, the short name for the NIS server protocol is "YPSERV", and the filter name is "ypserv", so the Protocol column says "YPSERV" but you filter for those packets using "ypserv".)

And, yes, the packet is identified as an RPC first and then looks to see if the program number is one of the ones that was registered with it by rpc_init_prog() and, if so, checks whether a program table exists for the version number and, if it finds one, looks for an entry in the program table for the procedure number.

If so, how do you direct the RPC dissector to look on
a different port, or are packets on all ports heuristically checked
with all dissectors?

Packets on all UDP and TCP ports are heuristically checked by the ONC RPC dissector.