Wireshark-dev: Re: [Wireshark-dev] Question about port registrations
From: "Bryant Eastham" <beastham@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 28 May 2009 07:47:06 -0600

Again, sorry, comments at the bottom…

 

From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Peter Johansson
Sent: Thursday, May 28, 2009 5:53 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Question about port registrations

 

2009/5/28 Bryant Eastham <beastham@xxxxxxxxxxxxxxxxxxxxxxxxxxx>

Comments inline. Sorry, outlook isn't the greatest.


-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx

[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Wednesday, May 27, 2009 9:05 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Question about port registrations

On May 27, 2009, at 7:20 PM, Martin Visser wrote:

> So for Bryant's question is the issue that his customer didn't
> capture the initial SYN/SYN-ACK handshake, and hence Wireshark
> didn't have opportunity to remember which was the initial
> destination port (and hence "server" port and the one the one he
> would be interested in dissecting for?

At least one issue is that Wireshark *doesn't* remember the initial
destination port, and just tries the lower-numbered port first, so the
initial SYN or SYN+ACK won't help.  Whether the capture had the
initial SYN or SYN+ACK is another matter.

[Bryant Eastham] This seems like bad behavior. I can understand that
[Bryant Eastham] not all protocols define session startup, but in
[Bryant Eastham] the case of TCP/IP wouldn't it be better (if
[Bryant Eastham] available) to use the direction of the session
[Bryant Eastham] to prioritize the dissector choice?
[Bryant Eastham] Maybe the dissector that is making the call to
[Bryant Eastham] the sub-dissector through the lookup table should
[Bryant Eastham] indicate the "direction", which could guide the
[Bryant Eastham] choice?

 

How would you suggest that the direction would be known to any dissector in the event that the capture you have at hand is not including the part where then SYN packets are exchanged in this case?

Even if the Wireshark framework would change according to your suggestion where the TCP dissector would indicate for sub-dissectors the "direction" of the communication, you would still have to be able to handle the case in the sub-dissector when the TCP dissector does not have a clue (since it never saw the SYN packets being exchanged). This would then have to be part of the possible input to the sub-dissector (direction is either "to client"/"to server"/"unknown").

Hence back to square one again.

 

Personnally I have handled the same type of situation when it has struck me by one out of two choices:

1. Disable dissection for all protocols, then enable dissection for the ones you are really interested in (for instance TCP and your own in this case).

2. Make sure your sub-dissector handles heuristics and enable heuristics in the TCP dissector, that way your sub-dissector should be able to take ownership of the session in question.

 

Best regards, Peter

 

[Bryant Eastham] Sorry, my bad. I had assumed (not having looked at the code) that the subdissector choice

[Bryant Eastham] was managed by Wireshark. Looking at the TCP implementation, I now see the code that

[Bryant Eastham] disagree with (although the logic of the decision is stated clearly in the comment).

[Bryant Eastham] I also note that the dissector is already keeping a conversation per session (as best

[Bryant Eastham] it can), and so the recommendation would be to keep track of the direction if it is known,

[Bryant Eastham] and to use that direction to modify the port choice to prefer the “server” port. It seems

[Bryant Eastham] that the decision need only be made once, when the session conversation data

[Bryant Eastham] structure is created. The conversation would then contain the port that will be used

[Bryant Eastham] for all subdissector calls in that session. If the first packet in the session does not

[Bryant Eastham] indicate direction then the existing “lower port” logic would be used.

[Bryant Eastham] Not knowing the details of TCP (thankfully) the only part I would be unclear on is

[Bryant Eastham] whether from a single packet you can make any determination as to the “direction”,

[Bryant Eastham] or whether it is possible to distinguish from a single packet whether the session is

[Bryant Eastham] beginning. That logic would be required in the conversation initialization code.