Wireshark-dev: Re: [Wireshark-dev] decoding TCP options
From: Sach Kmat <sachkmat@xxxxxxxxx>
Date: Wed, 11 Nov 2009 17:57:40 -0800
Thank you for the reply. I mistakenly sent the first mail from an
unregistered mail.

I had some follow up questions.

In my wieshark plugin, I do not want to duplicate the code that
already does tcp decoding.
I want to extend what the tcp dissector does. What would be the best
way to do this?

If my plugin has to just look at the options and see if my special
option is present,
can I use a tap? I will let tcp do its decoding, and in my tap
listener, can i look at only the options part
and retrieve some information.

Is it also possible to update the the info column in the tap listener?

I experimented with a tap for tcp, but the tap listener was called
only once, or when i apply a new filter.

The README.tapping says
"Tap listeners are only called when Wireshark reads a new capture for
the first time or whenever Wireshark needs to rescan/redissect
the capture."

but also says -

"After each individual packet has been completely dissected and all
dissectors have returned, all the tap listeners that have been flagged
to receive tap data during the dissection of the frame will be called in
sequence."

The second text kinda made me think that the tap listener would be
called once after
each individual packet after  dissectors have returned. Am I reading this wrong?

regards,
sk

On Nov 10, 2009, at 11:05 AM, Sach Kmat wrote:


    I have a question regarding tcp options in a dissector. I have a
    dissector which dissects some specific protocols. I also need to
    decode http and other common protocols, but only the TCP options part
    of of these messages because i need to display some specific options,
    everything else in the common protocols should be displayed a usual. I
    tried doing a "decode as" for these common protocols and choosing my
    dissector, but my dissect function does not seem to be called.

    I was wondering if there is some way to do this.
    1. to decode the options part of common protocols or say dissect all
    packets and look at their options part.
    2. once i decode the options part, get wireshark to do the rest of
    decoding as usual.

    i really appreciate any help.

As Kary Rogers said the last time you asked:


    TCP options are decoded in packet-tcp.c as a part of TCP dissection.
    To decode your own TCP options you'll need to extend the TCP
    dissector.  You might look at MSS decoding as a simple example.
    Search for dissect_tcpopt_maxseg in packet-tcp.c.

Perhaps your other e-mail address isn't on the Wireshark list; replies
to messages on the list go, by default, only to the list, so if you're
not subscribed to the list, you wouldn't have seen Kary Rogers'
reply.  Hopefully, your GMail address is on the Wireshark list.