Wireshark-dev: [Wireshark-dev] Duplicating TCP dissector
From: Randy Buck <sutekistudent@xxxxxxxxx>
Date: Fri, 1 Jul 2011 10:53:55 -0600
Hi,

I am building many new versions of TCP in user space.  All packet headers are the same (IP, then TCP).  The packets will be sent/received over raw sockets.  So that I can filter out my TCP versions from actual kernel TCP, I am using other protocol numbers besides 6.  I wish to view these traces in Wireshark to ensure that the implementations are correct.  I am logging all packets to a pcap file and am able to view them fine in Wireshark.  The issue at hand is that Wireshark will only recognize TCP packets if the protocol number in the IP header is 6.  I wish to view these packets as a TCP trace in Wireshark.  As far as I see it, I have a couple of options:

1. Change the source such that it will recognize the protocol numbers that I wish to view as TCP.  I have already changed the IP_PROTO_TCP macro in epan/ipproto.h to one of the protocol numbers that I am using, recompiled, and successfully viewed the trace.  I can see how I could modify all places this macro is being used and check for all versions that I have.  This approach is neither very clean nor easily extensible for new protocols, and could potentially break something if multiple flows evaluated to the same protocol.  I have also thought of changing the macro to a global variable which is set via a command line option.  This would limit Wireshark to only recognizing one type of flow at a time, which is okay, but not perfect.

2. Use a dissector to duplicate the TCP dissector that exists.  The problem here is that I am not sure if writing a dissector for a TCP implementation that I am using will still allow me to use the graphing, following, etc. of TCP traces.  (This is some of the main functionality that I would like.)

I am open to other suggestions, but my question is: what is the best way to view TCP packets/traces in Wireshark that do not use protocol 6 in the IP header?

--
Randy Buck
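Neither option in the post is needed: the IP dissector picks its payload dissector from the "ip.proto" dissector table, and that table can be extended at run time. The Lua script below, an added example written for this thread and not code from the original post or from Wireshark itself, registers the existing TCP dissector on additional IP protocol numbers. Because the stock TCP dissector handles the packets, Follow TCP Stream, the TCP stream graphs, sequence analysis and every tcp.* display filter keep working, which answers the concern about option 2. The protocol numbers are assumptions (the post does not say which ones are in use); 253 and 254 are the IANA values reserved for experimentation and testing (RFC 3692). The preference name tcpvariants.protos is also this example's own choice.

```lua
-- tcp_variants.lua: make Wireshark dissect extra IP protocol numbers as TCP.
-- Added example for this thread; not code from the original post and not part
-- of Wireshark. Uses only the documented Wireshark Lua API
-- (Proto, Pref, DissectorTable, Dissector) and a reasonably current release.
--
-- Load it with:   tshark -X lua_script:tcp_variants.lua -r trace.pcap
-- or copy it into the personal plugins directory (Help > About > Folders).

-- Assumption: the post never says which protocol numbers the user-space
-- variants use. 253 and 254 are IANA's "experimentation and testing" values
-- (RFC 3692), so they serve as the default here.
local DEFAULT_PROTOS = "253,254"

-- A Proto with no dissector of its own; it exists only to carry a preference,
-- so the list of numbers can be changed without editing this file:
--   GUI:    Edit > Preferences > Protocols > TCPVARIANTS
--   tshark: -o tcpvariants.protos:200,253
local tcp_variants = Proto("tcpvariants", "User-space TCP variants")
tcp_variants.prefs.protos = Pref.string(
    "IP protocol numbers dissected as TCP",
    DEFAULT_PROTOS,
    "Comma-separated IP protocol numbers (besides 6) handed to the TCP dissector")

-- "ip.proto" is the table the IPv4 dissector (and the IPv6 next-header
-- handling) consults to choose a payload dissector; 6 -> tcp is the only
-- TCP entry stock Wireshark has, which is why only protocol 6 shows as TCP.
local ip_proto_table = DissectorTable.get("ip.proto")

-- Reuse the built-in TCP dissector instead of copying it.
local tcp_dissector = Dissector.get("tcp")

-- Numbers registered so far, so a preference change can undo them.
local registered = {}

-- Turn "253, 254,200" into { 253, 254, 200 }, dropping 6 (already TCP)
-- and anything that does not fit the 8-bit IP protocol field.
local function parse_protos(list)
    local protos = {}
    for token in string.gmatch(list, "[^,%s]+") do
        local n = tonumber(token)
        if n and n ~= 6 and n >= 0 and n <= 255 and n == math.floor(n) then
            protos[#protos + 1] = n
        end
    end
    return protos
end

-- Unregister the previous set, then register the current preference value.
local function apply_registration()
    for _, proto in ipairs(registered) do
        ip_proto_table:remove(proto, tcp_dissector)
    end
    registered = parse_protos(tcp_variants.prefs.protos)
    for _, proto in ipairs(registered) do
        ip_proto_table:add(proto, tcp_dissector)
    end
end

-- Wireshark calls this whenever the preference is edited (GUI or -o).
function tcp_variants.prefs_changed()
    apply_registration()
end

-- Register once at load time with the default (or saved) preference.
apply_registration()
```

For a one-off look without a script, the same mapping is available as Analyze > Decode As (table "IP protocol") in the GUI, or on the command line as `tshark -d ip.proto==253,tcp -r trace.pcap`; the script only adds persistence and a multi-value list. One caveat worth checking against the traces: the TCP dissector keys its conversations on addresses and ports, not on the IP protocol number, so two variants (or a variant and real kernel TCP) that reuse the same address/port 4-tuple at the same time will be tracked as one stream and their sequence analysis will be mixed; keep the variants on distinct ports or run them one at a time if that matters.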