
How to register a packet dissector for packets whose ports are not pre-defined?

Hi Team,

My protocol has two phases: 1. Control phase 2. Measurement phase.

The responder node would by default open a port at number ABC:

[x]----------------->[ABC]

[x]<-----------------[ABC]

During the control phase, the initiator asks the responder node to open a port at number "Y":

[x]------------------>[Y]

[x]<------------------[Y]

Now I need to write a packet dissector to dissect this kind of packet. What I know is that we can register a packet dissector in the Wireshark framework against a particular port number. So when Wireshark finds a packet, it looks for the dissector which has registered for that port number and calls that dissector to dissect that packet.

So now if I register my dissector at port number ABC, then it can dissect control packets. However, my measurement phase packets won't be associated with port number ABC, so my dissector won't be triggered to handle those packets.

So how can I register my dissector to dissect both kinds of packets?

Thanks and regards, Darshan L.

DarshanL, asked 2019-09-18 15:19:15 +0000

3 Answers


You can use multiple ports for the dissector so that both ports (ABC and Y) would be registered.

Taking from the example:

-- p_multi is the Proto object defined earlier in the example (assumed here)
local p_multi = Proto("multi", "Multi-port example protocol")

-- the dissector tables we want to register in
local wtap_encap_table = DissectorTable.get("wtap_encap")
local udp_encap_table = DissectorTable.get("udp.port")

-- one dissector can be added to a table under several keys, so every
-- port (ABC and Y) that the protocol uses is bound to the same Proto
wtap_encap_table:add(wtap.USER15, p_multi)
wtap_encap_table:add(wtap.USER12, p_multi)
udp_encap_table:add(7555, p_multi)
udp_encap_table:add(7666, p_multi)
udp_encap_table:add(7777, p_multi)
BMWE, answered 2019-09-21 18:40:28 +0000

The .register_heuristic can do this job.

Determine the proto by custom logic, rather than by port.

-- heuristic_checker: decide whether this UDP payload belongs to MyProto
local function heuristic_checker(buffer, pinfo, tree)
    -- check length first: anything shorter than our header cannot be ours
    local length = buffer:len()
    if length < 4 then return false end

    -- check something.. (replace `true` with a real test on the payload,
    -- e.g. a magic number or version field; a heuristic that accepts
    -- everything will claim every UDP packet on every port)
    if true then
        -- use my dissector
        MyProto.dissector(buffer, pinfo, tree)
        return true
    else
        return false
    end
end

-- register with the "udp" heuristic list
MyProto:register_heuristic('udp', heuristic_checker)

ref:
https://mika-s.github.io/wireshark/lu...

yurenchen, answered 2021-04-10 12:11:47 +0000, updated 2021-04-10 14:34:56 +0000

This is not an uncommon scenario. Protocols like FTP and VoIP protocols have similar characteristics. For FTP it's the opening of a data connection, after negotiation via the control channel on the well-known FTP server port. In VoIP there is the example of SIP, which uses SDP to negotiate the ports to which the audio data is to be sent with RTP.

The infrastructure in Wireshark to support this is the 'conversation'. It's defined by its endpoints (IP/proto/port tuple, with optional wildcards) and can dynamically associate a protocol dissector to such a conversation, e.g. based on what is negotiated in a control channel. The README.dissector file has more information on this, and the FTP and SDP dissectors should be illustrative as well.

Jaap, answered 2019-09-18 16:29:45 +0000

Comments

Hi, as suggested, either have a preference for the control protocol port(s) or use Decode As to dissect the control protocol. Then in the control protocol dissection set up the conversation for the data protocol port(s) based on the information received in the control protocol. There are numerous examples in the code base and some info in the readme files on conversations.

Anders (2021-04-11 11:00:13 +0000)
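As an added example (not code from this thread or from Wireshark's own dissectors), here is the Lua form of what Jaap and Anders describe: a dissector bound to the well-known control port reads the negotiated port and binds the measurement dissector to it at run time. The Proto names, CTRL_PORT and the 3-byte control message layout (1-byte opcode, 0x01 = open port, followed by a 2-byte port) are assumptions standing in for the real protocol.

```lua
-- Added example, not from the thread: control-port dissector that learns the
-- negotiated port "Y" and binds the measurement dissector to it at run time.
-- Assumed: CTRL_PORT, the Proto names, and a 3-byte control message layout.
local CTRL_PORT = 5000                      -- assumed well-known port "ABC"

local p_ctrl = Proto("myctrl", "My Protocol (control phase)")
local p_meas = Proto("mymeas", "My Protocol (measurement phase)")

-- assumed control message: 1-byte opcode (0x01 = OPEN_PORT), 2-byte port Y
local f_op   = ProtoField.uint8 ("myctrl.op",   "Opcode",          base.HEX)
local f_port = ProtoField.uint16("myctrl.port", "Negotiated port", base.DEC)
p_ctrl.fields = { f_op, f_port }

local udp_table = DissectorTable.get("udp.port")

function p_ctrl.dissector(buf, pinfo, tree)
    if buf:len() < 3 then return 0 end      -- too short to be a control msg
    pinfo.cols.protocol = "MYCTRL"
    local st = tree:add(p_ctrl, buf(0, 3))
    st:add(f_op, buf(0, 1))
    st:add(f_port, buf(1, 2))
    local port = buf(1, 2):uint()
    if buf(0, 1):uint() == 0x01 then
        -- Unlike the C conversation API, this binding is global to the port,
        -- not tied to the IP endpoint pair, and it persists for the rest of
        -- the session. A capture from an untrusted peer could therefore
        -- redirect dissection of any port it names (53, 123, ...), so refuse
        -- well-known ports and our own control port before binding.
        if port > 1023 and port ~= CTRL_PORT then
            udp_table:add(port, p_meas)     -- dynamic association
        end
    end
    return buf:len()
end

function p_meas.dissector(buf, pinfo, tree)
    pinfo.cols.protocol = "MYMEAS"
    tree:add(p_meas, buf()):append_text(" (" .. buf:len() .. " bytes)")
    return buf:len()
end

udp_table:add(CTRL_PORT, p_ctrl)            -- static binding for "ABC"
```

When the control phase signals that Y is closed again, udp_table:remove(port, p_meas) undoes the binding; a C dissector would do the equivalent per endpoint pair with conversation_new() and conversation_set_dissector(), as the FTP and SDP dissectors do.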