multiple lua dissectors using same ports

Hello,

I have custom dissectors (one for each protocol) which use the same ports:

  1. protocol A uses ports 1000 and 2000 (some messages are with src and dst 1000, others with src 1000 and dst 2000)
  2. protocol B uses ports 2000 and 3000 (some messages are with src and dst 2000, others with src 2000 and dst 3000)
  3. protocol C1 uses ports 3000 and 4000 (some messages are with src and dst 3000, others with src 3000 and dst 4000)
  4. protocol C2 uses ports 4000 and 5000 (some messages are with src and dst 4000, others with src 4000 and dst 5000)

some additional information:

  • all those protocols have a common header (let's say AB:CD); there may be other protocols with the same header.
  • C1 and C2 are the same protocol, but have different destinations; hence the differentiation.
  • For each protocol, two of the messages are sent at a pretty high rate (50msec).

I'd like to have some easy identification of those protocols in the Wireshark stream.

What is the suggestion for creating those dissectors? Some of the things I've thought of:

  • I can create all the protocols in one file and associate all those ports, but in that case they would be harder to identify (I would also have to add port numbers to the filter rather than only the name).
  • generate 3 dissectors and verify the (src, dst) ports in each dissector; I've tried it, but it does not always work. Probably the order in init.lua has some significance.
BMWE
asked 2020-04-09 16:47:14 +0000


1 Answer

Can't you add them as one dissector, and in that dissector determine the "sub-type" by inspecting the src and dst ports (pinfo) and add a "generated" field that indicates the sub-type? This field can be added as a column and filtered on.

grahamb
answered 2020-04-09 17:35:09 +0000

Comments

It is an option. I'd be glad if you could clarify a little bit more on this, especially on the mentioned field.

BMWE (2020-04-09 17:42:51 +0000)

Create a ProtoField that reflects your protocol variants, type of your choosing, add it to the tree using a locally derived value from inspecting the ports, using add(YourProtoField, YourLocalValue), and call set_generated(TRUE) on the tree item previously added.

grahamb (2020-04-10 07:40:54 +0000)

OK, I see your point. I'll test it on next working day

BMWE (2020-04-10 08:01:15 +0000)

Found an example in the Post dissector example; look at the ProtoField max_gap_field and the local value max_gap.

grahamb (2020-04-10 08:14:31 +0000)
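One way to implement the single-dissector approach from the answer above, as an added example that is not code from the question, the answer or the Wireshark project. It assumes the protocols run over UDP, that the "AB:CD" header means the first two bytes are 0xAB 0xCD, and uses the port pairs listed in the question; the variant name is stored in a generated string field `abcd.variant` that can be shown as a column and used in display filters such as `abcd.variant == "C1"`.

```lua
-- Single Lua dissector for the protocol family sharing the AB:CD header.
-- Assumption: UDP transport; the port pairs come from the question.
local abcd = Proto("abcd", "ABCD protocol family")

local f_magic   = ProtoField.uint16("abcd.magic", "Magic", base.HEX)
local f_variant = ProtoField.string("abcd.variant", "Variant")
abcd.fields = { f_magic, f_variant }

-- Every legal (src port, dst port) pair mapped to its variant name.
-- Note that 3000->4000 is C1 while 4000->4000 is C2, as in the question.
local variant_by_ports = {
    [1000] = { [1000] = "A",  [2000] = "A"  },
    [2000] = { [2000] = "B",  [3000] = "B"  },
    [3000] = { [3000] = "C1", [4000] = "C1" },
    [4000] = { [4000] = "C2", [5000] = "C2" },
}

local function classify(src, dst)
    local row = variant_by_ports[src]
    return row and row[dst] or nil
end

function abcd.dissector(buf, pinfo, tree)
    -- Require the common header so a matching port alone does not claim a packet.
    if buf:len() < 2 or buf(0, 2):uint() ~= 0xABCD then return 0 end
    local variant = classify(pinfo.src_port, pinfo.dst_port)
    if not variant then return 0 end  -- not one of our port pairs; let others try

    pinfo.cols.protocol = "ABCD-" .. variant
    local subtree = tree:add(abcd, buf(), "ABCD protocol, variant " .. variant)
    subtree:add(f_magic, buf(0, 2))
    -- The variant is derived from pinfo, not from packet bytes, so mark it generated.
    local item = subtree:add(f_variant, variant)
    item:set_generated(true)
    return buf:len()
end

-- One registration per port; the (src, dst) check inside the dissector
-- decides which variant a given packet belongs to.
local udp_port = DissectorTable.get("udp.port")
for _, p in ipairs({ 1000, 2000, 3000, 4000, 5000 }) do
    udp_port:add(p, abcd)
end
```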
