
Dissector that decodes payload on another layer

Hi,

the dissector for ASTERIX, packet-asterix.c in Wireshark, dissects data that is sent via the network. Until now, we have only seen these data sent over UDP, and that is how the dissector works. There is a line in the dissector

dissector_add_uint_with_preference ("udp.port", ASTERIX_PORT, asterix_handle);

that defines that the data is sent via UDP and the dissector dissects it.

Now, I got a request to decode the same data being sent over MAC/LLC. The data are the same; only the way they are sent is different.

How can I make the dissector able to decode the MAC/LLC payload, too? All data dissecting code should stay the same. I guess I need to add something like this:

dissector_add_uint_with_preference ("llc.dsap", ???, asterix_handle);

but that is surely not enough, and I don't know how that can be done. I tried to add a dissector_add similar to the one shown and some more stuff, but all I got was a core dump at Wireshark start. I got some sample traffic for debugging; now I need to make Wireshark decode it. A sample of a similar decoder, where I could see how that should be done, would be a perfect guidance.

Regards, Marko

marko-hrastovec
asked 2020-05-15 06:35:56 +0000, updated 2020-05-15 10:48:00 +0000

Comments

If you could share a packet of your sample traffic we could have a look.

Anders (2020-05-15 07:03:48 +0000)

The sample traffic is here https://drive.google.com/file/d/1JR-2.... The data is the same as for UDP. In MAC/LLC the Control Field is set to 0x03.

marko-hrastovec (2020-05-15 07:13:15 +0000)

1 Answer


Adding

dissector_add_uint("llc.dsap", 0x2e, asterix_handle);

to proto_reg_handoff_asterix() caused it to dissect the packets with an LLC DSAP of 0x2e as ASTERIX; however, those are not all the packets in your capture.

Unfortunately, there is no support for "Decode As..." for LLC DSAPs, so you can't make it possible to select a packet and cause its LLC DSAP to be decoded as ASTERIX.

Guy Harris
answered 2020-05-15 20:07:48 +0000

Comments

Thanks. I have tried it and it works. However, I guess I cannot submit a change like that, because it messes up other decoders for MAC/LLC. Am I right? The users who request this do not care if other MAC/LLC traffic will not be decoded as it should be. I can send them the change and they can build their own Wireshark from sources.

marko-hrastovec (2020-05-16 06:24:14 +0000)

Would it be possible to add ASTERIX dissecting to packet-llc.c and submit it like that to Wireshark?

marko-hrastovec (2020-05-16 06:54:18 +0000)

As noted by Guy, your capture uses many different DSAP values, so which one(s) should be used for ASTERIX?

How is this traffic generated, can it be constrained to use the same DSAP?

If the DSAPs can't be constrained, then I guess you could add an LLC DSAP range preference to the ASTERIX dissector, and then it would register for those DSAPs with the llc dissector.

grahamb (2020-05-16 11:07:06 +0000)

Thanks! I will try to add it to packet-llc.c.

marko-hrastovec (2020-05-17 06:25:22 +0000)

Nope, the changes would be in the ASTERIX dissector; it has the DSAP preference, which is specific to ASTERIX, and it registers the DSAPs with the llc dissector. The llc dissector is untouched.

grahamb (2020-05-17 11:27:48 +0000)
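To illustrate the range-preference approach grahamb describes, here is an added stand-alone C model (not code from packet-asterix.c, packet-llc.c or the Wireshark API): it parses a Wireshark-style DSAP range string, then decides for a constructed 802.2 LLC frame whether the payload goes to the ASTERIX handler or stays with the normal LLC sub-dissectors. In Wireshark itself this decision is made by the llc dissector's own registration table; the frame bytes, the range strings and the handler names here are constructed for the example.

```c
/* Added example: models an LLC DSAP range preference for ASTERIX dispatch.
 * Not Wireshark code; Wireshark's real registration goes through packet.h. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define LLC_CTRL_UI 0x03 /* unnumbered information, as seen in the capture */

/* Parse a range string such as "0x2e" or "0x2e,0x30-0x3f" into a 256-entry
 * enable table (1 = DSAP registered for ASTERIX). Returns the number of
 * DSAPs enabled, or -1 if the string is malformed. */
int parse_dsap_range(const char *spec, uint8_t table[256]) {
    int count = 0;
    const char *p = spec;
    memset(table, 0, 256);
    while (*p) {
        char *end;
        long lo = strtol(p, &end, 0), hi;
        if (end == p || lo < 0 || lo > 255) return -1;
        hi = lo;
        if (*end == '-') {            /* "lo-hi" range */
            p = end + 1;
            hi = strtol(p, &end, 0);
            if (end == p || hi < lo || hi > 255) return -1;
        }
        for (long v = lo; v <= hi; v++)
            if (!table[v]) { table[v] = 1; count++; }
        if (*end == ',') end++;       /* next item */
        else if (*end != '\0') return -1;
        p = end;
    }
    return count;
}

/* Inspect one 802.2 LLC header (DSAP, SSAP, Control). Returns 1 when the
 * payload after the 3-byte header should be handed to ASTERIX, 0 when the
 * frame is left to the other LLC sub-dissectors (so unrelated MAC/LLC traffic
 * is not hijacked), and -1 when the frame is too short to carry an LLC header. */
int llc_dispatch(const uint8_t *frame, size_t len,
                 const uint8_t table[256], size_t *payload_off) {
    if (len < 3) return -1;
    uint8_t dsap = frame[0], ctrl = frame[2];
    /* Only UI frames with a registered DSAP reach the ASTERIX handler. */
    if (ctrl != LLC_CTRL_UI || !table[dsap]) return 0;
    *payload_off = 3;
    return 1;
}
```

A single registration like Guy's `0x2e` is the one-entry case of the table; a range string covers the other DSAPs in the capture without touching frames outside it.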
