How can I put data from two or more frames together in a custom Wireshark dissector?

Hi,

I'm writing a Wireshark plugin dissector for IO-Link data. In some special cases I have to collect data over 2 or 3 frames until it's complete. I read about the conversation, but I don't think I can work with this solution because I don't have addresses. In my case, one frame is master data + device data. I also looked at https://www.wireshark.org/docs/wsdg_h..., but this tutorial didn't help. Maybe I'm too inexperienced in C or programming in general to understand it without help.

Best regards

Rob

Robin26689 asked 2020-12-01 07:59:51 +0000
cmaynard updated 2020-12-02 02:44:10 +0000

Comments

Rob, just curious what interface you intended to use for capturing the traffic and status of the entire project?

Onstege (2023-12-12 10:42:08 +0000)

1 Answer

Have a look at README.dissector section 2.7.2

Jaap answered 2020-12-01 20:47:09 +0000

Comments

Yes, I did. I tried to add it to my code and I could build it without errors, but nothing happens. Maybe it's in the wrong place or I have to make some changes. I also read 2.7.1 Using tcp_dissect_pdus() because I know how long my data will be and in which case I will receive data over several frames. I also have a bit which is incremented as long as the data is transmitted. I just can't figure out (yet) how to make it work. I just want to collect the data until it's complete and then print it to the info column from the last frame.

Robin26689 (2020-12-02 07:01:59 +0000)

Maybe if you describe your data a bit more, with the help of a link to a capture file, more specific advice can be offered.

grahamb (2020-12-02 11:05:42 +0000)

I think I found a solution for now, but I'm not sure if it works in every case. My data:

  • 1.Frame: 0xf0 0x5b 0xd1 0x16 0x69 0x66 0x6d 0x20 0x65 0x6c
  • 2.Frame: 0xe1 0xb0 0x65 0x63 0x74 0x72 0x6f 0x6e 0x69 0x63
  • 3.Frame: 0xe2 0x80 0x20 0x67 0x6d 0x62 0x68 0xa7 0x00 0x00

The first two bytes are always from the master. The master command is the first byte. I have a bitmask with: |r/w (7)| |communication channel (6,5)| |address (4-0)|. If I have address 16 followed by address 1 (0xe1) and address 2 (0xe2), I know that these 3 frames belong together. Then, from the first frame, the 3rd byte: d is for the command and 1 says it has the external length, which is the following byte, 0x16. So I know I will have 22 bytes of data. The first byte is the command the ...

Robin26689 (2020-12-02 11:25:44 +0000)
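
The collection rule described in the last comment, as an added standalone C example that is not part of the original thread and does not use the Wireshark API. The names `collector_t`, `collector_feed` and `page_frames` are hypothetical; it assumes the length byte 0x16 counts from the command byte 0xd1 (which fits the three frames shown) and that continuation address k carries the k-th 8-byte chunk.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_LEN  10   /* every frame on the page is 10 bytes */
#define MASTER_LEN 2    /* the first two bytes come from the master */
#define CHUNK      (FRAME_LEN - MASTER_LEN)
#define ADDR_MASK  0x1f /* master command bits 4-0 */
#define ADDR_START 16   /* address 16 opens a multi-frame transfer */

typedef struct {
    uint8_t buf[16 * CHUNK]; /* start frame plus continuation addresses 1..15 */
    size_t  have, want;      /* bytes collected / announced; want == 0 means idle */
} collector_t;

const uint8_t page_frames[3][FRAME_LEN] = { /* the three frames posted above */
    {0xf0, 0x5b, 0xd1, 0x16, 0x69, 0x66, 0x6d, 0x20, 0x65, 0x6c},
    {0xe1, 0xb0, 0x65, 0x63, 0x74, 0x72, 0x6f, 0x6e, 0x69, 0x63},
    {0xe2, 0x80, 0x20, 0x67, 0x6d, 0x62, 0x68, 0xa7, 0x00, 0x00},
};

/* Feed one frame: 1 = transfer complete, 0 = need more, -1 = rejected. */
int collector_feed(collector_t *c, const uint8_t *frame, size_t len)
{
    if (len != FRAME_LEN) return -1;
    size_t addr = frame[0] & ADDR_MASK;
    if (addr == ADDR_START) {
        memset(c, 0, sizeof *c);      /* a new start discards stale state */
        /* Assumed: low nibble 1 means byte 4 is the total length, command included */
        if ((frame[2] & 0x0f) != 1 || frame[3] < 2 || frame[3] > sizeof c->buf)
            return -1;
        c->want = frame[3];
    } else if (c->have >= c->want || addr != c->have / CHUNK) {
        c->have = c->want = 0;        /* idle, already complete, or out of order */
        return -1;
    }
    size_t n = c->want - c->have;     /* never copy past the announced length */
    if (n > CHUNK) n = CHUNK;
    memcpy(c->buf + c->have, frame + MASTER_LEN, n);
    c->have += n;
    return c->have == c->want;
}

int main(void)
{
    collector_t c = {0};
    for (int i = 0; i < 3; i++)
        printf("frame %d -> %d\n", i + 1, collector_feed(&c, page_frames[i], FRAME_LEN));
    return 0;
}
```

Inside a dissector, state like this should only be advanced on the first pass over the capture (while `pinfo->fd->visited` is false), with the completed buffer attached to the last frame through `p_add_proto_data()`, because Wireshark re-dissects frames in arbitrary order when the user selects them.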
