
Registering two protocol plugins sharing the same port

I have two plugins, ABC and XYZ. The ABC protocol uses port 3100 and XYZ uses any port between 1024 and 9000:

dissector_add_uint("tcp.port", 3100, ABC_handle);   /* pattern is a guint32, not a string */
dissector_add_uint_range_with_preference("tcp.port", "1024-9000", XYZ_handle);

When the XYZ protocol uses port 3100, Wireshark dissects that packet as ABC, but it was supposed to dissect it as XYZ.

How can I handle this case?

Thanks in advance

Dhanu Sh Alz
asked 2018-08-23 06:02:55 +0000, updated 2018-08-23 06:03:39 +0000

1 Answer


You can't simultaneously register the ABC and XYZ dissector for port 3100, as there would be no way to determine whether it's protocol ABC or protocol XYZ. You can, however, register the ABC dissector for port 3100 and the XYZ dissector for ports 1024 through 3099 and 3101 through 9100:

dissector_add_uint("tcp.port", 3100, ABC_handle);   /* pattern is a guint32, not a string */
dissector_add_uint_range_with_preference("tcp.port", "1024-3099,3101-9000", XYZ_handle);

Guy Harris
answered 2018-08-23 07:20:41 +0000

Comments

@Guy Harris Both protocols do have the first byte as protocol identification; can't it be used to distinguish between the protocols' packets that have the same port?

Dhanu Sh Alz (2018-08-23 07:25:37 +0000)

It can, but you need to use a "pre-dissector" which you register as a dissector for the full port range and let it invoke one of the two real dissectors depending on the conditions (if the port is 3100 and the first byte identifies one protocol, call the dissector for that protocol; otherwise call the dissector for the other protocol). Or you can merge the code of the two dissectors if that makes more sense. A single dissector plugin may register multiple protocol names.

sindy (2018-08-23 20:44:31 +0000)

@sindy How does the pre-dissector actually work? Is there any example in Wireshark I can look at?

Dhanu Sh Alz (2018-08-24 07:34:59 +0000)

"pre-dissector" is not an official name; that's why I've put it in quotation marks. It is just a piece of code with the formal structure of a dissector which registers itself as a dissector in the tcp table, but its executive part (the dissector function) doesn't really handle the data; it just calls one or the other dissector depending on the conditions. As said, you may instead tell the XYZ dissector to invoke the ABC dissector and pass it the whole tvb to do the real job if it finds out that the port is 3100 and the first byte in the tvb identifies protocol ABC. ABC need not be registered in the dissection table indexed by TCP port numbers; it is enough that it is registered as a dissector and that XYZ knows its handle.

sindy (2018-08-26 13:24:28 +0000)
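The dispatching "pre-dissector" described in the comments above, as an added example written as a Wireshark Lua script rather than a C plugin (it is not code from this thread). The protocol names, the identification byte values 0x41 and 0x58, and the fallback to the built-in "data" dissector for segments matching neither signature are assumptions made for the example; the thread only says the first byte identifies the protocol.

```lua
-- Identification bytes and names are assumed for this example; the thread
-- only says the first byte identifies the protocol.
local ABC_ID, XYZ_ID, ABC_PORT = 0x41, 0x58, 3100

local abc_proto = Proto("abc", "ABC Protocol")
local xyz_proto = Proto("xyz", "XYZ Protocol")
local mux_proto = Proto("abcxyz_mux", "ABC/XYZ port multiplexer")

local f_abc_id = ProtoField.uint8("abc.id", "Identification byte", base.HEX)
local f_xyz_id = ProtoField.uint8("xyz.id", "Identification byte", base.HEX)
abc_proto.fields = { f_abc_id }
xyz_proto.fields = { f_xyz_id }

-- The two real dissectors. Each only decodes the identification byte here;
-- the rest of the payload would be parsed after it.
function abc_proto.dissector(tvb, pinfo, tree)
  pinfo.cols.protocol = "ABC"
  local subtree = tree:add(abc_proto, tvb())
  subtree:add(f_abc_id, tvb(0, 1))
  return tvb:len()
end

function xyz_proto.dissector(tvb, pinfo, tree)
  pinfo.cols.protocol = "XYZ"
  local subtree = tree:add(xyz_proto, tvb())
  subtree:add(f_xyz_id, tvb(0, 1))
  return tvb:len()
end

-- The dispatcher does no decoding itself. On port 3100 the first byte decides
-- between ABC and XYZ; on any other port only XYZ is expected. A segment that
-- matches neither signature goes to the generic "data" dissector instead.
local data_dissector = Dissector.get("data")

function mux_proto.dissector(tvb, pinfo, tree)
  if tvb:len() < 1 then return 0 end
  local id = tvb(0, 1):uint()
  local on_abc_port = (pinfo.src_port == ABC_PORT or pinfo.dst_port == ABC_PORT)
  if on_abc_port and id == ABC_ID then
    return abc_proto.dissector(tvb, pinfo, tree)
  elseif id == XYZ_ID then
    return xyz_proto.dissector(tvb, pinfo, tree)
  end
  return data_dissector:call(tvb, pinfo, tree)
end

-- Only the dispatcher is registered in the tcp.port table, and it covers the
-- whole range at once, so there is no conflicting registration on port 3100.
DissectorTable.get("tcp.port"):add("1024-9000", mux_proto)
```

Drop the script into the Wireshark plugins directory (or load it with `-X lua_script:`) and only the multiplexer appears in the tcp.port table; ABC and XYZ are reached through it.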
