First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

Setting a field optional when registering the header? (possible?)

I am a complete newbie when it comes to Wireshark and know just some basics of networking. This is my first time trying to make a dissector and I am using C++ to make the dissector. I have a protocol that has a large number of messages with unique element which tells me what kind of message it is, in the header. But, there are two formats for the header in the spec, one has 4 values while the other has 3. The 3 values are common between them. Is there any way I can set the header value to be optional? (and if I do set it optional, how would wireshark know is it is present or not?) If there is no way to do that, what would be a good way of making a dissector that meets the aforementioned requirements?

anonymous user
asked 2018-11-21 19:59:37 +0000, updated 2018-11-21 20:00:56 +0000
edit flag offensive 0 remove flag close merge delete

Comments

Is there a field in the header that indicates which format for the header is being used?

Guy Harris's avatar Guy Harris (2018-11-21 20:50:55 +0000) edit
more
  • delete

Hi Harris, I have a field which says which type of message I have and from the message I know what it's header looks like!

do_more's avatar do_more (2018-11-26 00:05:02 +0000) edit
more
  • delete
add a comment see more comments

1 Answer

0

A first observation is that using C++ for a dissector isn't supported, but, depending on what C++ constructs you use, you might get it to work. The normal target for dissectors is C99.

Many dissectors handle field presence. In general, you register all the fields, but you only add data to it (.e. with proto_tree_add_item) if the field is present in the packet.

If your protocol provides sufficient info in the packet to determine which header is in use (maybe a key value, or message length or something else distinctive), then you can simply program that in your dissector. If it doesn't, then you'll require user support with a preference to indicate which header type is in use.

grahamb's avatar
23.8k
grahamb
answered 2018-11-21 20:54:51 +0000
edit flag offensive 0 remove flag delete link
more

Comments

Thank you so much Graham for the answer. Although I have a question on the proto_tree_add_item thing. I have to register my header before I dissect yeah? So if I have different headers, can I only register the part of my header that is going to be that same and then dissect the other part according to the message using the proto_tree_add_item? Or do I register the whole header and then use proto_tree_add_item on the fields that I need to dissect?

do_more's avatar do_more (2018-11-26 00:07:59 +0000) edit
more
  • delete

Field registration is (normally) done before dissection, so register all fields, then dissect and add items as required.

grahamb's avatar grahamb (2018-11-26 18:41:22 +0000) edit
more
  • delete

I'm not quite sure I follow your question so this response may not be relevant but here it is anyway: keep in mind you're not registering an entire packet header (with the hf fields). You're registering individual fields. A given protocol header will (typically) consist of several (if not many) fields. For example a version field, a length field, etc.

Then you write C code which dissects these fields. Step 1 might be to dissect the version field. Once you know that you might call 2 different functions depending on the version. The v3 dissection function might dissect fields A, B, and C. The v4 dissection function might dissect fields A, X, Y, and Z (yes, a given field might be the same in both versions). What hf's you register must simply include all fields for all versions of the protocol.

JeffMorriss's avatar JeffMorriss (2018-11-26 18:43:11 +0000) edit
more
  • delete

Okay. So, from what I understand-

  1. Register all fields in the header for all the types of header.
  2. Dissect only the fields which I need until I get what type of packet I am dissecting.
  3. Then dissect the packet accordingly.

Is that correct?

Also, another question from the Wireshark Developer Guide, the proto_tree_add_item, is it used to display the details on the screen yes?

do_more's avatar do_more (2018-11-27 05:23:42 +0000) edit
more
  • delete

The order you noted is correct, apart from the field registration should include all fields that might possibly be dissected.

Pedantic note, dissectors don't "display on the screen", they add items to the proto tree and\or columns that then allows whatever UI is being used, Qt, cli etc. to render the items accordingly. So yes, use proto_tree_add_item() to add protocol elements to the tree so that they can be displayed on screen.

grahamb's avatar grahamb (2018-11-27 11:13:16 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer