How to set up a totally new dissector for data without a UDP/TCP header

In chapter 9.2.1 of the developer's guide, there is a dissector example, 9.2 (Dissector Handoff):

void proto_reg_handoff_foo(void)
{
    static dissector_handle_t foo_handle;

    /* Create the handle the core calls to dissect a "foo" packet */
    foo_handle = create_dissector_handle(dissect_foo, proto_foo);

    /* Hand packets to it only when they arrive on UDP port FOO_PORT */
    dissector_add_uint("udp.port", FOO_PORT, foo_handle);
}

The example always has a related basement, like UDP, TCP or so on. I would like to parse the whole enhanced packet block (data payload) from the first byte (bit) [of course, I have a header in the packet, to identify it from other interfaces' protocols]; how do I write the code?

I tried to follow the plugins\grython code and the developer's guide, but all the code is tied to some condition, like UDP or TCP, and just parses the data from a specific port. I would like to get help with this new idea.

Thanks in advance.

asked by qutefu, 2017-12-15 00:24:46 +0000
updated by Guy Harris, 2017-12-15 05:17:28 +0000

Comments

I would like to parse the whole enhanced packet block (data payload) from the first byte(bit) [of course, I have a header in the packet, to identify it from other interface's protocol ]

By "other interface's protocol" do you mean that these packets are coming from a particular network interface?

And do you mean that you want all packets for that interface to be handled by your protocol?

I try to follow plugins\grython code and the developing guide book, but all code are related with some conditions, like udp, or tcp

Or Ethernet/802.11/PPP/whatever? I.e., your protocol isn't running atop any other link-layer protocol, it is the link-layer protocol?

Guy Harris (2017-12-15 05:20:23 +0000)

Yes, I need to parse it from the first byte of the whole payload in the EPB (pcapng format file). I have some special bytes at the header of the packet, and a special byte order for a special communication proposal.

With an embedded Lua script, I have implemented it. I receive all the tvb data, which is the whole payload in the EPB (pcapng format file); it is working fine.

Now I need to use C code under the plugins folder to handle it. Thanks a lot.

qutefu (2017-12-15 07:30:05 +0000)

So what LinkType is present in the Interface Description Block? (can't be '1', since you stated there are some special bytes at the header (I assume you mean 'at the beginning') of the packet).

Jaap (2017-12-15 09:44:05 +0000)

Since LinkType is 2 bytes, I have set it to 999 in the IDB for now, since I know it should be available in my testing for the time being.

qutefu (2017-12-15 16:52:36 +0000)

(Reformatted so it shows up correctly.)

    /* Reserved for private use. */
    { 147,      WTAP_ENCAP_USER0 },
    { 148,      WTAP_ENCAP_USER1 },
    { 149,      WTAP_ENCAP_USER2 },
    { 150,      WTAP_ENCAP_USER3 },
    { 151,      WTAP_ENCAP_USER4 },
    { 152,      WTAP_ENCAP_USER5 },
    { 153,      WTAP_ENCAP_USER6 },
    { 154,      WTAP_ENCAP_USER7 },
    { 155,      WTAP_ENCAP_USER8 },
    { 156,      WTAP_ENCAP_USER9 },
    { 157,      WTAP_ENCAP_USER10 },
    { 158,      WTAP_ENCAP_USER11 },
    { 159,      WTAP_ENCAP_USER12 },
    { 160,      WTAP_ENCAP_USER13 },
    { 161,      WTAP_ENCAP_USER14 },
    { 162,      WTAP_ENCAP_USER15 },

From pcap-common.c. It seems it may be easy if I use a LinkType of USER0~15 to solve it, right?

qutefu (2017-12-15 18:17:28 +0000)

1 Answer


What you should do is either:

  • get an official LINKTYPE_ value assigned for your link-layer packet type, by sending a message to [email protected], use that rather than 999, add an official WTAP_ENCAP_ value for it in wiretap/wtap.h, modify wiretap/pcap-common.c to map the LINKTYPE_ value to the WTAP_ENCAP_ value, and have your dissector register in the wtap_encap dissector table with the WTAP_ENCAP_ value;

or

  • use one of the LINKTYPE_USERn values specifically reserved for private use (as per the list of LINKTYPE_ values, those are values in the range 147 through 162), open up the Preferences dialog in Wireshark, open up Protocols in that dialog, select DLT_USER, and edit the Encapsulations Table and arrange that the LINKTYPE_USERn/DLT_USERn value you used be dissected by your dissector.

The second of those is simpler, but doesn't guarantee that other users won't use the same LINKTYPE_USERn value for a different type of link-layer header.

answered by Guy Harris, 2017-12-15 18:16:05 +0000
updated by grahamb, 2017-12-15 18:55:45 +0000
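A worked example added here, not code from this thread or from the Wireshark project, for the point both the question's handoff code and the answer above turn on: a link-layer dissector is keyed on the LinkType field of the pcapng Interface Description Block rather than on a transport port, so the handoff line becomes dissector_add_uint("wtap_encap", WTAP_ENCAP_USER0, foo_handle) in place of the "udp.port" registration. The C program below builds a minimal little-endian pcapng capture whose IDB carries LINKTYPE_USER0 (147, from the pcap-common.c table quoted in the comments) and one Enhanced Packet Block holding a constructed six-byte frame, parses the file back with every block length bounds-checked, and maps the LinkType to the WTAP_ENCAP_USERn index. Block layouts follow the pcapng specification; the frame bytes, the snaplen and the zero timestamp are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* pcapng block types and byte-order magic, per the pcapng specification */
#define PCAPNG_SHB 0x0A0D0D0Au
#define PCAPNG_IDB 0x00000001u
#define PCAPNG_EPB 0x00000006u
#define PCAPNG_BYTE_ORDER_MAGIC 0x1A2B3C4Du

/* Private-use LINKTYPE_USERn range (147..162), as listed in pcap-common.c */
#define LINKTYPE_USER0 147
#define LINKTYPE_USER15 162

static void put_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xFF); p[1] = (uint8_t)(v >> 8); }
static void put_u32(uint8_t *p, uint32_t v) { put_u16(p, (uint16_t)(v & 0xFFFF)); put_u16(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get_u16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_u32(const uint8_t *p) { return (uint32_t)get_u16(p) | ((uint32_t)get_u16(p + 2) << 16); }

/* Map a LINKTYPE_USERn value to n (the index of WTAP_ENCAP_USERn), or -1 if
   the value is outside the private-use range, e.g. the 999 used in the question. */
int linktype_user_index(uint16_t linktype) {
    if (linktype < LINKTYPE_USER0 || linktype > LINKTYPE_USER15) return -1;
    return linktype - LINKTYPE_USER0;
}

/* Write SHB + one IDB with the given LinkType + one EPB carrying pkt.
   Returns bytes written, or 0 if cap is too small. */
size_t build_pcapng(uint8_t *out, size_t cap, uint16_t linktype,
                    const uint8_t *pkt, uint32_t pkt_len) {
    uint32_t padded = (pkt_len + 3) & ~3u;          /* packet data is padded to 32 bits */
    size_t need = 28 + 20 + 32 + padded;
    uint8_t *p = out;
    uint32_t epb_len = 32 + padded;
    if (cap < need) return 0;

    /* Section Header Block: magic, version 1.0, section length -1 (unknown) */
    put_u32(p, PCAPNG_SHB); put_u32(p + 4, 28);
    put_u32(p + 8, PCAPNG_BYTE_ORDER_MAGIC);
    put_u16(p + 12, 1); put_u16(p + 14, 0);
    put_u32(p + 16, 0xFFFFFFFFu); put_u32(p + 20, 0xFFFFFFFFu);
    put_u32(p + 24, 28);
    p += 28;

    /* Interface Description Block: the 16-bit LinkType is what the dissector is keyed on */
    put_u32(p, PCAPNG_IDB); put_u32(p + 4, 20);
    put_u16(p + 8, linktype); put_u16(p + 10, 0);   /* LinkType, Reserved */
    put_u32(p + 12, 65535);                         /* SnapLen (constructed) */
    put_u32(p + 16, 20);
    p += 20;

    /* Enhanced Packet Block: interface 0, zero timestamp, caplen == origlen */
    put_u32(p, PCAPNG_EPB); put_u32(p + 4, epb_len);
    put_u32(p + 8, 0);
    put_u32(p + 12, 0); put_u32(p + 16, 0);
    put_u32(p + 20, pkt_len); put_u32(p + 24, pkt_len);
    memset(p + 28, 0, padded);
    memcpy(p + 28, pkt, pkt_len);
    put_u32(p + 28 + padded, epb_len);
    p += epb_len;
    return (size_t)(p - out);
}

/* Walk the blocks of a little-endian section, report the IDB LinkType and the
   first EPB's payload. Every length is checked before use: a block length below
   12, not a multiple of 4, past the end of the buffer, or not matching its
   trailer rejects the file instead of reading out of bounds. Returns 0 on success. */
int parse_pcapng(const uint8_t *buf, size_t len, uint16_t *linktype,
                 const uint8_t **pkt, uint32_t *pkt_len) {
    size_t off = 0;
    int have_idb = 0;
    if (len < 28 || get_u32(buf) != PCAPNG_SHB || get_u32(buf + 8) != PCAPNG_BYTE_ORDER_MAGIC)
        return -1;
    while (off + 12 <= len) {
        uint32_t type = get_u32(buf + off);
        uint32_t total = get_u32(buf + off + 4);
        if (total < 12 || (total & 3) || total > len - off) return -1;
        if (get_u32(buf + off + total - 4) != total) return -1;
        if (type == PCAPNG_IDB && total >= 20) {
            *linktype = get_u16(buf + off + 8);
            have_idb = 1;
        } else if (type == PCAPNG_EPB && total >= 32) {
            uint32_t caplen = get_u32(buf + off + 20);
            if (!have_idb || caplen > total - 32) return -1;  /* captured length must fit the block */
            *pkt = buf + off + 28;
            *pkt_len = caplen;
            return 0;
        }
        off += total;
    }
    return -1;
}

int main(void) {
    /* Constructed sample frame: a made-up two-byte marker followed by four payload bytes */
    static const uint8_t frame[] = { 0xCA, 0xFE, 0x01, 0x02, 0x03, 0x04 };
    uint8_t file[256];
    uint16_t lt; const uint8_t *pkt; uint32_t pl;
    size_t n = build_pcapng(file, sizeof file, LINKTYPE_USER0, frame, sizeof frame);
    if (n && parse_pcapng(file, n, &lt, &pkt, &pl) == 0)
        printf("LinkType %u -> WTAP_ENCAP_USER%d, payload %u bytes, first byte 0x%02X\n",
               lt, linktype_user_index(lt), pl, pkt[0]);
    return 0;
}
```

Writing the buffer from build_pcapng to a file gives a capture that Wireshark opens as DLT_USER0, which is exactly the case the Preferences > Protocols > DLT_USER table maps to a dissector, so it doubles as a test input for either option in the answer. The parser only accepts little-endian sections (magic 0x1A2B3C4D); a real reader must also honour the byte-swapped magic and re-read every multi-byte field accordingly.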

Comments

Hi Harris, thank you so much. I am going to use the first one. It should work fine locally now.

qutefu (2017-12-18 17:59:31 +0000)
