Wireshark mailing list archives

Re: display filtering + how to analyze some TCP packets


From: Guy Harris <guy () alum mit edu>
Date: Tue, 25 Oct 2011 09:37:51 -0700


On Oct 25, 2011, at 8:26 AM, Teto wrote:

1st question:
It took me some time but thanks to README.developer I think I
understand how display filtering works now. I was wondering if it was
possible to update an item's header field id after its creation.

No.

For example:
proto_item* pi = proto_tree_add_text(subtree,tvb,offset,4,"Type: %u",type);
set_item_header_field(&hf_my_field_id);   /// for example. Does any equivalent function exist?

No such function will ever exist.  You must choose which field to add *at the time you add it*.

What is it you're trying to do here?

And my 2nd question would be:
There is some TCP traffic going on random ports concerning the
protocol I analyze. How can I assign this traffic to my dissector? It
needs to analyze the first bytes to know if it matches my protocol.
I solved the problem for udp (it's a predefined port):
dissector_add_uint("udp.port", ENERGYWISE_UDP_DPORT, energywise_udp_handle);
but I dunno for tcp.

If it's a predefined port for TCP, do the same sort of thing, but using "tcp.port" and the predefined TCP port number 
and handle for the dissector for your protocol when it runs over TCP.

If it's not a predefined port, you'd have to, well, analyze the first bytes to know if it matches your protocol.  That 
means making your dissector a heuristic dissector, which:

        returns a gboolean value - TRUE if it matches, FALSE if it doesn't;

        as its first action, before doing *anything* to the protocol tree or the columns, checks whether the first 
bytes look as if the packet is for your protocol or not;

        before looking at any byte, makes sure it's available in the tvbuff you've been handed, e.g. with 
tvb_offset_exists() or tvb_bytes_exist();

        is registered with

                heur_dissector_add("tcp", dissect_energywise_tcp_heur, proto_energywise);

        where dissect_energywise_tcp_heur() is your heuristic dissector function and proto_energywise is the value 
returned by your proto_register_protocol() call.
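As an added example (not code from Guy's reply or from the Wireshark source), here is a stand-alone C sketch of a heuristic function structured the way the reply describes: bounds check first, then a decision on the leading bytes, and nothing done to the tree or columns before that decision. It compiles without Wireshark because the three tvbuff calls it uses are local stand-ins that mirror the real signatures; the 4-byte header layout is a hypothetical one made up for this example, not EnergyWise's real wire format, and the names dissect_example_tcp_heur, heur_matches and the SAMPLE_* arrays are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the few Wireshark tvbuff calls the heuristic uses.  These are
 * NOT Wireshark's definitions; they only mirror the real signatures closely
 * enough that the heuristic body below reads like dissector code. */
typedef struct {
    const uint8_t *data;     /* bytes actually captured for this segment */
    unsigned       captured; /* how many of them exist (captured length) */
} tvbuff_t;

static bool tvb_bytes_exist(const tvbuff_t *tvb, unsigned offset, unsigned length)
{
    /* guard the sum against wraparound as well as checking the length itself */
    return offset <= tvb->captured && length <= tvb->captured - offset;
}

static uint8_t tvb_get_guint8(const tvbuff_t *tvb, unsigned offset)
{
    return tvb->data[offset];   /* caller must have checked tvb_bytes_exist() */
}

static uint16_t tvb_get_ntohs(const tvbuff_t *tvb, unsigned offset)
{
    return (uint16_t)((tvb->data[offset] << 8) | tvb->data[offset + 1]);
}

/* Hypothetical 4-byte header used only for this example (not EnergyWise's real
 * format): version (must be 1), message type (1..4), big-endian payload
 * length (at most 1024). */
#define HDR_LEN         4u
#define EXAMPLE_VERSION 1u
#define MAX_TYPE        4u
#define MAX_PAYLOAD     1024u

/* The heuristic, following the rules in the reply: it returns true only when
 * the leading bytes are consistent with the protocol, and it does nothing
 * else (no tree, no columns) before making that decision. */
static bool dissect_example_tcp_heur(const tvbuff_t *tvb)
{
    /* Make sure the bytes are there before reading them.  A truncated capture
     * or a short TCP segment must not become an out-of-bounds read. */
    if (!tvb_bytes_exist(tvb, 0, HDR_LEN))
        return false;

    uint8_t  version = tvb_get_guint8(tvb, 0);
    uint8_t  type    = tvb_get_guint8(tvb, 1);
    uint16_t length  = tvb_get_ntohs(tvb, 2);

    if (version != EXAMPLE_VERSION)
        return false;
    if (type == 0 || type > MAX_TYPE)
        return false;
    if (length > MAX_PAYLOAD)
        return false;

    /* Only at this point would a real dissector touch the columns or the
     * protocol tree, typically by calling its normal dissect function. */
    return true;
}

/* Registration as given in the reply (Wireshark API, left as a comment here
 * because it needs Wireshark's headers):
 *   heur_dissector_add("tcp", dissect_energywise_tcp_heur, proto_energywise);
 */

/* Convenience wrapper: build a stand-in tvbuff over a byte array and run the
 * heuristic on it. */
static bool heur_matches(const uint8_t *buf, unsigned captured_len)
{
    tvbuff_t tvb = { buf, captured_len };
    return dissect_example_tcp_heur(&tvb);
}

/* Constructed sample segments (not captured traffic). */
static const uint8_t SAMPLE_OK[]        = { 0x01, 0x02, 0x00, 0x10, 0xAA };
static const uint8_t SAMPLE_SHORT[]     = { 0x01, 0x02, 0x00 };      /* truncated header */
static const uint8_t SAMPLE_BADVER[]    = { 0x02, 0x02, 0x00, 0x10 };
static const uint8_t SAMPLE_BADTYPE[]   = { 0x01, 0x09, 0x00, 0x10 };
static const uint8_t SAMPLE_TOOLONG[]   = { 0x01, 0x01, 0x10, 0x00 }; /* length 4096 */
static const uint8_t SAMPLE_HTTP[]      = { 'G', 'E', 'T', ' ', '/' };

int main(void)
{
    printf("ok        -> %d\n", heur_matches(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("short     -> %d\n", heur_matches(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    printf("bad ver   -> %d\n", heur_matches(SAMPLE_BADVER, sizeof SAMPLE_BADVER));
    printf("bad type  -> %d\n", heur_matches(SAMPLE_BADTYPE, sizeof SAMPLE_BADTYPE));
    printf("too long  -> %d\n", heur_matches(SAMPLE_TOOLONG, sizeof SAMPLE_TOOLONG));
    printf("http      -> %d\n", heur_matches(SAMPLE_HTTP, sizeof SAMPLE_HTTP));
    return 0;
}
```

The ordering inside dissect_example_tcp_heur is the point: the length check comes before any byte is read, the match decision comes before any output, and every rejection path returns false without side effects, so a non-matching segment is left untouched for the next heuristic dissector in the "tcp" list.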
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe