Wireshark mailing list archives
Re: display filtering + how to analyze some TCP packets
From: Teto <mattator () gmail com>
Date: Wed, 26 Oct 2011 12:14:19 +0200
On Tue, Oct 25, 2011 at 6:37 PM, Guy Harris <guy () alum mit edu> wrote:
> What is it you're trying to do here?
This was just a personal design concern. The protocol I dissect is TLV based. For each type, I had assigned a function pointer taking as argument a proto_item to which it could append_text (everything was proto_tree_add_text based). But as I wanted to set up display filters, I understood my design was flawed. Well, I modified it and managed to filter my display \o/
> If it's a predefined port for TCP, do the same sort of thing, but using "tcp.port" and the predefined TCP port number and handle for the dissector for your protocol when it runs over TCP.
In fact there is one predefined port for udp and tcp but they can be changed to some arbitrary port.
> If it's not a predefined port, you'd have to, well, analyze the first bytes to know if it matches your protocol.
Right now I analyze the first 2 bytes to check if it's equal to 0x0002 but I am not sure it's the right check (protocol specs are unavailable). If 2 dissectors match the bytes, what may happen ?
> That means making your dissector a heuristic dissector, which: returns a gboolean value - TRUE if it matches, FALSE if it doesn't; as its first action, before doing *anything* to the protocol tree or the columns, checks whether the first bytes look as if the packet is for your protocol or not;
Ok it works \o/ Once I recognize the packet matches my protocol, should dissect_energywise_tcp_heur further analyze the packet or immediately return true, and wireshark would give the packet to some other dissector?

Btw, I had an assert DISSECTOR_ASSERT_NOT_REACHED(); hopefully I looked at the code before asking you, and the comment next to the assert was "/* This part is not implemented yet */". Is it not possible to do a DISSECTOR_ASSERT_NOT_REACHED("This part is not implemented yet")?

Thanks to your advice I managed to achieve 2 things I really wanted to. Next task is to create a conversation. I will try myself and may go back to the list if I don't succeed.

Once more thank you
Matt

___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
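The exchange above turns on one rule for a heuristic dissector: decide whether the bytes are yours before touching the tree or columns, and return FALSE cleanly otherwise. The following added example (not code from the thread, the poster's dissector, or Wireshark itself) shows that structure in plain C, with a byte buffer standing in for the tvbuff_t and a TLV count standing in for the protocol tree, so it runs without epan headers. The wire format is a hypothetical assumption chosen to match the poster's description: a 2-byte big-endian version field that must equal 0x0002, then TLVs of 1-byte type, 2-byte big-endian length and value. The point it adds to the thread is that a single 2-byte magic check is a weak heuristic; also validating that every TLV length fits in the captured bytes both lowers the chance of colliding with another dissector and protects the later parsing code from out-of-bounds reads on malformed or truncated input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical wire format assumed for this example (not from the thread):
 *   uint16 version (big-endian, must be 0x0002)
 *   repeated TLV: uint8 type, uint16 length (big-endian), value[length] */
#define EXPECTED_VERSION 0x0002u
#define HEADER_LEN 2u
#define TLV_HDR_LEN 3u

/* Stand-in for tvb_get_ntohs(). */
static uint16_t get_ntohs(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* The heuristic check: runs first and touches no tree/column state.
 * Accepts only if the version matches and every TLV fits in the buffer.
 * In a real dissector `len` would come from tvb_captured_length(). */
bool looks_like_our_protocol(const uint8_t *buf, size_t len)
{
    if (len < HEADER_LEN + TLV_HDR_LEN)
        return false;                      /* too short to hold a version + one TLV */
    if (get_ntohs(buf) != EXPECTED_VERSION)
        return false;                      /* the poster's 2-byte check */

    size_t off = HEADER_LEN;
    size_t tlvs = 0;
    while (off < len) {
        if (len - off < TLV_HDR_LEN)
            return false;                  /* truncated TLV header */
        uint16_t vlen = get_ntohs(buf + off + 1);
        if (vlen > len - off - TLV_HDR_LEN)
            return false;                  /* declared length escapes the buffer */
        off += TLV_HDR_LEN + vlen;
        tlvs++;
    }
    return tlvs > 0;
}

/* Stand-in for the heuristic dissector body. Returns the gboolean-style
 * verdict; `*tlv_count` (our "protocol tree") is only written after the
 * check passed, mirroring the rule quoted in the thread. */
bool heur_dissect(const uint8_t *buf, size_t len, unsigned *tlv_count)
{
    if (!looks_like_our_protocol(buf, len))
        return false;                      /* leave the packet for other dissectors */

    unsigned n = 0;
    for (size_t off = HEADER_LEN; off < len; ) {
        uint16_t vlen = get_ntohs(buf + off + 1);   /* already validated above */
        n++;                               /* here a real dissector adds tree items */
        off += TLV_HDR_LEN + vlen;
    }
    *tlv_count = n;
    return true;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t kGood[]       = {0x00,0x02, 0x01,0x00,0x02,0xAA,0xBB, 0x07,0x00,0x00};
static const uint8_t kBadVersion[] = {0x00,0x03, 0x01,0x00,0x02,0xAA,0xBB};
static const uint8_t kTruncated[]  = {0x00,0x02, 0x01,0x00,0x10,0xAA};

int main(void)
{
    unsigned n = 0;
    printf("good:       %d (tlvs=%u)\n", heur_dissect(kGood, sizeof kGood, &n), n);
    printf("badversion: %d\n", heur_dissect(kBadVersion, sizeof kBadVersion, &n));
    printf("truncated:  %d\n", heur_dissect(kTruncated, sizeof kTruncated, &n));
    return 0;
}
```

In a real plugin the same two functions would use tvb_captured_length() and tvb_get_ntohs() instead of a raw pointer, and the dissector would be registered with heur_dissector_add() on "tcp" (or "udp"); the shape of the check does not change.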