
Wireshark-dev: Re: [Wireshark-dev] X11/GLX dissector



From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 07 Aug 2006 09:59:21 -0700

Max Lapan wrote:

>> The best way to do it, in theory, would be to have the X11 dissector export a dissector table for extensions.
>
> Sorry, I'm new to Wireshark internal interfaces, so maybe I'm asking a
> newbie question. Did I guess right that to force heur_dissector_add()
> to work, the parent dissector must call register_dissector_table() at the
> dissector registration stage and dissector_try_heuristic() during the
> analysis stage?

No.

If you have a dissector for a protocol that's associated with a particular numerical value of a particular field in the parent protocol (e.g., a particular value of the Ethernet type field), the parent dissector would call register_dissector_table() in its registration routine to create the dissector table, the child dissector would call dissector_add() on that table in its handoff registration routine, and the parent dissector would call dissector_try_port() during the analysis stage.

There are similar routines for string values.

If you have a dissector for a protocol that can't be associated with particular values in the calling protocol, so you would have to look at the contents of the packet to try to guess what protocol it's for, that's a heuristic dissector. For those, the parent dissector would call register_heur_dissector_list() in its registration routine to create the heuristic dissector table, the child dissector would call heur_dissector_add() on that table in its handoff registration routine, and the parent dissector would call dissector_try_heuristic() during the analysis stage.

> Yes, you're absolutely right. I didn't think about that. The major
> opcode returned by XQueryExtension is a dynamic value and depends on the
> load order of the X11 server extension modules.
>
> So, there is no solution 'in general'. But the X11 dissector maintains an
> extensions table (which is built according to XQueryExtension replies). Is
> there a standard way in Wireshark to 'publish' such a table from a dissector
> module to others?
>
> As you've noted, X11 extensions have more or less standard names, so
> my module can query the X11 dissector for the GLX major_opcode value.

Probably the best way to do this would be to register extension dissectors using the extension *name*, and, for an X request with a request code >= 128, attempt to look up the request code in the extensions table and, if it finds the extension name, call dissector_try_string() with the extension name.
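
The name-keyed lookup proposed in the last paragraph, modelled as a stand-alone C program. This is an added example, not code from the thread or from Wireshark: it does not use the real dissector-table API, and every identifier and sample value in it is hypothetical.

```c
/* Stand-alone model of name-keyed dispatch, NOT the Wireshark API; names are hypothetical. */
#include <stdio.h>
#include <string.h>
#define MAX_EXT 8
typedef int (*ext_dissector_t)(const unsigned char *req, size_t len);

/* Global table, filled once at registration: extension name -> dissector. */
static struct { const char *name; ext_dissector_t fn; } registry[MAX_EXT];
static size_t registry_n;

/* Per-connection table learned from QueryExtension replies: opcode -> name. */
struct conversation {
    struct { unsigned char opcode; const char *name; } ext[MAX_EXT];
    size_t n;
};

static int register_ext_dissector(const char *name, ext_dissector_t fn) {
    if (registry_n == MAX_EXT) return -1;
    registry[registry_n].name = name;
    registry[registry_n++].fn = fn;
    return 0;
}
static int record_query_extension(struct conversation *c, const char *name, unsigned char opcode) {
    if (c->n == MAX_EXT || opcode < 128) return -1;  /* extensions get >= 128 */
    c->ext[c->n].opcode = opcode;
    c->ext[c->n++].name = name;
    return 0;
}

/* Returns the extension dissector's result, or 0 when nothing claims the request. */
static int dispatch_request(const struct conversation *c, const unsigned char *req, size_t len) {
    if (len < 2 || req[0] < 128) return 0;           /* runt or core request */
    for (size_t i = 0; i < c->n; i++)
        if (c->ext[i].opcode == req[0])              /* opcode -> name */
            for (size_t j = 0; j < registry_n; j++)  /* name -> dissector */
                if (strcmp(registry[j].name, c->ext[i].name) == 0)
                    return registry[j].fn(req, len);
    return 0;
}

/* Toy GLX dissector: byte 1 of an extension request carries the minor opcode. */
static int dissect_glx(const unsigned char *req, size_t len) { (void)len; return 1000 + req[1]; }

int main(void) {
    static struct conversation c;                    /* zero-initialised */
    const unsigned char req[] = { 143, 5, 1, 0 };    /* constructed sample request */
    register_ext_dissector("GLX", dissect_glx);
    record_query_extension(&c, "GLX", 143);
    printf("%d\n", dispatch_request(&c, req, sizeof req));
    return 0;
}
```

Because the registry is keyed by name, the same GLX handler is reached whether a given server assigned the extension opcode 143 or any other value of 128 or above.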

