Wireshark-dev: Re: [Wireshark-dev] newbie question about dissecting protocol with many message subtypes

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 02 Sep 2006 14:28:47 -0700

Andrew Schweitzer wrote:

Should I use field arrays? That seems like an awful lot of fields (100 * about 10) to add to the protocol's field list.

Does each of the 100 packet types have fields that appear in no other packet type? If so, then, yes, that's a lot of fields, but that's how we do it in other protocols.

Can you add a field list to a subtree?

What do you mean by "field array" and "field list"? Are we talking about each packet type having about 10 *different* fields, or 10 instances of the *same* field, e.g. a protocol with a request to get a list of IP addresses from the other machine and a reply containing the IP addresses wouldn't have "proto.reply.ip_addr_1", "proto.reply.ip_addr_2", "proto.reply.ip_addr_3", etc. fields, it'd just have several instances of "proto.reply.ip_addr".

I see that NBNS defines multiple protocols.

No, NBNS is one protocol, not multiple protocols.

The file named "packet-nbns.c" contains dissectors for multiple protocols, but that's for historical reasons, as the comment at the beginning of the file says; one could argue that there should be "packet-nbns.c" with the NBNS dissector, "packet-nbds.c" with the NBDS dissector, and "packet-nbss.c" with the NBSS dissector. Those are three different protocols, even though they're all defined by the same RFCs (1001 and 1002).

Should I define a different protocol for each message type?

No.  You said "*a* proprietary protocol", so it's just one protocol.

That also seems excessive.

Not only would it be excessive, it would be the wrong thing to do.