Wireshark-dev: [Wireshark-dev] conversation_add_proto_data

From: David Dugoujon <dav176fr@xxxxxxxx>
Date: Mon, 22 Jan 2007 09:57:59 -0800 (PST)
Dear All,

I am new to wireshark and I am trying to write a
dissector plugin for the freepastry binary protocol.
 
This protocol runs on top of TCP and, for some reason,
I need to keep a context for the TCP streams.
Indeed, FreePastry requires a specific header to be
sent over a newly established TCP connection.

The pastry Stream header looks like this:
Pastry_magic_number (4 bytes)
...
AppId (4bytes)

If Pastry_magic_number != 0x2740753A, I know that this
socket is not related to freepastry.
If AppId != 0, I know that the stream is related to a
tier 2 application that reused the freepastry socket
management facilities (i.e. I won't be able to dissect
the stream because it is application specific).

Then, the freepastry application stream is broken up
into "normal" messages (payload-len + payload)

Here is my problem:

I tried to use conversation_add_proto_data(...) to
save information about appId:

typedef struct _freepastry_conv_info_t {
        gboolean app_conv;
} freepastry_conv_info_t;

I first wanted to create a new conversation, but I
noticed that a conversation was already created by
wireshark (i.e. find_conversation(pinfo->fd->num,
&pinfo->src, &pinfo->dst, pinfo->ptype,
pinfo->srcport, pinfo->destport, 0) never returns a
NULL pointer).
Is it normal?

Next, when I save private data with
conversation_add_proto_data for the current
conversation, I notice that the tree information
related to freepastry for this message is not
displayed.

Here is the code I wrote to save context:

  /* Look up the conversation; as noted above, the TCP
   * dissector has already created it, so this does not
   * return NULL. app_id was read from the stream header. */
  conversation_t *conversation = find_conversation(pinfo->fd->num,
      &pinfo->src, &pinfo->dst, pinfo->ptype,
      pinfo->srcport, pinfo->destport, 0);
  freepastry_conv_info_t *freepastry_info;

  /* Do we already have a state structure for this
   * conversation? */
  freepastry_info = conversation_get_proto_data(conversation,
      proto_freepastry);
  if (!freepastry_info) {
    gboolean is_app_socket = FALSE;
    /* No. Attach that information to the conversation,
     * and add it to the list of information structures.
     * se_alloc: memory lives for the whole capture session. */
    freepastry_info = se_alloc(sizeof(freepastry_conv_info_t));
    if (app_id != 0) {
      is_app_socket = TRUE;
    }
    freepastry_info->app_conv = is_app_socket;
    conversation_add_proto_data(conversation, proto_freepastry,
        freepastry_info);
  }

Here is the code I wrote to display message structure:

  if (tree) {
    proto_item *ti =  NULL;
    proto_tree *freepastry_tree = NULL;
    gint offset = 0;

    ti = proto_tree_add_item(tree, proto_freepastry,
tvb, 0, -1, FALSE);
    freepastry_tree = proto_item_add_subtree(ti,
ett_freepastry);

    proto_tree_add_item(freepastry_tree,
hf_freepastry_header_magic_number, tvb, offset, 4,
FALSE);
    offset += 4;
...
}

When I comment out the line 
conversation_add_proto_data(conversation,
proto_freepastry, freepastry_info); the protocol tree
for freepastry is correctly displayed.

Do you have any idea where the problem is? Have I
understood correctly the use of
conversation_add_proto_data()? Is there a better way
to do this?

Thanks,

David

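The following is an added, standalone illustration of the per-TCP-stream state the message above describes; it is not code from the post and not FreePastry's or Wireshark's own code, and it does not use the Wireshark API at all (a plain array indexed by stream id stands in for the conversation table, and a frame number stands in for pinfo->fd->num). It assumes a hypothetical header layout of the magic number directly followed by AppId (the post elides the fields in between), and 4-byte big-endian payload lengths for the "normal" messages (the post does not give the width). It also covers one case the post does not mention: Wireshark dissects the same frame more than once, so the state records which frame carried the header instead of only a "seen" flag, otherwise re-dissecting that frame would misread the header bytes as messages.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PASTRY_MAGIC 0x2740753AU
#define MAX_STREAMS  8
/* Assumption: magic (4 bytes) immediately followed by AppId (4 bytes).
 * The post elides the fields in between, so this length is a stand-in. */
#define HEADER_LEN   8

typedef enum {
    R_NEED_MORE,    /* segment ends inside a header or a message: needs reassembly */
    R_NOT_PASTRY,   /* magic mismatch on this stream: leave the socket alone */
    R_APP_OPAQUE,   /* AppId != 0: tier-2 application data, not dissected */
    R_MESSAGES      /* FreePastry messages were framed (count via n_messages) */
} result_t;

/* Per-stream state, the counterpart of freepastry_conv_info_t. */
typedef struct {
    unsigned header_frame;  /* frame that carried the stream header; 0 = not seen yet
                               (Wireshark frame numbers start at 1) */
    bool     not_pastry;
    bool     app_conv;
} stream_info_t;

/* Stand-in for the conversation table: one slot per TCP stream id. */
static stream_info_t streams[MAX_STREAMS];

void reset_streams(void) { memset(streams, 0, sizeof streams); }

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Dissect one TCP segment of stream `stream_id` seen in frame `frame_num`.
 * n_messages may be NULL; otherwise it receives the number of complete
 * messages framed in this segment (messages counted before a R_NEED_MORE
 * are included). */
result_t dissect_segment(unsigned stream_id, unsigned frame_num,
                         const uint8_t *data, size_t len, unsigned *n_messages)
{
    unsigned count = 0;
    size_t offset = 0;
    stream_info_t *info;

    if (n_messages) *n_messages = 0;
    if (stream_id >= MAX_STREAMS) return R_NOT_PASTRY;
    info = &streams[stream_id];                      /* conversation_get_proto_data() */

    if (info->not_pastry) return R_NOT_PASTRY;

    /* Parse the header if the stream is new, or if we are re-dissecting the
     * very frame that carried it. A plain "seen" flag would be wrong here. */
    if (info->header_frame == 0 || info->header_frame == frame_num) {
        if (len < HEADER_LEN) return R_NEED_MORE;
        if (be32(data) != PASTRY_MAGIC) { info->not_pastry = true; return R_NOT_PASTRY; }
        info->header_frame = frame_num;              /* conversation_add_proto_data() */
        info->app_conv = be32(data + 4) != 0;
        offset = HEADER_LEN;
    }
    if (info->app_conv) return R_APP_OPAQUE;

    /* "Normal" messages: payload-len (assumed 4-byte big-endian) + payload. */
    while (offset < len) {
        uint32_t plen;
        if (len - offset < 4) { if (n_messages) *n_messages = count; return R_NEED_MORE; }
        plen = be32(data + offset);
        if (len - offset - 4 < plen) { if (n_messages) *n_messages = count; return R_NEED_MORE; }
        offset += 4 + plen;
        count++;
    }
    if (n_messages) *n_messages = count;
    return R_MESSAGES;
}

/* Convenience wrapper returning only the message count. */
unsigned count_messages(unsigned stream_id, unsigned frame_num,
                        const uint8_t *data, size_t len)
{
    unsigned n;
    dissect_segment(stream_id, frame_num, data, len, &n);
    return n;
}

/* Constructed sample segments (not captured traffic). */
const uint8_t SEG_HDR_MSG[]  = { 0x27,0x40,0x75,0x3A, 0,0,0,0, 0,0,0,3, 'a','b','c' };
const uint8_t SEG_TWO_MSGS[] = { 0,0,0,2, 'h','i', 0,0,0,0 };
const uint8_t SEG_APP_HDR[]  = { 0x27,0x40,0x75,0x3A, 0,0,0,7, 0,0,0,1, 'x' };
const uint8_t SEG_NOT_PASTRY[] = { 'G','E','T',' ', 0,0,0,0 };

int main(void)
{
    unsigned n;
    reset_streams();
    printf("stream 0 frame 1: result %d, %u messages\n",
           (int)dissect_segment(0, 1, SEG_HDR_MSG, sizeof SEG_HDR_MSG, &n), n);
    printf("stream 0 frame 2: result %d, %u messages\n",
           (int)dissect_segment(0, 2, SEG_TWO_MSGS, sizeof SEG_TWO_MSGS, &n), n);
    printf("stream 0 frame 1 again: result %d, %u messages\n",
           (int)dissect_segment(0, 1, SEG_HDR_MSG, sizeof SEG_HDR_MSG, &n), n);
    printf("stream 1 frame 3: result %d\n",
           (int)dissect_segment(1, 3, SEG_APP_HDR, sizeof SEG_APP_HDR, NULL));
    printf("stream 2 frame 4: result %d\n",
           (int)dissect_segment(2, 4, SEG_NOT_PASTRY, sizeof SEG_NOT_PASTRY, NULL));
    return 0;
}
```

The state is created once per stream and then consulted on every later segment, which is exactly what the conversation data buys you in a real dissector; the frame-number check is the part that keeps the first segment dissecting correctly when Wireshark revisits it.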