Wireshark

  • Riverbed Technology
  • WinPcap
SHARKFEST '12 - Wireshark Developer and User Conference - June 24-27, 2012 - UC Berkeley, Clark Kerr Campus
  • Wireshark
    • About
    • Download
    • Blog
  • Get Help
    • Ask a Question
    • FAQs
    • Documentation
    • Mailing Lists
    • Online Tools
    • Wiki
    • Bug Tracker
  • Develop
    • Get Involved
    • Developer's Guide
    • Browse the Code
    • Latest Builds

Wireshark-dev: Re: [Wireshark-dev] [Wiresharkl-dev] Adding a dissector for "Analyze->Decode As" only

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next


From: "Bryan Miller" <millerb@xxxxxxx>
Date: Mon, 30 Apr 2007 16:33:45 -0600

Title: Message
> From: Guy Harris <guy@xxxxxxxxxxxx>
> Date: Fri, 16 Feb 2007 16:03:41 -0800
>
> On Feb 16, 2007, at 3:28 PM, Ravi Kondamuru wrote:
>

I am trying to write a dissector for a non-standard rpc protocol.
Writing a heuristic to automatically identify the protocol is getting too complicated. So, I was wondering if I could add a dissector that can be used when I select a connection and explictly say Decode As. 
Is it possible to do that?



 


 


If your protocol runs directly on top of UDP or TCP, yes. (If it runs
on top of some other RPC protocol - i.e., if by "rpc protocol" 



you mean a protocol that is implemented using some RPC
mechanism such as ONC RPC or DCE RPC - then, no, you can't, and you
*shouldn't*; there's already a mechanism for registering dissectors for
ONC RPC-based and DCE RPC-based protocols.) 


 


If it is, any pointers to notes on how can it be done?



 


 


If your protocol runs on top of UDP, so that you'd want to use "Decode
As" to indicate that a particular UDP port should be used for your
protocol, then call 
	dissector_add_handle("udp.port", {the handle for your dissector});


If your protocol runs on top of TCP, so that you'd want to use "Decode
As" to indicate that a particular TCP port should be used for your
protocol, then call 
	dissector_add_handle("tcp.port", {the handle for your dissector});






---


(Please excuse the email format. 
I am cut-n-pasting to a PDA)


Is it possible to add both TCP and UDP
handles to a dissector?  I have succesfully built an RPC
based dissector but it is only called for TCP packets.  UDP packets go
undissected.


In my proto_reg_handoff I call the
canonical rpc_init_prog() and rpc_init_proc_table which appear to default to the
rpc_tcp_handle.


 




    

  • Prev by Date:
Re: [Wireshark-dev] Patch Netflow v9 to decode Netflow options, and other fixes

    • 

  • Previous by thread:
Re: [Wireshark-dev] Patch Netflow v9 to decode Netflow options, and other fixes

    • 

  • Index(es):

      

    • Date
      • 

    • Thread
      • 

    

    • 


















Wireshark and the "fin" logo are registered trademarks of the Wireshark Foundation