Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] How to register the plugins

Date: Wed, 16 Jul 2008 12:25:48 +0530

It is a connection oriented message with CODT type



I have commented the heur_dissect_add line in both the plugin and using only dissector_add to register the plugins.





Now it is not dissecting the data portion either as xxx or yyy.

It just displays as data shown below.





SS7 SCCP-User Adaptation Layer

    Version: Release 1 (1)

    Reserved: 00

    Message Class: Connection-Oriented messages (8)

    Message Type: Connection Oriented Data Transfer (CODT) (8)

    Message Length: 64

    Sequence number

    Network appearance (3)

    Destination reference number (6302348)

    Data (SS7 message of 27 bytes)

    Data (27 bytes)

        Data: 00070084000184008E010002000092008000010002000100...



If I use heur_dissector_add function in any of the plugin then data which ever comes in SS7 message is taken as that particular plugin, even when the packet contains the data of other plugin.



If I use the heur_dissector_add in both plugins then it first dissects yyy and the data above it is dissected as xxx.



I couldn't understand how bssap packet of same format (CODT) could able to dissect without SSN no. but the one which I wrote couldn't dissect them properly.



Looking forward for suggestions,



Regards,

Atdev.


________________________________

From: wireshark-dev-bounces@xxxxxxxxxxxxx on behalf of Luis EG Ontanon
Sent: Tue 7/15/2008 7:36 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] How to register the plugins



Does it use Connection Oriented or Connection Less?

SCCP and SUA carry the SSN number only in the CC message. So, In order
to know which subdissector to use for CO messages other than CC
SCCP/SUA mantains a table of connections, this is disabled by default
(try enabling "Trace Associations" in SCCP preferences). That has been
tested with SCCP,  the implementation in SUA has not being thoroughly
tested due to lack of capture files.


If you can send a capture file we might see what's going with SUA's
connection tracking

(cut the capture just after the SUA header)


On Tue, Jul 15, 2008 at 2:27 PM,  <atdev.queries@xxxxxxxxx> wrote:
> Hi
>
> It was my mistake, they are 90 and 91 only not 91 and 92 as stated first.
>
> Regards,
> Chandra.
>
> ________________________________
>
> From: wireshark-dev-bounces@xxxxxxxxxxxxx on behalf of Abhik Sarkar
> Sent: Tue 7/15/2008 5:41 PM
> To: Developer support list for Wireshark
> Subject: Re: [Wireshark-dev] How to register the plugins
>
>
>
> You said initially that the SSN's are 91 and 92, but you are
> subsequently using 90 and 91 during registration... Not sure if that
> is correct. If it isn't then XXX messages should be dissected as YYY
> messages.
>
> Also, you might want to not register the heuristic dissector and try.
>
> HTH
> Abhik.
>
> On Tue, Jul 15, 2008 at 3:39 PM,  <atdev.queries@xxxxxxxxx> wrote:
>> Hi all,
>>
>>
>>
>> I wrote two plugins which run on sua layer. The plugins are xxx and yyy and
>> their subsystem no. are 91 and 92 respectively.
>>
>>
>>
>> Now I registered the two protocols as
>>
>>
>>
>> For XXX plugin:
>>
>>
>>
>> static guint global_xxx_ssn = 90;
>>
>>
>>
>> Void proto_reg_handoff_xxx(void)
>>
>> {
>>
>>                    static dissector_handle_t xxx_handle;
>>
>> heur_dissector_add("sua", dissect_xxx,  proto_xxx);
>>
>> xxx_handle = create_dissector_handle(dissect_xxx, proto_xxx);
>>
>> dissector_add("sccp.ssn", global_xxx_ssn, xxx_handle);
>>
>>
>>
>> }
>>
>>
>>
>> For YYY plugin:
>>
>>
>>
>> static guint global_yyy_ssn = 91;
>>
>>
>>
>> Void proto_reg_handoff_yyy(void)
>>
>> {
>>
>>                    static dissector_handle_t yyy_handle;
>>
>> heur_dissector_add("sua", dissect_yyy, proto_yyy);
>>
>> yyy_handle = create_dissector_handle(dissect_yyy, proto_yyy);
>>
>> dissector_add("sccp.ssn", global_yyy_ssn,  yyy_handle);
>>
>>
>>
>> }
>>
>>
>>
>> Now the problem is the data what ever comes above sua layer is dissected as
>> yyy protocol.
>>
>> The data which comes after yyy protocol is dissected as xxx protocol.
>>
>> But both the plugins should run on sua layer and depending on subsystem no.
>> they have to be differentiated.
>>
>>
>>
>> Can any one please suggest me how to register the plugins properly so that
>> then can be dissected properly on sua layer?
>>
>>
>>
>> Thanks in advance,
>>
>> Atdev.
>>
>> Please do not print this email unless it is absolutely necessary.
>>
>> The information contained in this electronic message and any attachments to
>> this message are intended for the exclusive use of the addressee(s) and may
>> contain proprietary, confidential or privileged information. If you are not
>> the intended recipient, you should not disseminate, distribute or copy this
>> e-mail. Please notify the sender immediately and destroy all copies of this
>> message and any attachments.
>>
>> WARNING: Computer viruses can be transmitted via email. The recipient should
>> check this email and any attachments for the presence of viruses. The
>> company accepts no liability for any damage caused by any virus transmitted
>> by this email.
>>
>> www.wipro.com
>>
>> _______________________________________________
>> Wireshark-dev mailing list
>> Wireshark-dev@xxxxxxxxxxxxx
>> https://wireshark.org/mailman/listinfo/wireshark-dev
>>
>>
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-dev
>
>
>
> Please do not print this email unless it is absolutely necessary.
>
> The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments.
>
> WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
>
> www.wipro.com
>
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-dev
>
>



--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-dev



Please do not print this email unless it is absolutely necessary. 

The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. 

WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. 

www.wipro.com

<<winmail.dat>>