Wireshark-dev: Re: [Wireshark-dev] Plugin module dissctor fails assertion

From: Johannes Bauer <dfnsonfsduifb@xxxxxx>
Date: Thu, 05 Feb 2009 17:18:44 +0100

Jeff Morriss schrieb:

>> dissector_add("usb.bulk", 0x1, sbig_handle);
>>
>> it just does not recognize bulk trasnfers as the SBIG protocol. How do I
>> then use the dissector_add command to achieve what I want?
> 
> Does the USB field "bInterfaceClass" (which appears to be the field that
> corresponds to the value used by the "usb.bulk" dissector table) have a
> value of 1 in the packets you have?  According to packet-usb.h that
> would be for an audio device.

Oh, alright - no it doesn't. It had 0xffff there. If I change my code to
use 0xffff, it works.

One question, though: How did you find out that bInterfaceClass
corresponds to the usb.bulk table? I've poked around some in the
sourcecode of wireshark, but did not find that reference.

All in all, that bInterfaceClass is quite mysterious to me anyways
because it does not appear to be a "real" field in the sense of it is
not part of the dump. Even if I create an empty packet with all fields
set to 0 (except for the URB type and URB transfer type fields), the
bInterfaceClass is 0xffff. I do not know where wireshark processes that.

> Another possibility is that another dissector/plugin is also trying to
> claim packets with "usb.bulk" set to 1.  That's not the case in the SVN
> tree, though: only values of 8 are taken by the usb-massstorage dissector.

Oh, okay. That seems pretty coarse, however. What if two dissectors
claim traffic to USB packets of type MISC, one is for a certain device A
 and another for a device B - how can that be achieved when the devices
are different in e.g. the bus ID?

Thanks a lot, Jeff!
Kind regards,
Johannes