Ethereal-dev: Re: [Ethereal-dev] dissector newbie needs some guidance..

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Guy Harris" <gharris@xxxxxxxxx>
Date: Tue, 10 Aug 2004 17:32:41 -0700 (PDT)
Kelly Byrd said:
> DAAP uses HTTP as a transport (on port 3689), the body of the
> requests and responses are not plain text, but a simple tagged
> format: 4 char tagname, followed by a 4 bytes length, then "length"
> bytes of data. Some tags are containers, whose data portion is other
> tags of the same format. DAAP messages will span segments, and
> responses are often gzip encoded. There's a few specs around, and I'm
> comfortable with code that deals with the format.
>
> How should I register my dissector? I looked at packet-ipp, which
> registers as a sub-dissector of http. I also looked at packet-text-media
> which appears to be a system of registering dissectors as mime types,
> like packet-gif (the content-type header for DAAP is
> application/x-dmap-tagged).

packet-text-media.c *uses* the system for registering dissectors as media
types; it doesn't *implement* that system.  The system is implemented in
packet-http.c and in other dissectors using its "media_type" dissector
table.

> Which do I use?  What are the advantages of each method,

Advantage of registering by media type:

    You get called regardless of the port the traffic is using, so you're
not tied to specific port numbers.

    You get called by *any* dissector that supports the "media_type"
dissector table - the HTTP dissector isn't the only one that uses it.

Disadvantages of registering by media type:

    If the protocol doesn't use a port number for which a dissector using
the "media_type" dissector table is called, your dissector won't get
called, either.

It looks as if DAAP should register by port number rather than media type,
as it doesn't use a standard HTTP port number, but *does* have a port
number it uses, and doesn't use anything other than HTTP as a transport.

> When I register as a http sub-dissector, where is the tvbuff passed to
> me pointing, at the start of the body?

Yes.

> Is there any way to get the URL used for a request message
> (I may not need it, so it's not a deal-breaker, if one method doesn't
> allow it).

No.  The HTTP dissector could be modified to supply that *if* it's necessary.
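
As an added illustration (not part of the original message and not Ethereal's code), here is a bounds-checked walk over the tagged body format described in the quoted question: a 4-character tag, a 4-byte length, then that many bytes of data, with containers nesting. The big-endian length, the container tag list, `MAX_DEPTH`, and the sample bytes are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_DEPTH 8 /* assumed nesting limit, not taken from any DAAP spec */

/* Constructed sample: container "msrv" holding "mstt" (status 200) and "minm". */
static const uint8_t sample[] = "msrv\x00\x00\x00\x18"
                                "mstt\x00\x00\x00\x04\x00\x00\x00\xc8"
                                "minm\x00\x00\x00\x04" "test";
#define SAMPLE_LEN (sizeof sample - 1) /* drop the literal's trailing NUL */

/* Assumed container tags; a real dissector needs the complete list. */
static int is_container(const uint8_t *tag)
{
    return memcmp(tag, "msrv", 4) == 0 || memcmp(tag, "mlcl", 4) == 0;
}

/* Walk the tags in buf[0..len); return how many were seen, -1 if malformed. */
int daap_walk(const uint8_t *buf, size_t len, int depth)
{
    size_t off = 0;
    int count = 0;
    if (depth > MAX_DEPTH) /* refuse unbounded container nesting */
        return -1;
    while (off < len) {
        if (len - off < 8) /* truncated tag name or length field */
            return -1;
        /* Length assumed big-endian (network byte order). */
        uint32_t dlen = (uint32_t)buf[off + 4] << 24 | (uint32_t)buf[off + 5] << 16 |
                        (uint32_t)buf[off + 6] << 8 | (uint32_t)buf[off + 7];
        if (dlen > len - off - 8) /* data would run past the enclosing buffer */
            return -1;
        count++;
        if (is_container(buf + off)) {
            int inner = daap_walk(buf + off + 8, dlen, depth + 1);
            if (inner < 0)
                return -1;
            count += inner;
        }
        off += 8 + (size_t)dlen;
    }
    return count;
}

int main(void)
{
    printf("tags: %d\n", daap_walk(sample, SAMPLE_LEN, 0));
}
```

Each length is checked against the bytes remaining in its enclosing container rather than the whole body, so a nested tag cannot claim data that belongs to its parent's siblings.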