Wireshark-dev: Re: [Wireshark-dev] Question concerning some specific protocol...

From: "Tobias Erichsen" <erichsen@xxxxxxxxxxxxx>
Date: Sat, 30 Sep 2006 21:48:46 +0200
The problem is that the port is not fixed - the protocol(s) may run on
any ports.

Are protocols that are recognized automatically by Wireshark always
recognized by the port, not by the content of the datagrams?

I know that I can go on a sniffed packet and say "decode as" selecting
the protocol manually, but it would be cool to let wireshark/my protocol
plugin find it out automatically if it finds any packets that are
encoded according to the proprietary protocol and, as soon as this fact
is established, all packets for this udp-port-tuple will be decoded
by my plugin, even though some of the packets won't match the proprietary
signature (in this case I would know that it is RTP-data and decode accordingly).

Tobias 

> -----Original Message-----
> From: wireshark-dev-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On behalf of
> Jaap Keuter
> Sent: Saturday, 30 September 2006 17:53
> To: Developer support list for Wireshark
> Subject: Re: [Wireshark-dev] Question concerning some
> specific protocol... [heur]
> 
> Hi,
> 
> Well that is simple then. Register your proprietary dissector 
> for the UDP port. If it's your protocol dissect it, otherwise 
> hand it over to the RTP dissector.
> 
> Thanx,
> Jaap
> 
> On Sat, 30 Sep 2006, Tobias Erichsen wrote:
> 
> > Hi everyone,
> >
> > I have used Ethereal/Wireshark for some time now, and I would like to
> > contribute by developing a protocol-plugin for a combination of a
> > proprietary and an open protocol based on RTP...
> >
> > Both protocols run on the same UDP port-pair tuple. The proprietary
> > protocol can be detected very easily, as it has an easy-to-distinguish
> > signature.  The RTP-based part is not, as RTP has really no good
> > recognition value.
> >
> > So how would I design such a dissector, that if I detect the easy-to-
> > recognize proprietary protocol on a UDP-port-tuple, I could then
> > heuristically see that the other datagrams will be the RTP-based ones
> > and hand their decoding over appropriately (writing again my own dissector
> > for this specific RTP payload type)?
> >
> > Best regards,
> > Tobias
> >
> > PS.: I will be developing & testing the stuff on Windows-platform,
> > cause that's what I'm most familiar with ;-)
> >
> 
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>
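The design Tobias asks for in this thread (a content heuristic that detects the proprietary signature on any UDP port, binds that address/port tuple to the plugin, and hands the later datagrams of the same tuple that lack the signature to the RTP dissector) sketched as an added Lua dissector example. This is not code from the thread or from the Wireshark project; the `PRP1` signature, the `myprop` protocol name and the field names are placeholders standing in for the real proprietary format, and the RTP handoff uses Wireshark's registered `rtp` dissector.

```lua
-- Added example, not from the thread. A Wireshark Lua dissector that:
--  1. registers a UDP heuristic keyed on the payload content, not a port;
--  2. on the first signature match binds the whole UDP conversation
--     (address/port tuple) to this protocol;
--  3. inside the bound conversation, dissects signature datagrams itself
--     and passes everything else to the RTP dissector.

local SIGNATURE = "PRP1"  -- placeholder; the real proprietary signature goes here

local myprop = Proto("myprop", "Hypothetical proprietary protocol over UDP")
local f_sig  = ProtoField.string("myprop.signature", "Signature")
local f_body = ProtoField.bytes("myprop.body", "Body")
myprop.fields = { f_sig, f_body }

-- RTP is registered under the dissector name "rtp" in Wireshark.
local rtp = Dissector.get("rtp")

-- The content check: signature bytes at the start of the UDP payload.
local function has_signature(tvb)
    return tvb:len() >= #SIGNATURE
       and tvb(0, #SIGNATURE):string() == SIGNATURE
end

-- Conversation dissector. Once pinfo.conversation has been set (below),
-- Wireshark calls this for every datagram of the bound tuple, so it must
-- decide per packet whether it sees the proprietary format or RTP.
function myprop.dissector(tvb, pinfo, tree)
    if has_signature(tvb) then
        pinfo.cols.protocol = "MYPROP"
        local subtree = tree:add(myprop, tvb())
        subtree:add(f_sig, tvb(0, #SIGNATURE))
        if tvb:len() > #SIGNATURE then
            subtree:add(f_body, tvb(#SIGNATURE))
        end
        return tvb:len()
    end
    -- Same tuple, no signature: per the thread, this is the RTP stream.
    rtp:call(tvb, pinfo, tree)
    return tvb:len()
end

-- UDP heuristic. Wireshark offers a datagram to registered heuristics
-- when no port-based dissector claims it (or first, if the UDP
-- preference "try heuristic sub-dissectors first" is enabled).
local function heur_myprop(tvb, pinfo, tree)
    if not has_signature(tvb) then
        return false          -- not ours; let other heuristics try
    end
    -- Bind the address/port tuple so later datagrams (including the RTP
    -- ones without the signature) are delivered straight to myprop.dissector.
    pinfo.conversation = myprop
    myprop.dissector(tvb, pinfo, tree)
    return true
end

myprop:register_heuristic("udp", heur_myprop)
```

Two properties of this design are worth checking in a capture before relying on it. The binding only happens after the first signature datagram, so RTP packets that precede it in the capture are not claimed; and if another dissector is already registered on the port in use, the heuristic is not consulted unless heuristics are tried first, which is the situation Jaap's port-based suggestion avoids and Tobias's variable-port case cannot.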