Wireshark-dev: Re: [Wireshark-dev] a query
From: Guy Harris <[email protected]>
Date: Wed, 13 Dec 2006 11:19:23 -0800
vanita disale wrote:

> We need to implement HSRPv2 protocol.
> Currently ethereal supports HSRPv1 (packet-hsrp.c).
> The problem is HSRPv1 acts on a different multicast address and HSRPv2 acts on a different multicast address. Hence HSRPv2 cannot be made a part of the packet-hsrp.c.
Yes, it can.

The problem is that the packets have a different format, so the code in packet-hsrp.c that dissects HSRPv1 packets can't dissect HSRPv2 packets. However, you could put the code to dissect HSRPv2 packets in the same file as the code that dissects HSRPv1 packets.
> So how do we direct ethereal to give the packets that it captures on the multicast address for HSRPv2 to our HSRPv2 dissector? I don't know how ethereal is made to give the packets to an application based on the IP address.
It *isn't* made to do that.

> Because it runs in promiscuous mode it will just capture every packet that comes its way.
1) Wireshark doesn't *have* to run in promiscuous mode.

2) You can use a capture filter.

> But the real problem is that we need to make it give the packets to the HSRPv2 protocol whenever it receives the packets directed to the multicast address for HSRPv2.
Are the packets for HSRPv2 sent to a particular UDP port number?

According to RFC 2281, packets for HSRPv1 are sent to port 1985; the HSRPv1 dissector registers for that port, so traffic to port 1985 is given to that dissector *regardless of the IP address to which it's being sent*.

I.e., the packets are *NOT* given to the HSRPv1 dissector based on the IP address. They're given to the HSRPv1 dissector based on the *UDP port number*.

If HSRPv2 works the same way, then the HSRPv2 dissector can do the same.
(By the way, it's now called Wireshark, not Ethereal.)

(Also, by the way, as was noted in a reply by Anders Broman in another thread:

capture and dissection are not connected - just because Wireshark has captured several different types of packets, that doesn't mean it can't dissect each of those packet types correctly.)
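As an added illustration of the point made above (not code from the thread or from Wireshark's packet-hsrp.c): a constructed, self-contained stand-in for Wireshark's "udp.port" dissector table shows that a handler registered for port 1985 is chosen by port alone, so the destination multicast address never enters the lookup, and one dissector entry point can branch on the packet format. The v1 sample packet follows the RFC 2281 field order; the v2 layout is not described on the page, so treating any non-zero first octet as "v2" and the 224.0.0.102 address are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UDP_PORT_HSRP 1985   /* RFC 2281: HSRP traffic goes to UDP port 1985 */

enum { HANDLER_NONE = -1, DISSECT_UNKNOWN = 0, DISSECT_HSRPV1 = 1, DISSECT_HSRPV2 = 2 };

typedef int (*dissector_t)(const uint8_t *payload, size_t len);

/* Constructed stand-in for epan's "udp.port" dissector table: keyed by port only. */
static struct { uint16_t port; dissector_t handler; } udp_port_table[8];
static size_t udp_port_table_len;

/* Plays the role of dissector_add_uint("udp.port", port, handle) in the real API. */
static void register_udp_port(uint16_t port, dissector_t handler) {
    udp_port_table[udp_port_table_len].port = port;
    udp_port_table[udp_port_table_len].handler = handler;
    udp_port_table_len++;
}

/* One dissector for both formats: inspect the first octet and branch.
 * HSRPv1 (RFC 2281) carries version 0 there in a 20-octet header; anything
 * else is ASSUMED here to be the HSRPv2 layout, which the thread does not give. */
static int dissect_hsrp(const uint8_t *payload, size_t len) {
    if (len == 0) return DISSECT_UNKNOWN;
    if (payload[0] == 0) return len >= 20 ? DISSECT_HSRPV1 : DISSECT_UNKNOWN;
    return DISSECT_HSRPV2;
}

static void setup_udp_table(void) {
    udp_port_table_len = 0;                 /* safe to call more than once */
    register_udp_port(UDP_PORT_HSRP, dissect_hsrp);
}

/* What the UDP layer does: pick the handler for dst_port. dst_ip is deliberately
 * never consulted, which is the point of the reply above. */
static int udp_dispatch(const char *dst_ip, uint16_t dst_port,
                        const uint8_t *payload, size_t len) {
    (void)dst_ip;
    if (udp_port_table_len == 0) setup_udp_table();
    for (size_t i = 0; i < udp_port_table_len; i++)
        if (udp_port_table[i].port == dst_port)
            return udp_port_table[i].handler(payload, len);
    return HANDLER_NONE;
}

/* Constructed HSRPv1 Hello (RFC 2281 order): version 0, opcode 0 Hello, state 16 Active,
 * hellotime 3, holdtime 10, priority 100, group 1, reserved, 8-octet auth "cisco", virtual IP. */
static const uint8_t hsrp_v1_hello[20] = { 0x00, 0x00, 0x10, 0x03, 0x0a, 0x64, 0x01, 0x00,
    'c', 'i', 's', 'c', 'o', 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x01 };
/* Constructed placeholder for a v2 packet: only its non-zero first octet matters here. */
static const uint8_t hsrp_v2_sample[4] = { 0x01, 0x28, 0x02, 0x00 };

int main(void) {
    printf("v1 to 224.0.0.2   -> %d\n", udp_dispatch("224.0.0.2", 1985, hsrp_v1_hello, sizeof hsrp_v1_hello));
    printf("v2 to 224.0.0.102 -> %d\n", udp_dispatch("224.0.0.102", 1985, hsrp_v2_sample, sizeof hsrp_v2_sample));
    printf("v1 to port 1986   -> %d\n", udp_dispatch("224.0.0.2", 1986, hsrp_v1_hello, sizeof hsrp_v1_hello));
    return 0;
}
```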