
Wireshark-dev: Re: [Wireshark-dev] invoking tcp sub-dissectors from a custom dissector

From: "Ravi Kondamuru" <ravikondamuru@xxxxxxxxx>
Date: Sat, 16 Jun 2007 22:20:34 -0700
 
Thanks Steve. Your approach helped me in getting to invoke the http dissector. However, the entire tcp conversation is also being dissected as http. I just want the first request-response packets to be interpreted as http and not the rest. Is there a way to choose the packets in the trace that can be dissected as http and not the entire conversation?
 
Below are the first 3 packets from the trace. I would like to not treat the packets from the 3rd as HTTP. That's where the custom protocol data is.
 
Frame 151 (156 bytes on wire, 156 bytes captured)
Ethernet II, Src: Ibm_ae:9c:f5 (00:11:25:ae:9c:f5), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01)
Internet Protocol, Src: 10.216.132.102 (10.216.132.102), Dst: 10.102.32.56 (10.102.32.56)
Transmission Control Protocol, Src Port: 3560 (3560), Dst Port: http (80), Seq: 1, Ack: 1, Len: 102
Hypertext Transfer Protocol
    GET /test.pl HTTP/1.1\r\n
    \r\n
 
Frame 162 (198 bytes on wire, 198 bytes captured)
Ethernet II, Src: Cisco_23:1a:c0 (00:15:c7:23:1a:c0), Dst: Ibm_ae:9c:f5 (00:11:25:ae:9c:f5)
Internet Protocol, Src: 10.102.32.56 (10.102.32.56), Dst: 10.216.132.102 (10.216.132.102)
Transmission Control Protocol, Src Port: http (80), Dst Port: 3560 (3560), Seq: 1, Ack: 103, Len: 144
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    Content-Type: text/html\r\n
    Cache-control: no-cache\r\n
    Pragma: no-cache\r\n
    Content-Length: 0\r\n
    \r\n
 
Frame 746 (134 bytes on wire, 134 bytes captured)
Ethernet II, Src: Ibm_ae:9c:f5 (00:11:25:ae:9c:f5), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01)
Internet Protocol, Src: 10.216.132.102 (10.216.132.102), Dst: 10.102.32.56 (10.102.32.56)
Transmission Control Protocol, Src Port: 3560 (3560), Dst Port: http (80), Seq: 103, Ack: 145, Len: 80
Hypertext Transfer Protocol
    Data (80 bytes)
 
thanks,
Ravi.
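
One way to get the per-packet selection asked about above, shown as an added example that is not part of this thread and not Wireshark's own code: a Lua dissector (Wireshark's scripting API, used here instead of the C API the thread discusses) that takes over TCP port 80, hands only the first request/response of each TCP stream to the built-in HTTP dissector, and dissects everything after that as the custom protocol. The protocol name, field and the `looks_like_http` check are assumptions; the per-frame table exists because Wireshark re-dissects packets out of order on later passes, so the decision must be remembered per frame, not only per stream.

```lua
-- Added example (not from the thread): custom protocol that follows one HTTP exchange.
local proto = Proto("mycustom", "Custom protocol after HTTP handshake")  -- assumed name
local f_len = ProtoField.uint32("mycustom.len", "Payload length")
proto.fields = { f_len }

local http = Dissector.get("http")          -- Wireshark's built-in HTTP dissector
local tcp_stream = Field.new("tcp.stream")  -- stream index filled in by the TCP dissector

-- Per-stream phase: "request" -> "response" -> "custom".
local stream_state = {}
-- Per-frame decision so second-pass and on-click re-dissection stay consistent.
local frame_is_http = {}

function proto.init()                        -- reset when a new capture is loaded
    stream_state = {}
    frame_is_http = {}
end

-- Rudimentary HTTP check (assumption): request line starts with a method
-- and a space, response line starts with "HTTP/".
local function looks_like_http(tvb)
    local head = tvb:range(0, math.min(8, tvb:len())):string()
    return head:match("^[A-Z]+ ") ~= nil or head:match("^HTTP/") ~= nil
end

function proto.dissector(tvb, pinfo, tree)
    if tvb:len() == 0 then return 0 end
    local stream = tostring(tcp_stream())
    local frame = pinfo.number
    if frame_is_http[frame] == nil then
        -- First time this frame is seen: decide once from stream phase plus content.
        local phase = stream_state[stream] or "request"
        local is_http = phase ~= "custom" and looks_like_http(tvb)
        if is_http and phase == "request" then
            stream_state[stream] = "response"
        elseif is_http and phase == "response" then
            stream_state[stream] = "custom"   -- handshake done; rest is custom data
        end
        frame_is_http[frame] = is_http
    end
    if frame_is_http[frame] then
        return http:call(tvb, pinfo, tree)    -- delegate to the real HTTP dissector
    end
    pinfo.cols.protocol = proto.name
    local sub = tree:add(proto, tvb())
    sub:add(f_len, tvb:len())
    return tvb:len()
end

-- Claim port 80 so the HTTP dissector no longer sees the whole conversation.
DissectorTable.get("tcp.port"):add(80, proto)
```

Load it with `wireshark -X lua_script:mycustom.lua`; in the trace above, frames 151 and 162 should then show as HTTP and frame 746 onward as the custom protocol.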
 
From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Date: Sat, 16 Jun 2007 18:16:04 -0700
 
On Sat, Jun 16, 2007 at 05:34:08PM -0700, Ravi Kondamuru wrote:

> I am implementing a tcp based custom protocol dissector. Each tcp
> conversation starts with a http request-response followed by a series
> of custom protocol data exchanges. I have been able to implement
> dissecting the custom protocol, however for the initial request/
> response, I am not able to figure out how to call the tcp
> sub-dissectors to take care of dissecting it. I have some rudimentary
> mechanism to identify if it is a http packet or a custom data packet.

Try looking at the http_payload_subdissector function in
epan/dissectors/packet-http.c to see how it calls the tcp sub-dissectors
based on the destination port number of a "CONNECT <hostname>:<port>"
request seen in the HTTP part of the conversation.  Specifically look at
this call:

dissect_tcp_payload(next_tvb, pinfo, 0, tcpinfo->seq, /* 0 = offset */
    tcpinfo->nxtseq, dissect_as,
    pinfo->destport, tree, tree, tcpd);

Let us know if you need further assistance.


Steve