
Wireshark-dev: Re: [Wireshark-dev] How to register a dissector for a specific traffic type?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 20 Nov 2007 13:06:58 -0800
Yves Geissbühler wrote:

> I have several protocols running on top of each other: TCP > MPA (RFC 5044) > [DDP (RFC 5042) | RDMAP (RFC 5040)].

> Currently, I am calling my DDP/RDMAP dissector as a subdissector from my MPA dissector. Because my DDP/RDMAP dissector could also be used on top of SCTP (replacing TCP and MPA), calling it as a subdissector from my MPA dissector does not seem to be the right solution anymore. It would make more sense if my DDP/RDMAP dissector would get called whenever there is MPA or SCTP traffic. So I would like to register my DDP/RDMAP dissector for these two types of traffic.

I don't think you want to have your dissector be the *only* dissector for the payload of SCTP traffic - that'd prevent the dissection of any other protocol atop SCTP.

Therefore, there needs to be some way to arrange that only *some* SCTP traffic be treated as DDP traffic.

There are a couple of ways of doing that:

1) have your dissector register with the SCTP dissector to be called for particular SCTP port or PPI values (if there's a fixed value, use that, otherwise make the value a preference);

2) have your dissector be a heuristic dissector.

> In which manner do I have to return (in the proto_reg_handoff_mpa()?) from my MPA dissector such that a call to heur_dissector_add("mpa", dissect_ddp_rdmap, proto_ddp_rdmap) in my DDP/RDMAP dissector would work?

If this is DDP over SCTP, with no MPA involved (MPA appears to exist because TCP is byte-stream-oriented rather than packet-oriented; SCTP is packet-oriented so that's not an issue), the MPA dissector wouldn't be involved at all.

If the DDP dissector registers for a specific SCTP port or PPI, you would call

	dissector_add("sctp.port", {port number}, {handle for DDP dissector});

or

	dissector_add("sctp.ppi", {PPI number}, {handle for DDP dissector});

in proto_reg_handoff_ddp().

If the DDP dissector is heuristic - which I infer from "such that a call to heur_dissector_add("mpa", dissect_ddp_rdmap, proto_ddp_rdmap) in my DDP/RDMAP dissector would work?" that it is - you would call

	heur_dissector_add("sctp", dissect_ddp_rdmap, proto_ddp_rdmap);

in proto_reg_handoff_ddp().