Wireshark-dev: Re: [Wireshark-dev] Developing a dissector for MODBUS-based protocol
From: "Barnes, Pat" <[email protected]>
Date: Tue, 24 Jun 2008 16:59:56 +1000
From what I've found thus far, a heuristic dissector would be the most
appropriate type.
This code below:
...
#include "config.h"
#include <glib.h>
#include <epan/packet.h>

/* protocol handle; stays -1 until proto_register_protocol() assigns it */
static int proto_foo = -1;

void proto_register_foo(void) {
	if (proto_foo == -1) {
		proto_foo = proto_register_protocol("FooBar Protocol", "FooBar", "foo");
	}
}

/* heuristic entry point: return TRUE only once the payload has been
 * recognised and dissected; FALSE leaves the bytes to the next candidate */
static gboolean dissect_foo_heur(tvbuff_t *tvb, packet_info *pinfo,
				 proto_tree *parent_tree)
{
	(void)tvb; (void)pinfo; (void)parent_tree;	/* nothing recognised yet */
	return FALSE;
}

void proto_reg_handoff_foo(void) {
	static gboolean initialized = FALSE;
	if (!initialized) {
		/* heur_dissector_add() looks up an existing heuristic subdissector
		 * list by name (the owning dissector creates it with
		 * register_heur_dissector_list()) and asserts if none is found */
		heur_dissector_add("mbtcp", dissect_foo_heur, proto_foo);
		initialized = TRUE;
	}
}
...
Should just load without causing errors, and not recognise any packets
(yet). The heuristic dissector is added to "mbtcp" - because it's a
particular subset of the modbus/tcp protocol.

It builds without problems, but crashes Wireshark! (btw, where would a
relevant log file be found?)
If I change "mbtcp" to just "tcp", there are no errors. (but I want to
have the dissector sit under mbtcp so that I can access the mbtcp
fields)

What is happening? 

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Barnes, Pat
Sent: Tuesday, 24 June 2008 10:06 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Developing a dissector for MODBUS-based protocol

Thanks for your advice - I hadn't seen the doc/ folder in the source
tree.

I've managed to get the dev environment up and running in Windows
(VC2005) ... Although the 1.0.0 release wouldn't build due to a flex bug
(2493), r25469 is working fine thus far.

I don't think modifying the existing modbus dissector is the answer -
there will be *real* modbus traffic on the network as well.

It would be ideal if the modbus dissector could do its analysis first,
and our 'mbrpc' dissector would run afterwards if
(modbus_tcp.func_code==23&&modbus_tcp.write_addr>0x1000) is satisfied,
further interpreting the packet.

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Stephen Fisher
Sent: Tuesday, 24 June 2008 9:41 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Developing a dissector for MODBUS-based protocol

On Mon, Jun 23, 2008 at 06:12:59PM +1000, Barnes, Pat wrote:

> The current modbus dissector is not suitable - it does not show the 
> data anywhere but in the raw output. I need to provide for example, 
> the name of the function in the packet summary, and the value of each 
> parameter by name in the detailed view.
> 
> My question is should I create the dissector as one that replaces 
> mbtcp (the modbus dissector), or as one that sits underneath mbtcp and
> re-processes (and relabels) those modbus packets that it recognises?

Can you extend the current modbus dissector to interpret the data you
need to see?

> Of course, I'm not really sure how to accomplish this second task, or 
> even really the first one. (I've read through 
> http://www.codeproject.com/KB/IP/custom_dissector.aspx and 
> http://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html, and
> have started 'tinkering' thus far)

Make sure to read doc/README.developer too.  Check out the latest source
code from the SVN repository and set up your development environment.  
Are you going to be programming on Windows or Unix?  
http://www.wireshark.org/docs/wsdg_html_chunked/ChapterSetup.html should
help you get going with the dev environment (if you don't already have
one set up), but is mainly focused on Windows.


Steve
_______________________________________________
Wireshark-dev mailing list
[email protected]
https://wireshark.org/mailman/listinfo/wireshark-dev



DISCLAIMER:---------------------------------------------------------------------------
This e-mail transmission and any documents, files and previous e-mail
messages attached to it are private and confidential. They may contain
proprietary or copyright material or information that is subject to
legal professional privilege. They are for the use of the intended
recipient only.  Any unauthorised viewing, use, disclosure, copying,
alteration, storage or distribution of, or reliance on, this message is
strictly prohibited. No part may be reproduced, adapted or transmitted
without the written permission of the owner. If you have received this
transmission in error, or are not an authorised recipient, please
immediately notify the sender by return email, delete this message and
all copies from your e-mail system, and destroy any printed copies.
Receipt by anyone other than the intended recipient should not be deemed
a waiver of any privilege or protection. Thales Australia does not
warrant or represent that this e-mail or any documents, files and
previous e-mail messages attached are error or virus free.
--------------------------------------------------------------------------------------

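An added example, not code from the thread or from the Wireshark tree: a stand-alone C parser for a Modbus/TCP frame that applies the condition Pat gives (function code 23 with a write address above 0x1000) to decide whether a frame would be claimed by the proposed 'mbrpc' dissector. It does the bounds checks a heuristic dissector must do before trusting any length byte, which is what the real dissector would have to do with tvb_length() before calling heur_dissector_add()'s callback a success. The sample frames are constructed, 'mbrpc' and the 0x1000 threshold are taken from the message, and the function and type names are this example's own.

```c
/* Added example: stand-alone Modbus/TCP parsing plus the 'mbrpc' heuristic
 * from the thread. Not from the thread or the Wireshark tree; the frames
 * below are constructed and the names are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MBAP_HDR_LEN          7      /* transaction id, protocol id, length, unit id */
#define FC_READ_WRITE_REGS    23     /* 0x17, Read/Write Multiple Registers */
#define MBRPC_WRITE_ADDR_MIN  0x1000 /* threshold quoted in the message (assumption) */

typedef struct {
    uint16_t transaction_id, protocol_id, length;
    uint8_t  unit_id, func_code;
    uint16_t read_addr, read_qty, write_addr, write_qty;
    uint8_t  write_byte_count;
    const uint8_t *write_data;       /* points into the caller's buffer */
} mb_rw_regs_req_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse an MBAP header followed by a function-23 request PDU.
 * Every field is bounds-checked against len before it is read.
 * Returns 1 on a well-formed request, 0 on anything else. */
int mb_parse_rw_regs_request(const uint8_t *buf, size_t len, mb_rw_regs_req_t *out)
{
    if (buf == NULL || out == NULL || len < MBAP_HDR_LEN + 1)
        return 0;
    out->transaction_id = be16(buf);
    out->protocol_id    = be16(buf + 2);
    out->length         = be16(buf + 4);     /* bytes after this field, unit id included */
    out->unit_id        = buf[6];
    out->func_code      = buf[7];
    if (out->protocol_id != 0)               /* 0 is the only Modbus protocol id */
        return 0;
    if ((size_t)out->length + 6 != len)      /* header length must match the frame */
        return 0;
    if (out->func_code != FC_READ_WRITE_REGS)
        return 0;
    if (len < MBAP_HDR_LEN + 10)             /* fc + 4 x u16 + byte count */
        return 0;
    out->read_addr        = be16(buf + 8);
    out->read_qty         = be16(buf + 10);
    out->write_addr       = be16(buf + 12);
    out->write_qty        = be16(buf + 14);
    out->write_byte_count = buf[16];
    /* spec limits: 1..125 registers read, 1..121 written, 2 bytes per register */
    if (out->read_qty < 1 || out->read_qty > 125)
        return 0;
    if (out->write_qty < 1 || out->write_qty > 121)
        return 0;
    if (out->write_byte_count != out->write_qty * 2)
        return 0;
    if (len != (size_t)(MBAP_HDR_LEN + 10 + out->write_byte_count)) /* no trailing or missing data */
        return 0;
    out->write_data = buf + MBAP_HDR_LEN + 10;
    return 1;
}

/* Convenience wrapper: is this frame any well-formed FC 23 request? */
int mb_frame_is_rw_regs_request(const uint8_t *buf, size_t len)
{
    mb_rw_regs_req_t req;
    return mb_parse_rw_regs_request(buf, len, &req);
}

/* The condition from the message: modbus_tcp.func_code == 23 &&
 * modbus_tcp.write_addr > 0x1000. A heuristic dissector would return TRUE
 * here and only then build its own tree; anything else is left to mbtcp. */
int mbrpc_heuristic(const uint8_t *buf, size_t len)
{
    mb_rw_regs_req_t req;
    if (!mb_parse_rw_regs_request(buf, len, &req))
        return 0;
    return req.write_addr > MBRPC_WRITE_ADDR_MIN;
}

/* Constructed sample frames (not captured traffic). */
const uint8_t FRAME_MBRPC[] = {            /* FC 23, write_addr 0x1234, one register */
    0x00,0x01, 0x00,0x00, 0x00,0x0D, 0x01, 0x17,
    0x00,0x00, 0x00,0x01, 0x12,0x34, 0x00,0x01, 0x02, 0xBE,0xEF };
const uint8_t FRAME_PLAIN_FC23[] = {       /* FC 23, write_addr 0x0010: ordinary Modbus */
    0x00,0x02, 0x00,0x00, 0x00,0x0D, 0x01, 0x17,
    0x00,0x00, 0x00,0x01, 0x00,0x10, 0x00,0x01, 0x02, 0xBE,0xEF };
const uint8_t FRAME_FC3[] = {              /* FC 3, Read Holding Registers */
    0x00,0x03, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0x00, 0x00,0x0A };
const size_t FRAME_MBRPC_LEN      = sizeof FRAME_MBRPC;
const size_t FRAME_PLAIN_FC23_LEN = sizeof FRAME_PLAIN_FC23;
const size_t FRAME_FC3_LEN        = sizeof FRAME_FC3;

int main(void)
{
    printf("mbrpc frame:      %d\n", mbrpc_heuristic(FRAME_MBRPC, FRAME_MBRPC_LEN));
    printf("plain FC23 frame: %d\n", mbrpc_heuristic(FRAME_PLAIN_FC23, FRAME_PLAIN_FC23_LEN));
    printf("FC3 frame:        %d\n", mbrpc_heuristic(FRAME_FC3, FRAME_FC3_LEN));
    printf("truncated frame:  %d\n", mbrpc_heuristic(FRAME_MBRPC, FRAME_MBRPC_LEN - 1));
    return 0;
}
```

The length checks are the part worth carrying into a real heuristic: the MBAP length field and the write byte count both come from the wire, so each is validated against the buffer before any field beyond it is read, and a frame that fails any check is refused rather than partially claimed.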