
Wireshark-dev: Re: [Wireshark-dev] heuristic Dissector for Dummies

From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Date: Mon, 1 Sep 2008 10:56:06 -0400

For example, which lines of code do I need to explain wireshark to check these 4 conditions:

Tom,

How about something like this:

static gboolean dissect_PROTOABBREV(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
...

/* Make sure the 5 header bytes are actually present before reading them;
 * otherwise tvb_get_*() throws on short packets that were never ours. */
if ( tvb_length(tvb) < 5 )
    return (FALSE);

1) first byte must be 0x42
if ( tvb_get_guint8(tvb, 0) != 0x42 )
    return (FALSE);

2) second byte is a type field and only can contain values between 0x20-0x33
if ( tvb_get_guint8(tvb, 1) < 0x20 || tvb_get_guint8(tvb, 1) > 0x33 )
    return (FALSE);

3) third byte is a flag field, where the lower 4 bits always contain the value 0
if ( tvb_get_guint8(tvb, 2) & 0x0f )
    return (FALSE);

4) fourth and fifth bytes contain a 16-bit length field, where the value can't be longer than 10000 bytes
/* Assumes network byte order */
if ( tvb_get_ntohs(tvb, 3) > 10000 )
    return (FALSE);

/* Assume it's your packet and do dissection */

return (TRUE);
}


And don’t forget to register as a heuristic dissector, at least in the case of udp and tcp.  For ip, you can’t simply register as a heuristic dissector though.  For one thing, the ip header contains a protocol field, which determines the next dissector to be called.  So, if you have a protocol with a unique IP protocol ID, then you can register with that ID as I’ve shown below.  If that’s the case, then you should probably also change dissect_PROTOABBREV to return int instead of gboolean since the dissector will be a dual heuristic/normal dissector.  If heuristics fail, still return 0, but if heuristics succeed, then return the number of bytes dissected by your protocol rather than simply returning TRUE.

void
proto_reg_handoff_PROTOABBREV(void)
{
    static gboolean PROTOABBREV_inited = FALSE;
    dissector_handle_t PROTOABBREV_handle;

    if ( !PROTOABBREV_inited )
    {
        heur_dissector_add("udp", dissect_PROTOABBREV, proto_PROTOABBREV);
        heur_dissector_add("tcp", dissect_PROTOABBREV, proto_PROTOABBREV);
        PROTOABBREV_handle = new_create_dissector_handle(dissect_PROTOABBREV, proto_PROTOABBREV);
        dissector_add("ip.proto", IP_PROTO_PROTOABBREV, PROTOABBREV_handle);
        PROTOABBREV_inited = TRUE;
    }
}


Good luck.

- Chris
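The same signature check as a stand-alone C program, added here for illustration; it is neither Chris's code nor part of Wireshark, and works on a plain byte buffer instead of a tvbuff_t so it compiles without the Wireshark headers. Beyond the four conditions it shows the length guard a heuristic needs before touching the header and, as an assumption about the protocol, treats the 16-bit field as the total PDU length so a value larger than the bytes actually present is rejected too; the sample payloads are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN          5       /* magic, type, flags, 16-bit length */
#define MAX_DECLARED_LEN 10000

/* Why a payload was rejected; handy when tuning a heuristic against traces. */
enum heur_result { HEUR_MATCH = 0, HEUR_TOO_SHORT, HEUR_BAD_MAGIC,
                   HEUR_BAD_TYPE, HEUR_BAD_FLAGS, HEUR_BAD_LENGTH };

/* The four conditions from the thread, plus the guards a heuristic that runs
 * over arbitrary UDP/TCP payloads needs: enough bytes to read the header at
 * all, and (assumption) a declared PDU length no larger than the bytes present. */
enum heur_result check_protoabbrev(const uint8_t *buf, size_t len)
{
    if (len < HDR_LEN)
        return HEUR_TOO_SHORT;          /* tvb_get_*() would throw here */
    if (buf[0] != 0x42)
        return HEUR_BAD_MAGIC;          /* 1) first byte must be 0x42 */
    if (buf[1] < 0x20 || buf[1] > 0x33)
        return HEUR_BAD_TYPE;           /* 2) type field in 0x20..0x33 */
    if (buf[2] & 0x0f)
        return HEUR_BAD_FLAGS;          /* 3) low nibble of flags is zero */
    uint16_t declared = (uint16_t)((buf[3] << 8) | buf[4]);  /* network byte order */
    if (declared > MAX_DECLARED_LEN || (size_t)declared > len)
        return HEUR_BAD_LENGTH;         /* 4) <= 10000 and <= bytes present */
    return HEUR_MATCH;
}

int main(void)
{
    /* Constructed sample payloads, not taken from any capture. */
    static const uint8_t ok[]    = {0x42, 0x21, 0x30, 0x00, 0x08, 0xaa, 0xbb, 0xcc};
    static const uint8_t runt[]  = {0x42, 0x21};
    static const uint8_t big[]   = {0x42, 0x21, 0x30, 0x27, 0x11};  /* 0x2711 = 10001 */
    static const uint8_t trunc[] = {0x42, 0x21, 0x30, 0x00, 0x40};  /* claims 64 bytes */
    static const char *names[] = {"MATCH", "TOO_SHORT", "BAD_MAGIC",
                                  "BAD_TYPE", "BAD_FLAGS", "BAD_LENGTH"};

    printf("ok    -> %s\n", names[check_protoabbrev(ok, sizeof ok)]);
    printf("runt  -> %s\n", names[check_protoabbrev(runt, sizeof runt)]);
    printf("big   -> %s\n", names[check_protoabbrev(big, sizeof big)]);
    printf("trunc -> %s\n", names[check_protoabbrev(trunc, sizeof trunc)]);
    return 0;
}
```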

From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Tom Stevens
Sent: Saturday, August 30, 2008 7:00 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] heuristic Dissector for Dummies


Thank you very much for your great explanation. Something I had known before, but thanks anyway.
Particularly the point "How do these heuristics work?" and your given example should be very useful for anybody who wants to know how a heuristic dissector works.

My problem is that I have to write a heuristic dissector on my own. Hence, I need code snippets or something else that will show me how to put my ideas (searching patterns) down on paper (C source code).

For example, which lines of code do I need to explain to Wireshark to check these 4 conditions:

1) first byte must be 0x42
2) second byte is a type field and only can contain values between 0x20 - 0x33
3) third byte is a flag field, where the lower 4 bits always contain the value 0
4) fourth and fifth bytes contain a 16-bit length field, where the value can't be longer than 10000 bytes

My protocol should work independently of the underlying (I hope this is the right word) protocol and port numbers.
Look at the picture to see what I mean: http://farm4.static.flickr.com/3185/2802328059_ed78644686_o.png

Hope you could help me, greetings Tom (Germany)


[snip]
