
Wireshark-dev: Re: [Wireshark-dev] Best practice for dissecting modular protocol

From: Jan Gerbecks <jan.gerbecks@xxxxxxxxxxxxxxx>
Date: Fri, 18 Dec 2009 11:21:34 +0100
Thanks Steve,

the CDP dissector looks very promising, but I am still open to other suggestions ;)
Will try to find a CDP trace with a bit more information than in the ones uploaded to the Wireshark wiki.


Jan

On 18.12.2009, at 10:56, Stephen Fisher wrote:

> 
> On Dec 18, 2009, at 2:11 AM, Jan Gerbecks wrote:
> 
>> +---------------+----------------+--------------------------------------------+---------+--------+------+-----+
>> | FieldID 8 bit | Length 16 bit  | Data as specified in FieldID and described | FieldID | Length | Data | ... |
>> |               |                | by Length                                  |         |        |      |     |
>> +---------------+----------------+--------------------------------------------+---------+--------+------+-----+
> 
> This looks just like the common Type-Length-Value (TLV) format (http://en.wikipedia.org/wiki/Type-length-value 
> ) used in protocols such as Cisco Discovery Protocol (CDP) and many  
> others.  Unfortunately, Wireshark does not have built-in routines for  
> easily handling TLV data right now.  Try looking at how the CDP  
> dissector handles it (epan/dissectors/packet-cdp.c).  Maybe others can  
> suggest a better example dissector.
> 
>> To dissect this correctly, I could obviously try to define the  
>> maximum number of PNRP Ids in the hf_register_info hf[] Array but  
>> that doesn't seem like a very elegant solution.
> 
>> I had a look at the VNC dissector but it didn't quite solve the  
>> same problem.
> 
> Yeah.. As the writer of a lot of the VNC dissector, I would say that  
> it's probably not a good example as the total length of the nested  
> messages in VNC usually isn't known at the beginning of the message,  
> so it's kind of a hack to get it to work at all :).
> 
> 
> Steve
> 
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>
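The TLV layout discussed in this thread (8-bit FieldID, 16-bit Length, Length bytes of Data, repeated until the container ends) is worth seeing as a bounds-checked loop, since the usual bug in hand-written dissectors is trusting the Length field and reading past the end of the buffer. The following is an added example written for this page, not code from Wireshark's CDP or VNC dissectors; it is plain C with no epan API so it runs stand-alone, and it assumes big-endian Length (the thread does not state the byte order) and that the total length of the container is known up front, as in the format Jan describes. The sample buffers are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Layout from the thread: FieldID (8 bit) | Length (16 bit, big-endian assumed) | Data[Length] */
#define TLV_HDR_LEN 3

typedef struct {
    uint8_t        type;   /* FieldID */
    uint16_t       len;    /* declared Data length */
    const uint8_t *data;   /* points into the caller's buffer, not a copy */
} tlv_t;

/* Parse one TLV starting at offset. Returns bytes consumed (3 + len),
 * or 0 when the header or the declared Data would run past buf_len. */
size_t tlv_next(const uint8_t *buf, size_t buf_len, size_t offset, tlv_t *out)
{
    if (offset > buf_len || buf_len - offset < TLV_HDR_LEN)
        return 0;  /* not even a full header left */
    uint8_t  type = buf[offset];
    uint16_t len  = (uint16_t)((buf[offset + 1] << 8) | buf[offset + 2]);
    if (buf_len - offset - TLV_HDR_LEN < len)
        return 0;  /* Length claims more bytes than remain: reject, never clamp silently */
    out->type = type;
    out->len  = len;
    out->data = buf + offset + TLV_HDR_LEN;
    return TLV_HDR_LEN + len;
}

/* Walk every TLV in a container of known length (the case in the thread).
 * Returns the number of TLVs, or -1 if any TLV is truncated or oversized.
 * Up to max_types FieldIDs are written to types_out so callers can inspect them.
 * A zero-length TLV still consumes its 3-byte header, so the loop always advances. */
int tlv_walk(const uint8_t *buf, size_t buf_len, uint8_t *types_out, int max_types)
{
    size_t off = 0;
    int    n   = 0;
    while (off < buf_len) {
        tlv_t  tlv;
        size_t consumed = tlv_next(buf, buf_len, off, &tlv);
        if (consumed == 0)
            return -1;  /* a dissector would flag this as a malformed packet here */
        if (n < max_types)
            types_out[n] = tlv.type;
        n++;
        off += consumed;
    }
    return n;
}

/* Constructed samples (not captured traffic): three well-formed TLVs,
 * one whose Length (0xFFFF) exceeds the remaining byte, and a cut-off header. */
const uint8_t sample_good[] = {
    0x01, 0x00, 0x02, 0xAA, 0xBB,   /* FieldID 1, Length 2 */
    0x02, 0x00, 0x00,               /* FieldID 2, Length 0 */
    0x03, 0x00, 0x01, 0xCC          /* FieldID 3, Length 1 */
};
#define SAMPLE_GOOD_LEN 12
const uint8_t sample_oversized[] = { 0x01, 0xFF, 0xFF, 0x00 };
#define SAMPLE_OVERSIZED_LEN 4
const uint8_t sample_truncated[] = { 0x01, 0x00 };
#define SAMPLE_TRUNCATED_LEN 2

int main(void)
{
    uint8_t types[8];
    int n = tlv_walk(sample_good, SAMPLE_GOOD_LEN, types, 8);
    printf("good: %d TLVs, FieldIDs", n);
    for (int i = 0; i < n && i < 8; i++)
        printf(" %u", types[i]);
    printf("\n");
    printf("oversized: %d\n", tlv_walk(sample_oversized, SAMPLE_OVERSIZED_LEN, types, 8));
    printf("truncated: %d\n", tlv_walk(sample_truncated, SAMPLE_TRUNCATED_LEN, types, 8));
    return 0;
}
```

Inside a real dissector the same loop runs against the tvbuff with the outer length as its bound and each `tlv_next` becomes a `proto_tree_add_item` for the type, length and data fields, which avoids predeclaring a maximum number of entries in `hf[]`. The check against the remaining length is the part to keep: when the container's total length is not known in advance (Steve's VNC case) the walker has no end bound and has to stop on a terminator or a parse failure instead, which is why that dissector is a poor template for this format.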