Wireshark-dev: Re: [Wireshark-dev] Dissecting a Protocol with multiple static TCP ports

From: Craig Bumpstead <cbumpste@xxxxxxxxxxxx>
Date: Mon, 26 Apr 2010 17:28:52 -0700 (PDT)
Bill,

Thanks for the quick response. That setting is off.
The first and second packets are on TCP ports 4435 and 21016, which it decodes. However, from that point on it doesn't decode packets with TCP port 4435.

I loathe posting my code, but obviously I am making a mistake somewhere.

#ifdef HAVE_CONFIG_H
# include "config.h"
#endif
#include <epan/packet.h>

#define MYPROTO_PORT  21016
#define MYPROTO_PORT2 4435

static int  proto_myproto          = -1;
static int  hf_myproto_pdu_type    = -1;
static int  hf_myproto_sequence    = -1;
/* The handle name must be the same in the declaration, the hf[] entry and the
   proto_tree_add_item() call (hf_myproto_afaspid everywhere). */
static int  hf_myproto_afaspid     = -1;
static int  hf_myproto_messagetype = -1;
static gint ett_myproto            = -1;

static const value_string packettypenames[] = {
    { 1,   "Query Response Message" },
    { 128, "Control Message" },
    { 255, "Free Format Message" },
    { 0,   NULL }
};

/* Prototype must match the static definition below; create_dissector_handle()
   takes a void (*)(tvbuff_t *, packet_info *, proto_tree *) in this API. */
static void dissect_myproto(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree);

void proto_register_myproto(void)
{
    static hf_register_info hf[] = {
        { &hf_myproto_pdu_type,    { "MYPROTO PDU Type", "myproto.type",
            FT_UINT8,  BASE_HEX, VALS(packettypenames), 0x0, NULL, HFILL } },
        { &hf_myproto_sequence,    { "MYPROTO PDU Sequence Number", "myproto.sequence",
            FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL } },
        { &hf_myproto_afaspid,     { "MYPROTO PDU AFASP ID", "myproto.spid",
            FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL } },
        { &hf_myproto_messagetype, { "MYPROTO PDU Message Type", "myproto.messagetype",
            FT_UINT8,  BASE_HEX, NULL, 0x0, NULL, HFILL } },
    };

    /* Setup protocol subtree array */
    static gint *ett[] = { &ett_myproto };

    proto_myproto = proto_register_protocol(
        "MY PROTO Protocol", /* name */
        "MYPROTO",           /* short name */
        "myproto"            /* abbrev */
    );
    proto_register_field_array(proto_myproto, hf, array_length(hf));
    proto_register_subtree_array(ett, array_length(ett));
}

void proto_reg_handoff_myproto(void)
{
    static dissector_handle_t myproto_handle;

    myproto_handle = create_dissector_handle(dissect_myproto, proto_myproto);
    /* One handle, registered once per static port. The TCP dissector tries the
       lower of a segment's two port numbers first, then the higher one. */
    dissector_add("tcp.port", MYPROTO_PORT,  myproto_handle);
    dissector_add("tcp.port", MYPROTO_PORT2, myproto_handle);
}

static void dissect_myproto(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    gint   offset      = 0;
    guint8 packet_type = tvb_get_guint8(tvb, 0);

    col_set_str(pinfo->cinfo, COL_PROTOCOL, "MYPROTO");
    /* Clear out stuff in the info column, then show the PDU type name there. */
    col_clear(pinfo->cinfo, COL_INFO);
    col_add_fstr(pinfo->cinfo, COL_INFO, "%s",
                 val_to_str(packet_type, packettypenames, "Unknown (0x%02x)"));

    if (tree) { /* we are being asked for details */
        proto_item *ti           = NULL;
        proto_tree *myproto_tree = NULL;

        ti           = proto_tree_add_item(tree, proto_myproto, tvb, 0, -1, FALSE);
        myproto_tree = proto_item_add_subtree(ti, ett_myproto);
        /* Last argument FALSE means big-endian in this version of the API. */
        proto_tree_add_item(myproto_tree, hf_myproto_pdu_type,    tvb, offset, 1, FALSE); offset += 1;
        proto_tree_add_item(myproto_tree, hf_myproto_sequence,    tvb, offset, 2, FALSE); offset += 2;
        proto_tree_add_item(myproto_tree, hf_myproto_afaspid,     tvb, offset, 2, FALSE); offset += 2;
        proto_tree_add_item(myproto_tree, hf_myproto_messagetype, tvb, offset, 1, FALSE); offset += 1;
    }
}




----- Original Message ----
From: Bill Meier <wmeier@xxxxxxxxxxx>
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Sent: Tue, 27 April, 2010 8:37:40 AM
Subject: Re: [Wireshark-dev] Dissecting a Protocol with multiple static TCP ports

Craig Bumpstead wrote:
> Hi,
> 
> I am trying to write a dissector for a proprietary protocol. This protocol can use 4 static TCP ports. 
> Thanks to the Wireshark tutorial I have gotten the dissector to work, but only with one static TCP port.
> 
> I have tried:
> dissector_add("tcp.port", 21016, myproto_handle);  
> dissector_add("tcp.port", 4435, myproto_handle);
> ....
> .....
> 
> without any luck; it just decodes the first 2 packets, then will only decode packets with TCP port 21016.
> 


I would have expected that the above would result in your dissector code 
being called for any TCP packet which has either of the ports as a 
source or destination.

I'm not sure what you mean by "it just decodes the first 2 packets ...".

Do you mean that it does decode 2 packets with a tcp port of 4435 ?

If so, my guess is that there's something in your dissector code which 
is clobbering something somehow.

Also: make sure you have the tcp protocol option "Try Heuristic 
sub-dissectors first" set to off.
[Edit -> Preferences -> Protocols -> TCP]
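Added example (editorial, not from either poster and not Wireshark code): a stand-alone C model of the two things this thread turns on. It keeps a tiny "tcp.port" table, dispatches a segment the way Wireshark's TCP dissector does (the lower of the two port numbers is tried first, then the higher), and parses the 6-byte MYPROTO header in the layout the posted proto_tree_add_item() calls imply. It needs no epan headers. The function names, the table structure and the sample PDU bytes are mine; only the port numbers and the field layout come from the post. With the handle registered on both static ports a segment is accepted in either direction; with only 21016 registered, traffic to 4435 falls through, which is the symptom described in the first message.

```c
/* Added example, not the poster's dissector and not Wireshark source. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MYPROTO_PORT    21016
#define MYPROTO_PORT2   4435
#define MYPROTO_HDR_LEN 6

/* Header fields in the order dissect_myproto() adds them to the tree. */
typedef struct {
    uint8_t  pdu_type;     /* 1 = Query Response, 128 = Control, 255 = Free Format */
    uint16_t sequence;     /* big-endian, as proto_tree_add_item(..., FALSE) reads it */
    uint16_t spid;         /* "AFASP ID" */
    uint8_t  message_type;
} myproto_hdr_t;

/* Returns 1 and fills *hdr, or 0 if the payload is shorter than the header.
   Wireshark would raise a bounds exception here; a stand-alone parser checks. */
int myproto_parse(const uint8_t *buf, size_t len, myproto_hdr_t *hdr)
{
    if (buf == NULL || len < MYPROTO_HDR_LEN)
        return 0;
    hdr->pdu_type     = buf[0];
    hdr->sequence     = (uint16_t)((buf[1] << 8) | buf[2]);
    hdr->spid         = (uint16_t)((buf[3] << 8) | buf[4]);
    hdr->message_type = buf[5];
    return 1;
}

/* A minimal "tcp.port" dissector table: port -> handler (hypothetical model). */
typedef int (*dissector_fn)(const uint8_t *buf, size_t len, myproto_hdr_t *out);
typedef struct { uint16_t port; dissector_fn fn; } port_entry_t;

#define MAX_ENTRIES 8
static port_entry_t g_table[MAX_ENTRIES];
static int          g_entries = 0;

static void table_reset(void) { g_entries = 0; }

/* Stands in for dissector_add("tcp.port", port, handle). */
static int table_add(uint16_t port, dissector_fn fn)
{
    if (g_entries >= MAX_ENTRIES) return 0;
    g_table[g_entries].port = port;
    g_table[g_entries].fn   = fn;
    g_entries++;
    return 1;
}

static dissector_fn table_lookup(uint16_t port)
{
    for (int i = 0; i < g_entries; i++)
        if (g_table[i].port == port) return g_table[i].fn;
    return NULL;
}

/* Models the TCP dissector's port lookup: lower port first, then the higher.
   Returns the port whose handler accepted the segment, or 0 if none did. */
int dispatch_tcp_segment(uint16_t src_port, uint16_t dst_port,
                         const uint8_t *payload, size_t len, myproto_hdr_t *out)
{
    uint16_t low  = src_port < dst_port ? src_port : dst_port;
    uint16_t high = src_port < dst_port ? dst_port : src_port;
    dissector_fn fn;

    if ((fn = table_lookup(low))  != NULL && fn(payload, len, out)) return low;
    if ((fn = table_lookup(high)) != NULL && fn(payload, len, out)) return high;
    return 0;
}

/* Only the first static port registered: the situation the thread starts from. */
void register_myproto_one_port(void)
{
    table_reset();
    table_add(MYPROTO_PORT, myproto_parse);
}

/* Same handle on both static ports, as in the posted proto_reg_handoff_myproto(). */
void register_myproto_both_ports(void)
{
    table_reset();
    table_add(MYPROTO_PORT,  myproto_parse);
    table_add(MYPROTO_PORT2, myproto_parse);
}

/* Constructed sample PDU: Control Message, seq 0x0102, SPID 0xABCD, msg type 7. */
static const uint8_t sample_pdu[] = { 0x80, 0x01, 0x02, 0xAB, 0xCD, 0x07 };

int main(void)
{
    myproto_hdr_t h;
    register_myproto_both_ports();
    /* client ephemeral port 51234 -> server port 4435 */
    int port = dispatch_tcp_segment(51234, MYPROTO_PORT2, sample_pdu, sizeof sample_pdu, &h);
    printf("accepted on port %d: type=0x%02x seq=0x%04x spid=0x%04x msg=%u\n",
           port, h.pdu_type, h.sequence, h.spid, h.message_type);
    return 0;
}
```

The low-port-first order is the practitioner caveat: if the peer's port number is lower than 4435 or 21016 and some other dissector is registered on it, that dissector is offered the segment before this one, whatever you registered.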



___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe