Wireshark-dev: Re: [Wireshark-dev] Correct way of adding a HTTP subdissector on port 80 with no
From: Tarjei Knapstad <[email protected]>
Date: Tue, 20 Jul 2010 13:32:59 +0200
On 20 July 2010 11:44, Guy Harris <[email protected]> wrote:
>
> On Jul 19, 2010, at 8:27 AM, Tarjei Knapstad wrote:
>
>> After some more digging I found that the HTTP dissector does not
>> search for and call subdissectors if there are no unprocessed bytes
>> left in the packet. Does this mean that it's impossible to do any
>> custom processing of HTTP GET requests in a subdissector,
>
> Yes.
>
> What sort of custom processing are you trying to do?

I've written a dissector that is sort of a meta protocol for network
traffic related to a specific set of applications. It currently
extracts data from various XML payloads (and computes some values
which I add to my meta-protocol to make this traffic easier to
filter). For the GET requests I would like to inspect the URI and
categorize the calls made ( typically "GET
/app/something?cmd=somecommand" ) and possibly also inspect the
cookie. For the XML payloads my current solution looks like this:

- added DTD's for the XML media types I want to dissect
- unregistered the XML dissector for those media types and registered
my dissector instead in my dissectors handoff:
   dissector_delete_string("media_type", "application/something+xml",
xml_handle);
   dissector_add_string("media_type", "application/something+xml", my_handle);
- made sure the handoff for my dissector is called last in register.c
for the above to have any effect
- in my dissector I then call the XML dissector as a "pre-dissector",
then extract some values from the XML as well as compute some new ones
and add those to my protocol tree

The DTD's aren't strictly necessary, but it's nice to have the option
of filtering on tags etc. in the XML as well.

I guess this "meta dissector" or "interception dissector" of mine
doesn't fit too well into the Wireshark architecture, but it does work
quite nicely after patching the generated register.c to hijack a
subset of the XML media types, and now packet.c to make
dissector_delete behave the way I expected it to (see previous reply
to Stig). In the same way I now receive all the tcp.port 80 traffic,
can call the HTTP dissector from my dissector and then add further
metadata if it's one of "my" packets.

Regards,
Tarjei