Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-dev: Re: [Wireshark-dev] switch between protocols

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 9 Dec 2010 00:26:09 -0800
On Dec 8, 2010, at 11:52 PM, Lange Jan-Erik wrote:

> I realized the behavior using a heuristic dissector now and it works. In my case it is a low level protocol, that doesn't even base on ethernet. I use wtab_encap for reading.
> 
> But the method with the dissector handoff table sounds interesting to me. Unfortunatley I dont have any information about realizing this in my code. In the readme.DELEVOPER I didn't found advanced dissecting techniques like this. There are only simple dissectors described.

Unfortunately, we don't document that in any of the README files.

> Do you know which file an example of such a "dissector handoff table" contains?

packet-udp.c:

	udp_dissector_table = register_dissector_table("udp.port",
	    "UDP port", FT_UINT16, BASE_DEC);

creates a dissector table named "udp.port", with the UI name "UDP port", the key for which is an unsigned integer (assumed to be 16-bit - it could be longer), which would be displayed in decimal if the table is shown in the GUI.

  if (low_port != 0 &&
      dissector_try_port(udp_dissector_table, low_port, next_tvb, pinfo, tree))
    return;
  if (high_port != 0 &&
      dissector_try_port(udp_dissector_table, high_port, next_tvb, pinfo, tree))
    return;

is in the code in the UDP dissector that hands off to the next dissector.  low_port and high_port are, respectively, the lower-valued and higher-valued ports - if the source port is > the destination port, the destination port is low_port and the source port is high_port, whereas if the source port is < the destination port, the source port is low_port and the destination port is high_port.  This also works when there's a single value; see, for example, packet-ethertype.c:

	ethertype_dissector_table = register_dissector_table("ethertype",
	    "Ethertype", FT_UINT16, BASE_HEX);

which creates a dissector table named "ethertype", with the UI name "Ethertype", the key for which is, again, an unsigned integer assumed to be 16-bit, but which would be displayed in hex.

		dissector_found = dissector_try_port(ethertype_dissector_table,
		    etype, next_tvb, pinfo, tree);

is in the code that hands off to the next dissector for an Ethertype (this is used not only in the Ethernet dissector but in other dissectors).  etype is the Ethernet type value.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube