Wireshark-dev: [Wireshark-dev] Handing off payloads to the TCP dissector?
From: Tyson Key <[email protected]>
Date: Sun, 19 Jun 2011 01:59:21 +0100
Hi folks,

I'm currently in the process of writing a dissector for Apple's USBMUX protocol (which encapsulates TCP frames with a non-IP-based 8 byte header), as used by their seemingly ubiquitous iProduct family.

So far, I've managed to dissect the "TCP port" and packet length portions of the header - although I'm struggling to actually deal with the TCP payload (which is obviously the interesting bit). I don't see any reason as to why it shouldn't be possible though, given that I can extract the payload from a USB packet and use it to create a trace file with text2pcap plus a custom user-defined DLT value, which can be parsed in Wireshark by adding a new DLT_USER rule that skips the 8 byte preamble...

Having looked at the IPv4 and TCP dissectors for inspiration, I decided to add "dissector_add_uint("usbmux.data", IP_PROTO_TCP, tcp_handle);" to the "proto_reg_handoff_tcp(void)" method in packet-tcp.c - which results in a successful build; although Wireshark bails out during launch with "ERROR:packet.c:719:dissector_add_uint: assertion failed: (sub_dissectors)"). I've also attempted to remove "IP_PROTO_TCP" from the aforementioned addition - although it predictably causes a build error.

I've also briefly skimmed the header files for the IPv4 and TCP dissectors, and planned on trying tcp_dissect_pdus() - although I (probably misleadingly) get the impression that it relates to an internal mechanism for parsing chunks of packets by higher-level (than IP or TCP itself) dissectors, instead.

Any thoughts from others who are more experienced with that portion of the codebase?


Thanks in advance,

Tyson.

--
                                          Fight Internet Censorship! http://www.eff.org
http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon | 00447934365844