Wireshark-dev: Re: [Wireshark-dev] Duplicating TCP dissector
From: Tyson Key <[email protected]>
Date: Thu, 30 Jun 2011 15:30:30 +0100
Hi Randy,

Whilst it's probably not the best way, you might want to investigate the technique that I used when developing a dissector for Apple's USBMUX protocol (which is used to transport TCP data over USB, without IP framing of any kind).

See bug #6045 on bugs.wireshark.org for the code, and feel free to comment.

I hope that helps,

Tyson.

On 29 June 2011 23:52, Randy Buck <[email protected]> wrote:
Hi,

I am building many new versions of TCP in user space.  All packet headers are the same (IP, then TCP).  The packets will be sent/received over raw sockets.  So that I can separate my TCP versions from the actual kernel TCP, I am using other protocol numbers besides 6.  I wish to view these traces in Wireshark to ensure that the implementations are correct.  I am logging all packets to a pcap file and am able to view them fine in Wireshark.  The issue at hand is that Wireshark will only recognize TCP packets if the protocol number in the IP header is 6.  I wish to view these packets as a TCP trace in Wireshark.  As far as I see it, I have a couple of options:

1. Change the source such that it will recognize the protocol numbers that I wish to view as TCP.  I have already changed the IP_PROTO_TCP macro in epan/ipproto.h to one of the protocol numbers that I am using, recompiled and successfully viewed the trace.  I can see how I could modify all places this macro is being used and check for all versions that I have.  This approach is neither very clean nor easily extensible for new protocols and could potentially break something if multiple flows evaluated to the same protocol.  I have also thought of changing the macro to a global variable which is set via a command line option.  This would limit Wireshark to only recognizing one type of flow at a time, which is okay, but not perfect.

2. Use a dissector to duplicate the TCP dissector that exists.  The problem here is that I am not sure if writing a dissector for a TCP implementation that I am using will still allow me to use the graphing, following, etc. of TCP traces.  (This is some of the main functionality that I would like.)

I am open to other suggestions, but my question is: what is the best way to view TCP packets/traces in Wireshark that do not use protocol 6 in the IP header?

--
Randy Buck

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:[email protected]?subject=unsubscribe



--
                                          Fight Internet Censorship! http://www.eff.org
http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon | 00447934365844
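The approach Randy's option 2 asks about, as an added example that is not part of this thread and not Tyson's USBMUX code: instead of duplicating the TCP dissector, a small Lua script registers one thin wrapper protocol per experimental IP protocol number in Wireshark's "ip.proto" dissector table and hands the segment straight to the built-in TCP dissector. Because the real TCP dissector runs, conversation tracking, Follow TCP Stream, sequence-number analysis and the TCP graphs all work, and each variant still gets its own display-filter name so flows from different implementations can be told apart. The protocol numbers 253 and 254 (the RFC 3692 experimental values) and the variant names are assumptions for the example; substitute the numbers the user-space stacks actually emit.

```lua
-- tcp_variants.lua: added example, not code from the thread or from Wireshark.
-- Load it with:  wireshark -X lua_script:tcp_variants.lua capture.pcap
-- or copy it into the personal Lua plugins directory.

-- ASSUMPTION: the user-space TCP implementations send with these IP protocol
-- numbers. 253/254 are the RFC 3692 experimental values; replace as needed.
-- Keys are ip.proto values, values are the display-filter names to expose.
local tcp_variants = {
    [253] = "tcp_variant_a",
    [254] = "tcp_variant_b",
}

-- The real TCP dissector that ships with Wireshark.
local tcp_dissector = Dissector.get("tcp")

-- Table that the IPv4/IPv6 dissectors consult with the protocol-number field.
local ip_proto_table = DissectorTable.get("ip.proto")

for proto_num, filter_name in pairs(tcp_variants) do
    local wrapper = Proto(filter_name, "TCP variant on IP protocol " .. proto_num)

    wrapper.dissector = function(tvb, pinfo, tree)
        -- Tag the packet so "tcp_variant_a" etc. work as display filters and
        -- so the variant shows up in the protocol tree.
        tree:add(wrapper, tvb())
        -- Hand the whole segment to the genuine TCP dissector. It sees the
        -- same addresses/ports it would for protocol 6, so stream following,
        -- analysis flags and graphs behave as for normal TCP.
        tcp_dissector:call(tvb, pinfo, tree)
    end

    -- Registering here overrides whatever, if anything, was bound to that
    -- number, so restrict the list to numbers nothing else in the captures uses.
    ip_proto_table:add(proto_num, wrapper)
end
```

If the per-variant filter names are not needed, the loop body can simply be `ip_proto_table:add(proto_num, tcp_dissector)`; for a one-off look at a capture without any script, tshark's `-d ip.proto==253,tcp` (repeatable for each number) does the same binding from the command line.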