2011/12/6 Andriy Beregovenko <jet@xxxxxxxxxxx>:
> I'm truing to create custom dissector. Data in protocol is crypted with rc4,
> so I use internal implementation of RC4 encription and it works fine. Of
> course I read [0] before writing code :)
> But I got strange behaivor with result displaing. At time of dump loading
> and dissector processing data, all data structures is filled correct(I check
> this using many printf :]).
Wireshark can dissect every single packet a lot of times. The first
time it dissects it while dump loading. Then every time you select the
packet for the inspection. But you must be sure to decrypt all the
packets only once - during the first pass. Keep in mind also that TCP
packets can be reordered but you should decrypt the packets only in
their proper order. You have to write some kind of stateful dissector
with the state assosiated to every packet in the stream. It is rather
hard job for the first dissector. Take a look into SSL of SSH
dissectors to get the idea.
At the time I was writing my own dissector the task of reordering TCP
packets was unsolved in a generic case. I wrote the patch for the tcp
assembler and commited it to the bug tracker. It requires some help
from your (upperlevel) dissector to work but it solved the problem for
me.
--
Max
