Is there a heuristic dissector I can follow to write my dissector? Can
someone please point me to a sample program or some documentation on this.

Thank you
Neha

On 11/17/06, Neha Chahal <[EMAIL PROTECTED]> wrote:

Thank you !

My capture file just has packets in my protocol format. It does not have
UDP or TCP packets encapsulating other protocols (for now). It is
strictly a binary stream in the LEA format. So I think I should write a
heuristic dissector. Will this work? Right now the TCP/UDP headers are
already stripped off by the application layer. Can I just write a dissector
independent of the UDP/TCP ports/protocol?

And I will move to wireshark. I have already actually.


Thank you
Regards, Neha
On 11/17/06, Guy Harris <[EMAIL PROTECTED]> wrote:
>
>
> On Nov 17, 2006, at 2:53 PM, Neha Chahal wrote:
>
> > I have a dissector and a capture file. I am not capturing packets on
> > the network.
> >
> > This is how I execute tethereal.
> >
> > tethereal -r capture.out -V -T pdml
> >
> > 1. I wrote a module in the wiretap/ dir and tethereal is able to
> > understand the format of my capture file. Here I think the seek_read
> > method is not being called. Isn't this the method that gives the
> > packet to the dissector?
>
> No.
>
> That is one of the *two* methods that are called by the code that,
> after calling those methods and getting packet data, calls the
> top-level dissection code.
>
> The other method is the read method.  Since TShark (which is what you
> should be using, not tethereal; see the parenthetical note below)
> sequentially reads through the capture file, it uses only the read
> method, not the seek_read method.
>
> (Note that any help we give you will be help that pertains to working
> with the latest version of the code, and the latest version is called
> Wireshark, not Ethereal, and the command-line version is called
> TShark, not Tethereal; if you're going to be developing protocols, I
> strongly suggest that you do so with the latest release of Wireshark,
> or with the top-of-tree Subversion tree of Wireshark, rather than with
> the last version of Ethereal that was ever produced.)
>
> > 2. But my problem is that it does not call my dissector.
> >
> >    in the dissector code I have the -->
> > dissector_add("udp.port " , ...) .
> >
> > Question is : I want to use a capture a file not a port to listen on.
>
> The "port" refers to the source and destination port fields in the UDP
> header, not to a network port on which you would be capturing.
>
> That call implies that your protocol runs on top of UDP.  Either
>
>         1) it has a standard UDP port number that it always uses, in
> which case you specify that UDP port number
>
> or
>
>         2) it doesn't have a standard UDP port number, in which case you
> will have to do one of the following:
>
>                 1) write a heuristic dissector that looks at packets and
> tries to determine whether they look like packets for your protocol;
>
>                 2) add a preference setting to your dissector, allowing
> one or more UDP port numbers to be specified, and register it using
> those port numbers (and re-register if that preference is changed) -
> you'd be able to set that preference value from the command line in
> TShark with the "-o" option;
>
>                 3) register it as a UDP dissector with no port number
> and, in a capture, select a packet that you think is a packet for your
> protocol and use the "Decode As" menu item to decode it using your
> dissector - that, obviously, won't work with TShark at all.
>
> > Is there some thing else I need to specify instead of the "
> > udp.port", if I have to what is this ? Does it matter?
>
> See above.
>
>
> > 3. I know my dissector registers with tethereal. But I don't know on
> > what criteria tethereal decides to call my dissector.
>
> See above.  It has to register itself in such a way as to *tell*
> Wireshark or TShark when to call it, for example, by registering as a
> heuristic dissector (in which case it's called if no other dissector
> has dissected it yet, and your dissector either returns FALSE to
> indicate that it's not a packet for your protocol or dissects it and
> returns TRUE to indicate that it is a packet for your protocol), or by
> registering with the "udp.port" dissector table with a particular port
> number (in which case a UDP packet to or from that port number will be
> dissected by your dissector), or by registering it as a UDP dissector
> with no port number (in which case it'll be used to dissect packets if
> you tell Wireshark to do so using Decode As).
>
> > 4. Currently the output with -V option shows the bytes in each frame
> > but the protocol is "data". Also I tried printing some logs in the
> > call_dissector method and saw the current_protocol values to be
> > FRAME, DATA and MATE at runtime. I want this to be my protocol.
> >
> > This is what my output looks like
> >
> >
> >
> > The current protocol is [<Missing Protocol Name>] The protocol is
> > [Frame]: The protocol is [Data]:  The current protocol is [Frame]
> > The protocol is [MATE]:
> > <packet>
> >   <proto name="geninfo" pos="0" showname="General information"
> > size="25">
> >     <field name="num" pos="0" show="15" showname="Number" value="f"
> > size="25"/>
> >     <field name="len" pos="0" show="1149" showname="Packet Length"
> > value="47d" size="25"/>
> >     <field name="caplen" pos="0" show="25" showname="Captured
> > Length" value="19" size="25"/>
> >     <field name="timestamp" pos="0" show="Nov  9, 2006 10:39:
> > 34.000634553" showname="Captured Time" value=" 1163097574.000634553"
> > size="25"/>
> >   </proto>
> >   <proto name="frame" showname="Frame 15 (1149 bytes on wire, 25
> > bytes captured)" size="25" pos="0">
> >     <field name="frame.marked" showname="Frame is marked: False"
> > hide="yes" size="0" pos="0" show="0"/>
> >     <field name="frame.time " showname="Arrival Time: Nov  9, 2006
> > 10:39: 34.000634553" size="0" pos="0" show="Nov  9, 2006
> > 10:39:34.000634553"/>
> >     <field name="frame.time_delta " showname="Time delta from
> > previous packet: 0.000017267 seconds" size="0" pos="0" show="
> > 0.000017267"/>
> >     <field name="frame.time_relative " showname="Time since reference
> > or first frame: 0.000024200 seconds" size="0" pos="0"
> > show="0.000024200"/>
> >     <field name="frame.number" showname="Frame Number: 15" size="0"
> > pos="0" show="15"/>
> >     <field name="frame.pkt_len" showname="Packet Length: 1149 bytes"
> > size="0" pos="0" show="1149"/>
> >     <field name="frame.cap_len" showname="Capture Length: 25 bytes"
> > size="0" pos="0" show="25"/>
> >     <field name="frame.protocols" showname=" Protocols in frame:
> > data" size="0" pos="0" show="data"/>
> >   </proto>
> >   <field name="data"
> > value="85e4c90400095031455375e670001902000d00ce000f0800e6"/>
> > </packet>
> > </pdml>
>
> There's no UDP in there, there's just "data".  Registering with a
> particular UDP port won't do you any good, there - and neither will
> registering as a heuristic dissector for UDP.
>
> What protocols are in the capture file you're reading?
> _______________________________________________
> Wireshark-dev mailing list
> [email protected]
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>



--
Thanks and Regards,
Neha Chahal
Cell- 443 207 0414




--
Thanks and Regards,
Neha Chahal
Cell- 443 207 0414
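The registration options Guy lists (a heuristic dissector that returns FALSE/TRUE, and a `udp.port` registration driven by a preference that can be set with TShark's `-o` and re-registered when it changes), as an added Lua dissector example that is not code from this thread or from the Wireshark project. The 2-byte magic and length field it checks are a constructed placeholder layout, not the real LEA format, and as Guy notes these UDP-based registrations only apply when the capture actually carries a UDP layer.

```lua
-- Added example, not code from the thread or from Wireshark itself.
-- Placeholder wire layout (NOT the real LEA format): 2-byte magic, 2-byte payload length, payload.
local MAGIC = 0x4c45   -- constructed marker value ("LE")
local lea = Proto("lea_example", "LEA example dissector")
local f_magic = ProtoField.uint16("lea_example.magic", "Magic", base.HEX)
local f_len   = ProtoField.uint16("lea_example.len", "Payload length", base.DEC)
local f_body  = ProtoField.bytes("lea_example.body", "Payload")
lea.fields = { f_magic, f_len, f_body }
-- Option 2: a port preference, settable in TShark with
--   tshark -o lea_example.port:5000 -r capture.pcap
lea.prefs.port = Pref.uint("UDP port", 0, "UDP port to decode as LEA (0 = off)")

-- Sanity check used by the heuristic: cheap tests on the first bytes.
local function looks_like_lea(tvb)
  if tvb:len() < 4 or tvb(0, 2):uint() ~= MAGIC then return false end
  -- The length field must fit inside the packet as reported on the wire.
  return tvb(2, 2):uint() <= tvb:reported_len() - 4
end

local function dissect_lea(tvb, pinfo, tree)
  pinfo.cols.protocol = "LEA"
  local st = tree:add(lea, tvb(), "LEA example")
  st:add(f_magic, tvb(0, 2))
  st:add(f_len, tvb(2, 2))
  local len = tvb(2, 2):uint()
  local avail = math.min(len, tvb:len() - 4)  -- only captured bytes go in the tree
  if avail > 0 then st:add(f_body, tvb(4, avail)) end
  return 4 + len
end
lea.dissector = dissect_lea

-- Option 1: heuristic entry point on the "udp" list. Returning false
-- hands the packet back (it then shows as "data"); true means dissected.
local function lea_heur(tvb, pinfo, tree)
  if not looks_like_lea(tvb) then return false end
  dissect_lea(tvb, pinfo, tree)
  return true
end
lea:register_heuristic("udp", lea_heur)

-- Option 2, continued: register on the preferred port and re-register
-- whenever the preference changes (Wireshark calls prefs_changed).
local udp_table = DissectorTable.get("udp.port")
local current_port = 0
function lea.prefs_changed()
  if current_port ~= 0 then udp_table:remove(current_port, lea) end
  current_port = lea.prefs.port
  if current_port ~= 0 then udp_table:add(current_port, lea) end
end
lea.prefs_changed()
```

Drop the file into the Wireshark plugins directory; a packet that the heuristic rejects still shows up as "data", which is the symptom from the output quoted above.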