Tom,

How about something like this:

 

static gboolean dissect_PROTOABBREV(tvbuff_t *tvb, packet_info *pinfo,
                                    proto_tree *tree)
{
    ...

    /* Check the length before reading anything: the tvb_get_* accessors
       throw a bounds exception if asked for an offset the packet does not
       have, so a heuristic must never read a byte it has not confirmed. */
    if ( tvb_length(tvb) < 5 )
        return (FALSE);

1) first byte must be 0x42

    if ( tvb_get_guint8(tvb, 0) != 0x42 )
        return (FALSE);

2) second byte is a type field and only can contain values between
0x20-0x33

    if ( tvb_get_guint8(tvb, 1) < 0x20 || tvb_get_guint8(tvb, 1) > 0x33 )
        return (FALSE);

3) third byte is a flag field, where the lower 4 bits always contain the
value 0

    if ( tvb_get_guint8(tvb, 2) & 0x0f )
        return (FALSE);

4) fourth and fifth bytes contain a 16-bit length field, where the value
can't be longer than 10000 bytes

    /* Assumes network byte order */
    if ( tvb_get_ntohs(tvb, 3) > 10000 )
        return (FALSE);

    /* Assume it's your packet and do dissection */

    return (TRUE);
}

 

And don't forget to register as a heuristic dissector, at least in the
case of udp and tcp.  For ip, you can't simply register as a heuristic
dissector though.  For one thing, the ip header contains a protocol
field, which determines the next dissector to be called.  So, if you
have a protocol with a unique IP protocol ID, then you can register with
that ID as I've shown below.  If that's the case, then you should
probably also change dissect_PROTOABBREV to return int instead of
gboolean since the dissector will be a dual heuristic/normal dissector.
If heuristics fail, still return 0, but if heuristics succeed, then
return the number of bytes dissected by your protocol rather than simply
returning TRUE. 

 

void
proto_reg_handoff_PROTOABBREV(void)
{
    static gboolean PROTOABBREV_inited = FALSE;
    dissector_handle_t PROTOABBREV_handle;

    if ( !PROTOABBREV_inited )
    {
        /* Heuristic registration: tried for udp/tcp payloads that no
           port-based dissector has claimed */
        heur_dissector_add("udp", dissect_PROTOABBREV, proto_PROTOABBREV);
        heur_dissector_add("tcp", dissect_PROTOABBREV, proto_PROTOABBREV);

        /* Normal registration on the IP protocol number; for this the
           dissector must be the int-returning form described above */
        PROTOABBREV_handle =
            new_create_dissector_handle(dissect_PROTOABBREV, proto_PROTOABBREV);
        dissector_add("ip.proto", IP_PROTO_PROTOABBREV, PROTOABBREV_handle);

        PROTOABBREV_inited = TRUE;
    }
}

 

Good luck.

- Chris
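The same four checks as an added stand-alone C example (not code from Chris's post or from Wireshark): it runs against a plain byte buffer instead of a tvbuff_t so it compiles without Wireshark headers, puts the length guard a heuristic needs before any read, and returns 0 / bytes dissected in the dual heuristic/normal style described above. The macro names, the sample frames, and the assumption that the length field counts the payload bytes after the 5-byte header are mine, not from the thread.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not code from the post or from Wireshark. Assumed layout
 * (matching the four conditions): byte 0 magic, byte 1 type, byte 2 flags,
 * bytes 3-4 big-endian length of the payload after the 5-byte header.
 * In a real dissector buf/len come from the tvbuff_t via tvb_get_*(). */
#define PROTO_HDR_LEN   5
#define PROTO_MAGIC     0x42
#define PROTO_TYPE_MIN  0x20
#define PROTO_TYPE_MAX  0x33
#define PROTO_MAX_LEN   10000

/* Returns 1 if the header passes all four checks, else 0. The length
 * guard comes first: tvb_get_* throws a bounds exception when asked for
 * an offset the packet does not have, so never read before checking. */
static int proto_heuristic_matches(const uint8_t *buf, size_t len)
{
    uint16_t plen;
    if (len < PROTO_HDR_LEN)
        return 0;                                /* too short to judge */
    if (buf[0] != PROTO_MAGIC)
        return 0;                                /* 1) magic byte */
    if (buf[1] < PROTO_TYPE_MIN || buf[1] > PROTO_TYPE_MAX)
        return 0;                                /* 2) type range */
    if (buf[2] & 0x0f)
        return 0;                                /* 3) low flag nibble */
    plen = (uint16_t)((buf[3] << 8) | buf[4]);   /* network byte order */
    if (plen > PROTO_MAX_LEN)
        return 0;                                /* 4) length bound */
    return 1;
}

/* Dual heuristic/normal entry point in the style Chris describes: 0 when
 * the heuristics fail, otherwise the number of bytes the PDU occupies
 * (header plus the payload length the header claims). */
static int dissect_proto(const uint8_t *buf, size_t len)
{
    if (!proto_heuristic_matches(buf, len))
        return 0;
    return PROTO_HDR_LEN + ((buf[3] << 8) | buf[4]);
}

/* Constructed sample frames, not taken from any real capture. */
static const uint8_t frame_ok[]      = { 0x42, 0x21, 0x30, 0x00, 0x03, 'a', 'b', 'c' };
static const uint8_t frame_maxlen[]  = { 0x42, 0x33, 0xf0, 0x27, 0x10 }; /* 10000 */
static const uint8_t frame_toolong[] = { 0x42, 0x21, 0x30, 0x27, 0x11 }; /* 10001 */
static const uint8_t frame_badtype[] = { 0x42, 0x34, 0x30, 0x00, 0x03 };
static const uint8_t frame_short[]   = { 0x42, 0x21, 0x30 };
```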

 

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Stevens
Sent: Saturday, August 30, 2008 7:00 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] heuristic Dissector for Dummies

 

Thank you very much for your great explanation. Something I had known
before, but thanks anyway.
Particularly the point "How do these heuristics work?" and your given
example should be very useful for anybody who wants to know how a
heuristic dissector works.

My problem is that I have to write a heuristic dissector on my own.
Hence, I need code snippets or something else that will show me how to
put my ideas (searching patterns) down on paper (C source code).

For example, which lines of code do I need to explain to Wireshark to check
these 4 conditions:

1) first byte must be 0x42
2) second byte is a type field and only can contain values between 0x20
- 0x33
3) third byte is a flag field, where the lower 4 bits always contain the
value 0
4) fourth and fifth bytes contain a 16-bit length field, where the value
can't be longer than 10000 bytes

My protocol should work independently from the underlying (I hope this
is the right word) protocol respectively port numbers.
Look at the picture to see what I mean:
http://farm4.static.flickr.com/3185/2802328059_ed78644686_o.png

Hope you could help me, greetings Tom (Germany)




[snip]

_______________________________________________
Wireshark-dev mailing list
[email protected]
https://wireshark.org/mailman/listinfo/wireshark-dev
