On Apr 23, 2009, at 1:35 PM, Andrew Kleinerman wrote:

> My current project is integrating a small protocol into Wireshark for
> analysis and I feel a little out of my depth. The protocol is sent
> over TCP on a non-standard port and uses the Sun XDR RPC. I went
> through the step-by-step guide of creating a basic dissector, and
> Wireshark will recognize it as the new protocol.

The step-by-step guide doesn't apply to ONC RPC-based protocols; they work differently.

> However, my problem is that I cannot call dissect_rpc or dissect_rpc_tcp from my dissector
> (I'm assuming for some good reason) to dissect the RPC. So I'm
> guessing I have to make the RPC dissector properly see it on a
> different port (is that right?).

No - as per my reply to your previous message, you don't call the RPC dissector, the RPC dissector calls you. It will heuristically recognize traffic for your protocol on whatever port it appears.

> FOO_HEADER:
> #define FOO_HEADER 0xaa

You're using 0xaa as the program number for your protocol?

> I read in the archives
> (http://www.ethereal.com/lists/ethereal-dev/199911/msg00094.html) that
> it's necessary to make sure the proper header is in COL_PROTOCOL, is
> that correct? As in, the packet is identified as an RPC first and
> then the RPC dissector looks to find if the header inside matches any
> it knows about?

That mail was only talking about how the "Protocol" column's text is set, not about the way the RPC dissector recognizes something as being your protocol. (And we did end up changing things - the Protocol column is now set, for ONC RPC-based protocols, from the "short name" for the protocol, rather than its "filter name". For example, the short name for the NIS server protocol is "YPSERV", and the filter name is "ypserv", so the Protocol column says "YPSERV" but you filter for those packets using "ypserv".)

And, yes, the packet is identified as an RPC first and then looks to see if the program number is one of the ones that was registered with it by rpc_init_prog() and, if so, checks whether a program table exists for the version number and, if it finds one, looks for an entry in the program table for the procedure number.

> If so, how do you direct the RPC dissector to look on
> a different port, or are packets on all ports heuristically checked
> with all dissectors?
Packets on all UDP and TCP ports are heuristically checked by the ONC RPC dissector.
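As an added illustration, not part of the original message and not Wireshark's own code: a self-contained C model of the lookup chain described above (RPC call header first, then registered program number, then the per-version procedure table, then the procedure entry), with the TCP record mark framing the call. The program number FOO_PROGRAM, the procedure names and the `registry` array standing in for rpc_init_prog() registration are all assumed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the lookup chain: registered program -> version table ->
 * procedure entry. FOO_PROGRAM is a made-up program number; not Wireshark code. */
#define FOO_PROGRAM 0x20000042u
typedef struct { uint32_t proc; const char *name; } proc_entry;
typedef struct { uint32_t vers; const proc_entry *procs; } vers_table;  /* one per version */
typedef struct { uint32_t prog; const vers_table *vers; size_t nvers; } prog_reg;

static const proc_entry foo_v1_procs[] = { {0, "NULL"}, {1, "FOO_PING"}, {0, NULL} };
static const vers_table foo_vers[] = { {1, foo_v1_procs} };
static const prog_reg registry[] = { {FOO_PROGRAM, foo_vers, 1} };  /* plays rpc_init_prog() */
static void put32(uint8_t *p, uint32_t v) { p[0]=(uint8_t)(v>>24); p[1]=(uint8_t)(v>>16); p[2]=(uint8_t)(v>>8); p[3]=(uint8_t)v; }
static uint32_t get32(const uint8_t *p) { return (uint32_t)p[0]<<24 | (uint32_t)p[1]<<16 | (uint32_t)p[2]<<8 | p[3]; }

/* Build one RPC v2 CALL (RFC 5531) with AUTH_NONE cred/verf, framed with the TCP
 * record mark (high bit = last fragment, low 31 bits = length). Returns 44 bytes. */
size_t build_call(uint8_t out[44], uint32_t xid, uint32_t prog, uint32_t vers, uint32_t proc) {
    uint32_t fields[] = { xid, 0 /* CALL */, 2 /* rpcvers */, prog, vers, proc, 0, 0, 0, 0 };
    put32(out, 0x80000000u | 40);
    for (size_t i = 0; i < 10; i++) put32(out + 4 + 4 * i, fields[i]);
    return 44;
}

/* Procedure name if the record is an RPC v2 CALL for a registered program/version/proc,
 * else NULL: identified as RPC first, then prog, then version table, then procedure. */
const char *rpc_dispatch(const uint8_t *rec, size_t len) {
    if (len < 44) return NULL;
    uint32_t mark = get32(rec);
    if (!(mark & 0x80000000u) || (mark & 0x7fffffffu) != len - 4) return NULL;
    const uint8_t *m = rec + 4;
    if (get32(m + 4) != 0 || get32(m + 8) != 2) return NULL;  /* msg_type CALL, rpcvers 2 */
    uint32_t prog = get32(m + 12), vers = get32(m + 16), proc = get32(m + 20);
    for (size_t i = 0; i < sizeof registry / sizeof *registry; i++) {
        if (registry[i].prog != prog) continue;
        for (size_t v = 0; v < registry[i].nvers; v++) {
            if (registry[i].vers[v].vers != vers) continue;
            for (const proc_entry *e = registry[i].vers[v].procs; e->name; e++)
                if (e->proc == proc) return e->name;
        }
    }
    return NULL;
}

/* Convenience: build a call and run it through the dispatcher. */
const char *lookup_call(uint32_t prog, uint32_t vers, uint32_t proc) {
    uint8_t rec[44];
    return rpc_dispatch(rec, build_call(rec, 7, prog, vers, proc));
}
```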
