Thank you very much! I appreciate the advice/clarifications, I'll dig into packet-rwall :-)
Andrew

On Thu, Apr 23, 2009 at 1:47 PM, Guy Harris <[email protected]> wrote:
>
> On Apr 23, 2009, at 1:24 PM, Andrew Kleinerman wrote:
>
>> My current project is integrating a small protocol into Wireshark for
>> analysis and I feel a little out of my depth. The protocol is sent
>> over TCP on a non-standard port and uses the Sun XDR RPC.
>
> Do you mean "use XDR" or "use RPC"?
>
> If you're just using XDR, take a look at the NDMP dissector
> (epan/dissectors/packet-ndmp.c); that's an example of a protocol using XDR
> *without* being based on ONC RPC.
>
> If you use RPC...
>
>> I went through the step-by-step guide of creating a basic dissector, and
>> Wireshark will recognize it as the new protocol. However, my problem
>> is that I cannot call dissect_rpc or dissect_rpc_tcp from my dissector
>> (I'm assuming for some good reason) to dissect the RPC.
>
> ...then, in Soviet Wireshark, RPC dissector calls YOU! (Sorry, I
> couldn't resist. :-))
>
> I.e., if your dissector uses ONC RPC, when your dissector registers
> its program number (with rpc_init_prog()) and its handlers for its
> procedures (with rpc_init_proc_table()), that tells the RPC dissector
> how to recognize your protocol; it will call the handlers for your
> procedures when it recognizes a call to or reply from one of them.
>
> See, for example, epan/dissectors/packet-rwall.c.
>
>> So I'm guessing I have to make the RPC dissector properly see it on a
>> different port (is that right?).
>
> No. The RPC dissector will handle that for you - it doesn't care what
> port the traffic uses, as the only ONC RPC-based protocol that
> *requires* a particular port number is the portmapper/rpcbind protocol
> (because it's the protocol that's used to find the particular port
> number/transport-layer address, on a particular server, that a
> particular RPC program uses).
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
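The registration model Guy describes (a program number registered with rpc_init_prog(), a per-procedure handler table registered with rpc_init_proc_table(), and the RPC layer dispatching on program/version/procedure rather than on TCP port) can be seen end to end in a stand-alone parser. The following C program is an added example written for this thread; it is not code from the thread, from packet-rwall.c, or from Wireshark's epan library. It parses one ONC RPC call record as carried over TCP (4-byte record mark, then the call header, credentials and verifier), looks up the program and procedure in small tables that play the role of rpc_init_prog() and the vsff array, and hands the argument bytes to the matched handler. The rwall identifiers (program 100008, version 1, procedure WALL = 1) come from rpcsvc/rwall.x; the xdr_t cursor, the table struct names and the sample bytes are constructed here. Inside Wireshark the tvb_* accessors throw on short reads, so a dissector rarely writes such checks itself; this example makes them explicit because the record-mark length and every XDR string length come straight from the wire.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* rwall's RPC identifiers, as declared in rpcsvc/rwall.x */
#define WALLPROG      100008u
#define WALLVERS      1u
#define WALLPROC_WALL 1u

#define RPC_MSG_CALL  0u
#define RPC_VERSION   2u
#define LAST_FRAGMENT 0x80000000u   /* high bit of the TCP record mark */

/* Cursor over an XDR byte stream; every read is bounds-checked against len. */
typedef struct { const uint8_t *buf; size_t len; size_t off; } xdr_t;

static int xdr_u32(xdr_t *x, uint32_t *out) {
    const uint8_t *p = x->buf + x->off;
    if (x->len - x->off < 4) return 0;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    x->off += 4;
    return 1;
}

/* Skip an XDR opaque/string body: n bytes padded to a 4-byte boundary.
 * n comes from the wire, so it is compared with what remains before use. */
static int xdr_skip(xdr_t *x, uint32_t n) {
    if (n > x->len - x->off) return 0;
    size_t padded = ((size_t)n + 3) & ~(size_t)3;
    if (padded > x->len - x->off) return 0;
    x->off += padded;
    return 1;
}

/* XDR string copied into a NUL-terminated buffer of capacity cap. */
static int xdr_string(xdr_t *x, char *dst, size_t cap) {
    uint32_t n;
    if (!xdr_u32(x, &n) || n >= cap || n > x->len - x->off) return 0;
    memcpy(dst, x->buf + x->off, n);
    dst[n] = '\0';
    return xdr_skip(x, n);
}

typedef int (*call_handler_t)(xdr_t *args, char *out, size_t cap);

/* One procedure entry: the stand-alone analogue of the vsff array that a
 * Wireshark dissector hands to rpc_init_proc_table(). */
typedef struct { uint32_t proc; const char *name; call_handler_t call; } proc_entry_t;

/* WALLPROC_WALL carries a single XDR string: the message to broadcast. */
static int wall_call(xdr_t *args, char *out, size_t cap) { return xdr_string(args, out, cap); }

static const proc_entry_t wall_v1_procs[] = { { WALLPROC_WALL, "WALL", wall_call } };

/* Program registration, the analogue of rpc_init_prog(): the dispatcher
 * matches on (program, version) from the call header, never on TCP port. */
typedef struct { uint32_t prog, vers; const proc_entry_t *procs; size_t nprocs; } prog_entry_t;
static const prog_entry_t programs[] = {
    { WALLPROG, WALLVERS, wall_v1_procs, sizeof wall_v1_procs / sizeof wall_v1_procs[0] },
};

/* Parse one RPC-over-TCP record (record mark + call message) and hand the
 * argument bytes to the registered handler. Returns 1 on success; *procname
 * then names the matched procedure and out holds its decoded argument. */
int dispatch_rpc_tcp_record(const uint8_t *buf, size_t len, const char **procname, char *out, size_t cap) {
    xdr_t x = { buf, len, 0 };
    uint32_t mark, hdr[6], flavor, alen;   /* hdr: xid, mtype, rpcvers, prog, vers, proc */
    if (!xdr_u32(&x, &mark) || !(mark & LAST_FRAGMENT)) return 0;  /* single-fragment records only */
    size_t frag = mark & 0x7fffffffu;
    if (frag > len - 4) return 0;          /* record mark claims more bytes than were received */
    x.len = 4 + frag;                      /* confine every later read to this record */
    for (int i = 0; i < 6; i++) if (!xdr_u32(&x, &hdr[i])) return 0;
    if (hdr[1] != RPC_MSG_CALL || hdr[2] != RPC_VERSION) return 0;
    for (int i = 0; i < 2; i++)            /* cred and verf: opaque_auth = flavor + opaque body */
        if (!xdr_u32(&x, &flavor) || !xdr_u32(&x, &alen) || !xdr_skip(&x, alen)) return 0;
    for (size_t i = 0; i < sizeof programs / sizeof programs[0]; i++) {
        if (programs[i].prog != hdr[3] || programs[i].vers != hdr[4]) continue;
        for (size_t j = 0; j < programs[i].nprocs; j++)
            if (programs[i].procs[j].proc == hdr[5]) {
                *procname = programs[i].procs[j].name;
                return programs[i].procs[j].call(&x, out, cap);
            }
    }
    return 0;   /* nothing registered for this program/version/procedure */
}

/* Constructed sample (not captured traffic): one TCP record carrying
 * WALLPROG v1 WALL("hi") with AUTH_NULL credentials and verifier. */
const uint8_t sample_wall_call[] = {
    0x80,0x00,0x00,0x30,                        /* record mark: last fragment, 48 bytes follow */
    0x00,0x00,0x00,0x01,                        /* xid */
    0x00,0x00,0x00,0x00,                        /* msg_type CALL */
    0x00,0x00,0x00,0x02,                        /* rpcvers 2 */
    0x00,0x01,0x86,0xa8,                        /* prog 100008 (WALLPROG) */
    0x00,0x00,0x00,0x01,                        /* vers 1 */
    0x00,0x00,0x00,0x01,                        /* proc 1 (WALLPROC_WALL) */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,   /* cred: AUTH_NULL, length 0 */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,   /* verf: AUTH_NULL, length 0 */
    0x00,0x00,0x00,0x02, 'h','i',0x00,0x00,     /* string "hi", padded to 4 bytes */
};
const size_t sample_wall_call_len = sizeof sample_wall_call;

int main(void) {
    const char *name = NULL;
    char msg[64];
    if (dispatch_rpc_tcp_record(sample_wall_call, sample_wall_call_len, &name, msg, sizeof msg))
        printf("%s(\"%s\")\n", name, msg);
    /* A record cut short is rejected by the record-mark check rather than read past the end. */
    printf("truncated: %d\n", dispatch_rpc_tcp_record(sample_wall_call, 40, &name, msg, sizeof msg));
    return 0;
}
```

Two points carry over directly to a real dissector: the TCP port never enters the lookup, which is why the RPC layer can find your protocol on a non-standard port once the program number is registered, and the handler only ever sees the argument bytes after the RPC layer has consumed the header and authentication fields, which is what the per-procedure functions in packet-rwall.c are written against.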
