Thanks, this may prove helpful. I am using 0.99.3 though; are the differences
so profound that I should upgrade? (I would also have to build it myself since
I've already written a plugin that I also use for another purpose.)

I did notice upon further inspection that the traffic is "encapsulated"; in
other words, after the initial UDP packet headers I have approximately 5 bytes
of data and then it appears it may be IP and UDP header stuff again. I am
still trying to figure it out, but being "encapsulated" makes sense since it is
a VPN tunnel. I thought it was PPP but now I am not so sure.

I think I need a little further analysis before I can determine the appropriate
approach, but thanks a lot for your input. I'm sure it will come in handy.

Regards,
Bill

Douglas Pratley <[EMAIL PROTECTED]> wrote:

I'm looking at a similar thing at the moment with a view to adding some UI
features allowing a more arbitrary selection of protocol in "decode as", but
anything I do will be a few weeks away.

If you're running 0.99.4 and you're happy to look at the code to work out how
the particular dissectors are working, and to write Lua macros, then you might
be able to do something by manipulating the dissector tables using Lua.

Look at
http://wiki.wireshark.org/Lua
http://wiki.wireshark.org/Lua/Dissector

_If_ you can identify the protocol you want to direct the packets to (PPP?),
_and_ the one that you are directing from (UDP?), you might be able to set UDP
port <x> to dissect as PPP.

Failing that, if you can just add the PPP dissector to the underlying
protocol's heuristics table (if it has one), I think it will appear in the
"decode as" list.

This is all a bit vague because I have just started looking at this; it may
or may not work, and I don't know if it's the sort of hackery you're looking
for.

---------------------------------
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Fassler
Sent: 08 December 2006 22:58
To: Community support list for Wireshark
Subject: [Wireshark-users] openvpn and packet sniffing


 
I have tried both suggestions for me to view the RTP/SIP/SDP traffic contained
in the UDP packets travelling through an OpenVPN tunnel. Neither worked, for
this reason: the payload of the UDP packets does indeed contain such traffic as
RTP, SIP etc. as appropriate, but they are all preceded by a tunneling
protocol. In my case it appears to be PPP. I cannot use "Decode as" because
in the transport options PPP is not listed. This is unfortunate because
obviously there are dissectors or plugins in the Wireshark software that will
do the trick, but I don't seem to have them available to dissect the protocol
when it is in the payload instead of the link layer. I am trying to confirm
that the protocol is indeed PPP. In the meantime, is there any way to add more
options to the "decode as" within the transport layer?

Bill
  _______________________________________________
Wireshark-users mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-users
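The "set UDP port <x> to dissect as PPP" idea from Douglas's reply, written out as a Lua script. This is an added example, not code from the thread or from the Wireshark project, and it assumes a current Wireshark Lua API (the Proto/DissectorTable calls here postdate the 0.99 series); the port number, the inner dissector name and the number of leading tunnel-header bytes are placeholders to adjust from your own capture.

```lua
-- Added example: route one UDP port's payload to an existing Wireshark
-- dissector. Two cases are covered: the payload starts directly with the
-- inner protocol, or (as Bill observed) a few tunnel-header bytes precede it.
local TUNNEL_PORT     = 1194   -- placeholder: the OpenVPN UDP port in your capture
local INNER_DISSECTOR = "ppp"  -- placeholder: or "ip" if the inner header is IP
local SKIP_BYTES      = 5      -- placeholder: leading bytes before the inner header

-- Case 1: nothing precedes the inner protocol. Hand the port straight to
-- the existing dissector; no glue protocol is needed.
-- DissectorTable.get("udp.port"):add(TUNNEL_PORT, Dissector.get(INNER_DISSECTOR))

-- Case 2: a small tunnel header precedes the inner protocol. Wrap it in a
-- minimal protocol that displays the header bytes and then calls the inner
-- dissector on the remainder of the packet.
local tunnel_proto = Proto("vpntun", "VPN tunnel header (example)")
local f_hdr = ProtoField.bytes("vpntun.header", "Tunnel header")
tunnel_proto.fields = { f_hdr }

function tunnel_proto.dissector(tvb, pinfo, tree)
    -- Too short to hold a header plus payload: leave it as plain UDP data.
    if tvb:len() <= SKIP_BYTES then
        return 0
    end
    local subtree = tree:add(tunnel_proto, tvb(0, SKIP_BYTES))
    subtree:add(f_hdr, tvb(0, SKIP_BYTES))

    -- Dissector.get() raises an error if the name is unknown, which is a
    -- quick way to check that the inner dissector actually exists.
    local inner = Dissector.get(INNER_DISSECTOR)
    -- The inner dissector (PPP or IP) then chains on to UDP, RTP, SIP, etc.
    inner:call(tvb(SKIP_BYTES):tvb(), pinfo, tree)
    return tvb:len()
end

-- Register on the UDP port dissector table; "Decode As" shows the entry too.
DissectorTable.get("udp.port"):add(TUNNEL_PORT, tunnel_proto)
```

Drop the file in the Wireshark plugins directory (or load it with -X lua_script:file.lua) and compare the tree against a known packet; if the inner bytes do not start with the expected PPP or IP header, adjust SKIP_BYTES rather than the dissector.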