Wireshark mailing list archives

Re: Changing dissector based on TCP options


From: didier <dgautheron () magic fr>
Date: Wed, 01 Sep 2010 07:03:11 +0200

Hi,
On Monday 30 August 2010 at 21:33 +1000, Edwin Groothuis wrote:
> Hello,
>
> I have been fighting with find_conversation(), conversation_new()
> and conversation_set_dissector() to find a way to change the
> TCP payload dissector based on the data in the TCP dissector. All
> of it comes from sections 2.2, 2.3 and 2.4 of README.developer.
>
> Programming-wise it all works, output-wise it doesn't. And now I'm
> wondering if what I want is possible or not.
>
> Short version: If a certain TCP option exists, then the content of
> the TCP payload is not the "well-known" payload associated with the
> TCP port number. So even if the TCP port number is port 80, it still
> isn't HTTP traffic. How do you know? Because there is a TCP option
> which tells me "this is not HTTP, this is an internal protocol".
>
> In dissect_tcpopt_ourinternal(), I have the following code. Shouldn't
> be too difficult: Get the dissector handle, find the conversation,
> set the new dissector for that conversation:
>
>     conversation_t *conversation;
>     /* dissector_handle_t is already a pointer type; no extra '*' */
>     static dissector_handle_t ourinternal_handle = NULL;
>
>     /*
>      * We need to map this TCP session on our own dissector instead of what
>      * Wireshark thinks runs on these ports - Edwin
>      */
>     if (ourinternal_handle == NULL) {
>         fprintf(stderr, "Finding ourinternal dissector\n");
>         ourinternal_handle = find_dissector("ourinternal");
>     }
>     if (ourinternal_handle != NULL) {
>         fprintf(stderr, "Setting ourinternal dissector? ");
>         conversation = find_conversation(pinfo->fd->num,
>             &pinfo->src, &pinfo->dst, pinfo->ipproto,
I think pinfo->ipproto isn't the right value, can you try with
pinfo->ptype?

Didier


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
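Why the lookup key matters, as an added example that is not part of the thread and not Wireshark's code: the TCP dissector creates its conversations with conversation_new() keyed by pinfo->ptype (PT_TCP), and when it later picks a payload dissector it first asks the conversation table for a dissector set on that same (address pair, PT_TCP, port pair) key before consulting the port table. A find_conversation() call that passes pinfo->ipproto (6 for TCP) instead of PT_TCP is looking for a key nobody created, returns NULL, and the rebinding never happens. The self-contained model below re-enacts that with a tiny conversation table; the PT_* values, IP_PROTO_TCP, the string-named dissector handles, the flow addresses and the port-table stand-in are all constructed for the model.

```c
/* Added example: a model of conversation-table keying, not Wireshark's
 * implementation. Names and values below are assumptions for the model. */
#include <stdio.h>
#include <string.h>

enum { PT_NONE = 0, PT_SCTP = 1, PT_TCP = 2, PT_UDP = 3 }; /* port_type-style values */
#define IP_PROTO_TCP 6                                       /* what pinfo->ipproto holds for TCP */

typedef const char *dissector_handle_t;   /* model: a handle is just a dissector name */

typedef struct {
    char addr_a[16], addr_b[16];
    int  ptype;                           /* part of the key, like Wireshark's port_type */
    unsigned port_a, port_b;
    dissector_handle_t dissector;         /* set by conversation_set_dissector() */
} conversation_t;

static conversation_t table[8];
static int ntable;

/* conversation_new(): store the key exactly as the creating dissector passes it. */
static conversation_t *conversation_new(const char *a, const char *b, int ptype,
                                        unsigned pa, unsigned pb)
{
    conversation_t *c = &table[ntable++];
    snprintf(c->addr_a, sizeof c->addr_a, "%s", a);
    snprintf(c->addr_b, sizeof c->addr_b, "%s", b);
    c->ptype = ptype; c->port_a = pa; c->port_b = pb; c->dissector = NULL;
    return c;
}

/* find_conversation(): direction-insensitive match; ptype must agree too. */
static conversation_t *find_conversation(const char *a, const char *b, int ptype,
                                         unsigned pa, unsigned pb)
{
    for (int i = 0; i < ntable; i++) {
        conversation_t *c = &table[i];
        if (c->ptype != ptype) continue;
        if ((!strcmp(c->addr_a, a) && !strcmp(c->addr_b, b) && c->port_a == pa && c->port_b == pb) ||
            (!strcmp(c->addr_a, b) && !strcmp(c->addr_b, a) && c->port_a == pb && c->port_b == pa))
            return c;
    }
    return NULL;
}

static void conversation_set_dissector(conversation_t *c, dissector_handle_t h) { c->dissector = h; }

/* decode_tcp_ports(): a dissector bound to the conversation wins over the
 * port table, the same order the TCP dissector uses. */
static dissector_handle_t decode_tcp_ports(const char *src, const char *dst,
                                           unsigned sport, unsigned dport)
{
    conversation_t *c = find_conversation(src, dst, PT_TCP, sport, dport);
    if (c && c->dissector) return c->dissector;
    return (sport == 80 || dport == 80) ? "http" : "data";  /* port-table stand-in */
}

/* Re-enact the thread on a constructed flow 10.0.0.1:40000 <-> 10.0.0.2:80:
 * TCP creates the conversation keyed PT_TCP, the option handler looks it up
 * with `ptype` and rebinds it if found. Returns the dissector the reply
 * direction's payload ends up with. */
static dissector_handle_t run_option_handler(int ptype)
{
    ntable = 0;
    conversation_new("10.0.0.1", "10.0.0.2", PT_TCP, 40000, 80);
    conversation_t *c = find_conversation("10.0.0.1", "10.0.0.2", ptype, 40000, 80);
    if (c) conversation_set_dissector(c, "ourinternal");
    return decode_tcp_ports("10.0.0.2", "10.0.0.1", 80, 40000);
}

int main(void)
{
    printf("lookup with ipproto (6):    payload goes to %s\n", run_option_handler(IP_PROTO_TCP));
    printf("lookup with ptype (PT_TCP): payload goes to %s\n", run_option_handler(PT_TCP));
    return 0;
}
```

The first call models Edwin's snippet as posted and the payload still lands on the port-80 dissector; the second models Didier's suggestion and the rebinding takes hold for the rest of the flow in both directions.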