Wireshark mailing list archives
Re: Correct way of adding a HTTP subdissector on port 80 with no content type?
From: Tarjei Knapstad <tarjei.knapstad () gmail com>
Date: Tue, 20 Jul 2010 13:32:59 +0200
On 20 July 2010 11:44, Guy Harris <guy () alum mit edu> wrote:
> On Jul 19, 2010, at 8:27 AM, Tarjei Knapstad wrote:
>
>> After some more digging I found that the HTTP dissector does not search for and call subdissectors if there are no unprocessed bytes left in the packet. Does this mean that it's impossible to do any custom processing of HTTP GET requests in a subdissector,
>
> Yes. What sort of custom processing are you trying to do?
I've written a dissector that is sort of a meta protocol for network traffic related to a specific set of applications. It currently extracts data from various XML payloads (and computes some values which I add to my meta-protocol to make this traffic easier to filter). For the GET requests I would like to inspect the URI and categorize the calls made (typically "GET /app/something?cmd=somecommand") and possibly also inspect the cookie.

For the XML payloads my current solution looks like this:

- added DTDs for the XML media types I want to dissect
- unregistered the XML dissector for those media types and registered my dissector instead in my dissector's handoff:

    dissector_delete_string("media_type", "application/something+xml", xml_handle);
    dissector_add_string("media_type", "application/something+xml", my_handle);

- made sure the handoff for my dissector is called last in register.c for the above to have any effect
- in my dissector I then call the XML dissector as a "pre-dissector", then extract some values from the XML as well as compute some new ones and add those to my protocol tree

The DTDs aren't strictly necessary, but it's nice to have the option of filtering on tags etc. in the XML as well.

I guess this "meta dissector" or "interception dissector" of mine doesn't fit too well into the Wireshark architecture, but it does work quite nicely after patching the generated register.c to hijack a subset of the XML media types, and now packet.c to make dissector_delete behave the way I expected it to (see previous reply to Stig). In the same way I now receive all the tcp.port 80 traffic, can call the HTTP dissector from my dissector and then add further metadata if it's one of "my" packets.
Regards,
Tarjei
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-dev
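The two pieces of the approach described in this message (taking over a media type from the stock XML dissector and running it as a "pre-dissector", and attaching metadata to HTTP GET requests that carry no body) can both be done from a Lua script without patching register.c or packet.c. The block below is an added example written for this archive page; it is not the poster's dissector and not part of Wireshark itself. The protocol names (myapp_xml, myapp_http), the field names (myapp_xml.root, myapp_http.cmd, myapp_http.cookie), the media type "application/something+xml" and the "cmd=" URI parameter are all assumptions chosen to match the message. For the GET-request part it uses a postdissector, which runs after the HTTP dissector has populated http.request.uri and http.cookie, rather than the subdissector the thread shows cannot be reached when no bytes remain; that substitution is mine, not the poster's. Whether DissectorTable:add silently replaces an existing media_type registration depends on the Wireshark version, which is exactly the dissector_delete behaviour the message says had to be patched around.

```lua
-- Added example for this list thread; assumes Wireshark's Lua API
-- (run with: tshark -X lua_script:myapp.lua -r capture.pcap).
-- Names below (myapp_xml, myapp_http, field names, media type) are hypothetical.

------------------------------------------------------------------
-- Part 1: hijack a media type and call the stock XML dissector first.
------------------------------------------------------------------
local xml_dissector = Dissector.get("xml")           -- registered by packet-xml.c as "xml"

local myapp_xml = Proto("myapp_xml", "MyApp XML payload metadata")
local f_root = ProtoField.string("myapp_xml.root", "Root element")
local f_len  = ProtoField.uint32("myapp_xml.len",  "Payload length", base.DEC)
myapp_xml.fields = { f_root, f_len }

-- First element name in the text; "<?xml", "<!DOCTYPE" and "<!--" are skipped
-- because '?' and '!' are not letters or '_'.
local function xml_root_element(text)
  return text:match("<([%a_][%w_:%-]*)")
end

function myapp_xml.dissector(tvb, pinfo, tree)
  -- "pre-dissector": let the XML dissector build its tree so xml.* filters still work
  xml_dissector:call(tvb, pinfo, tree)

  local sub = tree:add(myapp_xml, tvb())
  sub:add(f_len, tvb:len())
  local head = tvb:range(0, math.min(tvb:len(), 512)):string()
  local root = xml_root_element(head)
  if root then
    sub:add(f_root, root)
    pinfo.cols.info:append(" [myapp xml: " .. root .. "]")
  end
  return tvb:len()
end

-- Assumption: on this Wireshark version add() replaces the XML dissector's entry
-- for this media type; the thread describes needing to patch older code for that.
DissectorTable.get("media_type"):add("application/something+xml", myapp_xml)

------------------------------------------------------------------
-- Part 2: categorise GET requests from the URI, with no body to subdissect.
-- A postdissector runs after HTTP and can read HTTP's fields directly.
------------------------------------------------------------------
local myapp_http = Proto("myapp_http", "MyApp HTTP request metadata")
local f_cmd    = ProtoField.string("myapp_http.cmd",    "Command (from URI)")
local f_cookie = ProtoField.string("myapp_http.cookie", "Cookie")
myapp_http.fields = { f_cmd, f_cookie }

local http_uri    = Field.new("http.request.uri")   -- populated by the HTTP dissector
local http_cookie = Field.new("http.cookie")

-- "/app/something?cmd=somecommand&x=1" -> "somecommand"; nil when absent.
local function command_from_uri(uri)
  if not uri then return nil end
  return uri:match("[?&]cmd=([^&#]+)")
end

function myapp_http.dissector(tvb, pinfo, tree)
  local uri_fi = http_uri()                -- nil unless this frame is an HTTP request
  if not uri_fi then return end
  local cmd = command_from_uri(tostring(uri_fi.value))
  if not cmd then return end               -- not one of "my" calls

  local sub = tree:add(myapp_http, tvb(0, 0))
  sub:add(f_cmd, cmd)
  local cookie_fi = http_cookie()
  if cookie_fi then
    sub:add(f_cookie, tostring(cookie_fi.value))
  end
  pinfo.cols.info:append(" [myapp cmd=" .. cmd .. "]")
end

register_postdissector(myapp_http)
```

With the script loaded, `tshark -Y 'myapp_http.cmd == "somecommand"'` filters the categorised GET requests and `myapp_xml.root` filters the hijacked XML payloads, while the xml.* fields from the stock dissector remain available because it is still called first.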
Current thread:
- Correct way of adding a HTTP subdissector on port 80 with no content type? Tarjei Knapstad (Jul 19)
- Re: Correct way of adding a HTTP subdissector on port 80 with no content type? Tarjei Knapstad (Jul 19)
- Re: Correct way of adding a HTTP subdissector on port 80 with no content type? Guy Harris (Jul 20)
- Re: Correct way of adding a HTTP subdissector on port 80 with no content type? Tarjei Knapstad (Jul 20)
- Re: Correct way of adding a HTTP subdissector on port 80 with no content type? Guy Harris (Jul 20)
- Re: Correct way of adding a HTTP subdissector on port 80 with no content type? Stig Bjørlykke (Jul 19)
- Re: Correct way of adding a HTTP subdissector on port 80 with no content type? Tarjei Knapstad (Jul 20)
- Re: Correct way of adding a HTTP subdissector on port 80 with no content type? Tarjei Knapstad (Jul 20)
- Re: Correct way of adding a HTTP subdissector on port 80 with no content type? Tarjei Knapstad (Jul 20)
- Re: Correct way of adding a HTTP subdissector on port 80 with no content type? Tarjei Knapstad (Jul 19)