Wireshark mailing list archives
Re: Custom dissector creation
From: Max Dmitrichenko <dmitrmax () gmail com>
Date: Tue, 6 Dec 2011 04:11:19 +0300
2011/12/6 Andriy Beregovenko <jet () jet kiev ua>:
> I'm trying to create a custom dissector. Data in the protocol is encrypted with RC4, so I use the internal implementation of RC4 encryption and it works fine. Of course I read [0] before writing the code :) But I got strange behavior with result displaying. At the time of dump loading and dissector processing of the data, all data structures are filled correctly (I checked this using many printfs :]).
Wireshark can dissect every single packet many times. The first time is while the dump is loading; then again every time you select the packet for inspection. But you must be sure to decrypt all the packets only once, during the first pass.

Keep in mind also that TCP packets can be reordered, but you should decrypt the packets only in their proper order. You have to write some kind of stateful dissector with the state associated to every packet in the stream. It is a rather hard job for a first dissector. Take a look into the SSL or SSH dissectors to get the idea.

At the time I was writing my own dissector, the task of reordering TCP packets was unsolved in the generic case. I wrote a patch for the TCP assembler and committed it to the bug tracker. It requires some help from your (upper-level) dissector to work, but it solved the problem for me.

--
Max
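The two rules in the reply above (decrypt each packet exactly once, on the first pass and in stream order, and serve later re-dissections from cached per-packet state) can be modelled without the Wireshark build tree. The following is an added example written for this archive page; it is not code from Max's or Andriy's dissector and not Wireshark code. It uses its own small RC4 and a `stream_t` / `dissect()` model in place of Wireshark's conversation state, the per-frame "visited" flag and the `p_add_proto_data()` / `p_get_proto_data()` per-packet data API (exact signatures of those differ between Wireshark versions, so they are only named here, not called). The key, the segment contents and the reordered capture order are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal RC4 (KSA + PRGA). One instance per direction of a stream. */
typedef struct { uint8_t S[256]; uint8_t i, j; } rc4_t;

static void rc4_init(rc4_t *st, const uint8_t *key, size_t klen) {
    for (int k = 0; k < 256; k++) st->S[k] = (uint8_t)k;
    uint8_t j = 0;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + st->S[k] + key[k % klen]);
        uint8_t t = st->S[k]; st->S[k] = st->S[j]; st->S[j] = t;
    }
    st->i = st->j = 0;
}

static void rc4_crypt(rc4_t *st, const uint8_t *in, uint8_t *out, size_t n) {
    for (size_t k = 0; k < n; k++) {
        st->i = (uint8_t)(st->i + 1);
        st->j = (uint8_t)(st->j + st->S[st->i]);
        uint8_t t = st->S[st->i]; st->S[st->i] = st->S[st->j]; st->S[st->j] = t;
        out[k] = in[k] ^ st->S[(uint8_t)(st->S[st->i] + st->S[st->j])];
    }
}

/* Known-answer check from the public RC4 test vectors: "Key"/"Plaintext". */
static int rc4_known_answer_ok(void) {
    static const uint8_t expect[9] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};
    rc4_t st; uint8_t out[9];
    rc4_init(&st, (const uint8_t *)"Key", 3);
    rc4_crypt(&st, (const uint8_t *)"Plaintext", out, 9);
    return memcmp(out, expect, 9) == 0;
}

#define MAX_FRAMES 16   /* constructed limit for this model */
#define MAX_LEN    64

typedef enum { PKT_NONE = 0, PKT_DECRYPTED, PKT_OUT_OF_ORDER } pkt_status_t;

/* Per-packet result. In Wireshark this is what you would attach to the frame
 * with the per-packet data API so later passes never touch the cipher. */
typedef struct { pkt_status_t status; uint8_t plain[MAX_LEN]; size_t len; } pkt_data_t;

/* Per-stream (per-conversation) state: cipher position + next expected offset. */
typedef struct {
    rc4_t      cipher;
    uint32_t   next_offset;           /* stream offset the keystream is at */
    pkt_data_t per_frame[MAX_FRAMES]; /* indexed by frame number */
} stream_t;

static void stream_init(stream_t *s, const uint8_t *key, size_t klen) {
    memset(s, 0, sizeof *s);
    rc4_init(&s->cipher, key, klen);
}

/* Model of the dissector entry point. `visited` stands in for Wireshark's
 * per-frame visited flag: 0 on the first pass over the capture, nonzero on
 * every later re-dissection (e.g. when the user clicks the packet). */
static const pkt_data_t *dissect(stream_t *s, uint32_t frame, int visited,
                                 uint32_t offset, const uint8_t *ct, size_t len) {
    if (frame >= MAX_FRAMES || len > MAX_LEN) return NULL;
    pkt_data_t *pd = &s->per_frame[frame];
    if (visited || pd->status != PKT_NONE) return pd; /* later pass: cached only */
    if (offset != s->next_offset) {
        /* Reordered segment: do NOT run it through the cipher, that would
         * desynchronise the keystream for every packet after it. A real
         * dissector would ask the TCP layer for in-order delivery here. */
        pd->status = PKT_OUT_OF_ORDER;
        return pd;
    }
    rc4_crypt(&s->cipher, ct, pd->plain, len);
    pd->len = len;
    pd->status = PKT_DECRYPTED;
    s->next_offset += (uint32_t)len;
    return pd;
}

/* Constructed capture: a sender encrypts "HELLO","WORLD","AGAIN" in order,
 * but the capture holds frame 2 = third segment, frame 3 = second segment.
 * Returns the number of checks that pass (4 when everything behaves). */
static int demo_checks(void) {
    static const uint8_t key[] = "secret";
    const char *segs[3] = { "HELLO", "WORLD", "AGAIN" };
    uint8_t ct[3][MAX_LEN]; const uint32_t off[3] = {0, 5, 10};
    rc4_t sender; rc4_init(&sender, key, 6);
    for (int k = 0; k < 3; k++) rc4_crypt(&sender, (const uint8_t *)segs[k], ct[k], 5);

    stream_t s; stream_init(&s, key, 6);
    int passed = 0;
    const pkt_data_t *f1 = dissect(&s, 1, 0, off[0], ct[0], 5);
    const pkt_data_t *f2 = dissect(&s, 2, 0, off[2], ct[2], 5); /* arrives early */
    const pkt_data_t *f3 = dissect(&s, 3, 0, off[1], ct[1], 5);
    if (f1 && f1->status == PKT_DECRYPTED && memcmp(f1->plain, "HELLO", 5) == 0) passed++;
    if (f2 && f2->status == PKT_OUT_OF_ORDER) passed++;  /* cipher not advanced */
    if (f3 && f3->status == PKT_DECRYPTED && memcmp(f3->plain, "WORLD", 5) == 0) passed++;
    /* Second pass over frame 1: cached plaintext, stream state untouched. */
    const pkt_data_t *again = dissect(&s, 1, 1, off[0], ct[0], 5);
    if (again == f1 && again->status == PKT_DECRYPTED && s.next_offset == 10) passed++;
    return passed;
}

int main(void) {
    printf("rc4 known-answer: %s\n", rc4_known_answer_ok() ? "ok" : "FAIL");
    printf("dissector checks passed: %d/4\n", demo_checks());
    return 0;
}
```

The point of the model is the two guards at the top of `dissect()`: a revisited frame never reaches the cipher, and a segment whose offset is not the next expected one is marked rather than decrypted, so the keystream position stays equal to the stream offset. Frame 2 stays out-of-order in this model; in a real dissector that is where you would lean on the TCP layer's reassembly (or a patch like the one the reply mentions) to get the segment presented in order.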
Current thread:
- Custom dissector creation Andriy Beregovenko (Dec 05)
- Re: Custom dissector creation Max Dmitrichenko (Dec 05)