Wireshark mailing list archives
Re: Handing off payloads to the TCP dissector?
From: Stephen Fisher <steve () stephen-fisher com>
Date: Mon, 11 Jul 2011 15:16:36 -0600
On Sun, Jun 19, 2011 at 01:59:21AM +0100, Tyson Key wrote:
> I'm currently in the process of writing a dissector for Apple's USBMUX protocol (which encapsulates TCP frames with a non-IP-based 8 byte header), as used by their seemingly ubiquitous iProduct family.
> Having looked at the IPv4 and TCP dissectors for inspiration, I decided to add "*dissector_add_uint("usbmux.data", IP_PROTO_TCP, tcp_handle);*"
That function is for adding an entry to a "uint dissector table" (see epan/packet.h) by the name of the first parameter. So the usbmux.data dissector table would first have to exist. That isn't quite what you need to do.
> Any thoughts from others who are more experienced with that portion of the codebase?
You have TCP segments preceded by an 8 byte non-IP header, so you need to pass that portion of the tvbuff (starting at byte 9 until the end) to the TCP dissector. The TCP dissector registers itself by name with the register_dissector("tcp"... call in epan/dissectors/packet-tcp.c, so all you need to do is look up that handle in your proto_reg_handoff_XXX function like so (even the tcp dissector looks itself up):

Make a global variable (not inside a function):

    dissector_handle_t tcp_handle;

Then in proto_reg_handoff_XXX():

    tcp_handle = find_dissector("tcp");

Then at the right point in your code - after you dissect those first 8 bytes if possible, create a new tvbuff with the rest of the packet and pass it to the TCP dissector with something like this (untested but should be right):

    tvbuff_t *payload_tvb;

    payload_tvb = tvb_new_subset_remaining(tvb, 8);
    call_dissector(tcp_handle, payload_tvb, pinfo, tree);

Hope this helps.
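The cut at offset 8 described in the reply, modelled in plain C with the length checks a parser needs before it trusts the encapsulated TCP header. This is an added example, not code from the post or from Wireshark, and it does not use the Wireshark API. The names usbmux_tcp_view and tcp_view and the sample frame are assumptions made for illustration, and the 8-byte header is treated as opaque because the thread does not give its layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define USBMUX_HDR_LEN 8    /* per the thread: 8-byte non-IP header, treated as opaque */
#define TCP_MIN_HDR_LEN 20  /* fixed part of a TCP header */
typedef struct {            /* hypothetical result type for this example */
    uint16_t src_port, dst_port;
    uint32_t seq;
    const uint8_t *data;    /* TCP payload inside the frame */
    size_t data_len;
} tcp_view;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Returns 0, or -1 if the frame is short or the TCP data offset does not fit. */
int usbmux_tcp_view(const uint8_t *frame, size_t len, tcp_view *out)
{
    if (!frame || !out || len < USBMUX_HDR_LEN + TCP_MIN_HDR_LEN)
        return -1;
    const uint8_t *tcp = frame + USBMUX_HDR_LEN;  /* the cut at offset 8 */
    size_t tcp_len = len - USBMUX_HDR_LEN;
    size_t hdr_len = (size_t)(tcp[12] >> 4) * 4;  /* data offset is in 32-bit words */
    if (hdr_len < TCP_MIN_HDR_LEN || hdr_len > tcp_len)
        return -1;
    out->src_port = rd16(tcp);
    out->dst_port = rd16(tcp + 2);
    out->seq = rd32(tcp + 4);
    out->data = tcp + hdr_len;
    out->data_len = tcp_len - hdr_len;
    return 0;
}

/* Constructed sample: 8 opaque bytes, a 20-byte TCP header
 * (ports 49152 -> 8080, seq 1, data offset 5), then "hi". */
static const uint8_t sample_frame[] = {
    0, 0, 0, 0, 0, 0, 0, 0,
    0xC0, 0x00, 0x1F, 0x90, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x18, 0x10, 0x00, 0, 0, 0, 0,
    'h', 'i'
};

int main(void)
{
    tcp_view v;
    if (usbmux_tcp_view(sample_frame, sizeof sample_frame, &v) != 0) return 1;
    printf("%d -> %d seq %u, %zu payload bytes\n", v.src_port, v.dst_port, (unsigned)v.seq, v.data_len);
    return 0;
}
```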