Wireshark mailing list archives

Re: Handing off payloads to the TCP dissector?


From: Stephen Fisher <steve () stephen-fisher com>
Date: Mon, 11 Jul 2011 15:16:36 -0600

On Sun, Jun 19, 2011 at 01:59:21AM +0100, Tyson Key wrote:

I'm currently in the process of writing a dissector for Apple's USBMUX 
protocol (which encapsulates TCP frames with a non-IP-based 8 byte 
header), as used by their seemingly ubiquitous iProduct family.

Having looked at the IPv4 and TCP dissectors for inspiration, I 
decided to add "*dissector_add_uint("usbmux.data", IP_PROTO_TCP, 
tcp_handle);*"

That function is for adding an entry to a "uint dissector table" (see 
epan/packet.h) by the name of the first parameter.  So the usbmux.data 
dissector table would first have to exist.  That isn't quite what you 
need to do.

Any thoughts from others who are more experienced with that portion of 
the codebase?

You have TCP segments preceded by an 8 byte non-IP header, so you need 
to pass that portion of the tvbuff (starting at byte 9 until the end) to 
the TCP dissector.  The TCP dissector registers itself by name with the 
register_dissector("tcp"... call in epan/dissectors/packet-tcp.c, so all 
you need to do is look up that handle in your proto_reg_handoff_XXX 
function like so (even the tcp dissector looks itself up):

Make a global variable (not inside a function):

    dissector_handle_t tcp_handle;

Then in proto_reg_handoff_XXX():

    tcp_handle = find_dissector("tcp");

Then, at the right point in your code (after you dissect those first 8 
bytes, if possible), create a new tvbuff with the rest of the packet 
and pass it to the TCP dissector with something like this (untested but 
should be right):

  tvbuff_t *payload_tvb;
  /* new tvbuff covering everything after the 8 byte usbmux header */
  payload_tvb = tvb_new_subset_remaining(tvb, 8);
  /* hand that tvbuff to the TCP dissector found in proto_reg_handoff_XXX */
  call_dissector(tcp_handle, payload_tvb, pinfo, tree);


Hope this helps.


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
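The handoff pattern described above, reduced to a stand-alone C model. This is an added example, not code from the thread and not Wireshark code: the sim_* names are stand-ins for the real epan calls (tvb_new_subset_remaining, find_dissector, call_dissector) so the file compiles without libwireshark, the 8 byte usbmux header is treated as opaque because the thread does not describe its fields, the "tcp" dissector is a model that only reads the two port fields, and the packet bytes are constructed. What it adds to the thread is the length check a dissector wants before creating the subset: a frame shorter than the fixed header, or one with nothing after it, is rejected instead of being read past its end.

```c
/* Stand-alone model of handing a payload to a named dissector.
 * NOT Wireshark code: sim_* functions stand in for the real epan API
 * (tvb_new_subset_remaining, find_dissector, call_dissector). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define USBMUX_HDR_LEN  8   /* per the thread: an 8 byte non-IP header */
#define TCP_MIN_HDR_LEN 20  /* smallest valid TCP header */

/* Minimal stand-in for tvbuff_t: a bounded view over packet bytes. */
typedef struct {
    const uint8_t *data;
    size_t len;
} sim_tvbuff_t;

/* What the model "tcp" dissector extracts, so a caller can inspect it. */
typedef struct {
    uint16_t src_port;
    uint16_t dst_port;
    size_t   seg_len;   /* number of bytes handed to the TCP dissector */
} sim_tcp_info_t;

typedef int (*sim_dissector_fn)(const sim_tvbuff_t *tvb, sim_tcp_info_t *out);
typedef sim_dissector_fn sim_dissector_handle_t;

/* Stand-in for tvb_new_subset_remaining(): refuses (returns 0) to build a
 * view that would start past the end of the parent buffer. */
static int sim_tvb_new_subset_remaining(const sim_tvbuff_t *parent,
                                        size_t offset, sim_tvbuff_t *child)
{
    if (offset > parent->len)
        return 0;
    child->data = parent->data + offset;
    child->len  = parent->len - offset;
    return 1;
}

/* Model "tcp" dissector: reads only the source and destination ports. */
static int sim_dissect_tcp(const sim_tvbuff_t *tvb, sim_tcp_info_t *out)
{
    if (tvb->len < TCP_MIN_HDR_LEN)
        return 0;  /* truncated segment: never read past the buffer */
    out->src_port = (uint16_t)((tvb->data[0] << 8) | tvb->data[1]);
    out->dst_port = (uint16_t)((tvb->data[2] << 8) | tvb->data[3]);
    out->seg_len  = tvb->len;
    return 1;
}

/* Stand-in for the name -> handle registry behind register_dissector()
 * and find_dissector(); "tcp" is the only registered name here. */
typedef struct { const char *name; sim_dissector_handle_t handle; } sim_reg_entry_t;
static const sim_reg_entry_t sim_registry[] = { { "tcp", sim_dissect_tcp } };

sim_dissector_handle_t sim_find_dissector(const char *name)
{
    for (size_t i = 0; i < sizeof sim_registry / sizeof sim_registry[0]; i++)
        if (strcmp(sim_registry[i].name, name) == 0)
            return sim_registry[i].handle;
    return NULL;
}

/* Stand-in for call_dissector(): a NULL handle means the lookup failed. */
static int sim_call_dissector(sim_dissector_handle_t h,
                              const sim_tvbuff_t *tvb, sim_tcp_info_t *out)
{
    return h ? h(tvb, out) : 0;
}

/* Global handle, as the thread recommends (filled in at handoff time). */
static sim_dissector_handle_t tcp_handle = NULL;

/* Plays the role of proto_reg_handoff_usbmux(). */
void proto_reg_handoff_usbmux_sim(void)
{
    tcp_handle = sim_find_dissector("tcp");
}

/* Plays the role of dissect_usbmux(): skip the 8 byte header (treated as
 * opaque here, an assumption), then hand the remainder to "tcp". */
int dissect_usbmux_sim(const uint8_t *pkt, size_t pkt_len, sim_tcp_info_t *out)
{
    sim_tvbuff_t tvb = { pkt, pkt_len };
    sim_tvbuff_t payload_tvb;

    if (tvb.len < USBMUX_HDR_LEN)
        return 0;  /* frame shorter than the fixed header */
    if (!sim_tvb_new_subset_remaining(&tvb, USBMUX_HDR_LEN, &payload_tvb))
        return 0;
    return sim_call_dissector(tcp_handle, &payload_tvb, out);
}
```

Call proto_reg_handoff_usbmux_sim() once, then dissect_usbmux_sim() per frame; a return of 0 means the frame was too short for the header, had no TCP header after it, or the "tcp" lookup failed, and in each case nothing beyond the buffer was touched.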

