Wireshark mailing list archives

Re: Duplicating TCP dissector


From: Tyson Key <tyson.key () gmail com>
Date: Thu, 30 Jun 2011 15:30:30 +0100

Hi Randy,

Whilst it's probably not the best way, you might want to investigate the
technique that I used when developing a dissector for Apple's USBMUX
protocol (which is used to transport TCP data over USB, without IP framing
of any kind).

See bug #6045 on bugs.wireshark.org for the code, and feel free to comment.

I hope that helps,

Tyson.

On 29 June 2011 23:52, Randy Buck <sutekistudent () gmail com> wrote:

Hi,

I am building many new versions of TCP in user space.  All packet headers
are the same (IP, then TCP).  The packets will be sent/received over raw
sockets.  So that I can filter out my TCP versions from actual kernel TCP, I am
using other protocol numbers besides 6.  I wish to view these traces in
wireshark to ensure that the implementations are correct.  I am logging all
packets to a pcap file and am able to view them fine in wireshark.  The
issue at hand is that wireshark will only recognize TCP packets if the
protocol number in the IP field is 6.  I wish to view these packets as a TCP
trace in wireshark.  As far as I see it, I have a couple of options:

1. Change the source such that it will recognize the protocol numbers that
I wish to view as TCP.  I have already changed the IP_PROTO_TCP macro in
epan/ipproto.h to one of the protocol numbers that I am using, recompiled
and successfully viewed the trace.  I can see how I could modify all places
this macro is being used and check for all versions that I have.  This
approach is neither very clean nor easily extensible for new protocols and
could potentially break something if multiple flows evaluated to the same
protocol. I have also thought of changing the macro to a global variable
which is set via a command line option.  This would limit wireshark to only
recognizing one type of flow at a time which is okay, but not perfect.

2. Use a dissector to duplicate the TCP dissector that exists.  The problem
here is that I am not sure if writing a dissector for a TCP implementation
that I am using will still allow me to use the graphing, following, etc. of
TCP traces.  (This is some of the main functionality that I would like.)

I am open for other suggestions, but my question is, what is the best way
to view TCP packets/traces in wireshark that do not use protocol 6 in the IP
header?

--
Randy Buck

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe




-- 
                                          Fight Internet Censorship!
http://www.eff.org
http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon |
00447934365844
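An added example of the second option Randy describes, registering extra IP protocol numbers and handing the payload to Wireshark's existing TCP dissector so that stream following, sequence analysis and graphs keep working. This is a Lua plugin written for this page, not code from the thread, from bug #6045 or from Wireshark itself; the protocol numbers 253 and 254 are an assumption (IANA reserves them for experimentation and testing), as is the "udtcp" name.

```lua
-- udtcp.lua: hand user-space TCP variants (carried over IP protocol numbers
-- other than 6) to Wireshark's built-in TCP dissector.
-- Example code added for this page, not part of Wireshark. Protocol numbers
-- 253 and 254 are assumed here; substitute the ones your implementation uses.
local VARIANT_PROTOS = { 253, 254 }

-- The real TCP dissector does all the heavy lifting (conversation tracking,
-- sequence analysis, Follow TCP Stream, IO graphs); we only reuse it.
local tcp_dissector = Dissector.get("tcp")

-- Dispatch table keyed by the IP protocol number.
local ip_proto_table = DissectorTable.get("ip.proto")

for _, num in ipairs(VARIANT_PROTOS) do
    -- One Proto per variant so each shows up separately in Protocol Hierarchy
    -- and so "udtcp253" / "udtcp254" can be used as display filters.
    local p = Proto("udtcp" .. num, "User-space TCP variant (IP proto " .. num .. ")")

    function p.dissector(tvb, pinfo, tree)
        -- Full TCP dissection of the same bytes.
        tcp_dissector:call(tvb, pinfo, tree)
        -- The TCP dissector clears the Info column, so annotate it afterwards
        -- to make the variant visible in the packet list.
        pinfo.cols.info:prepend("[udtcp " .. num .. "] ")
    end

    ip_proto_table:add(num, p)
end
```

Place the file in the personal plugins directory (Help > About Wireshark > Folders). One caveat worth checking in the trace: the TCP dissector keys its conversations on addresses and ports, not on the IP protocol number, so two variants that reuse the same address/port tuple at the same time will be tracked as a single stream.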