Wireshark mailing list archives

Re: Duplicating TCP dissector


From: Jaap Keuter <jaap.keuter () xs4all nl>
Date: Thu, 30 Jun 2011 16:40:08 +0200


Hi, 

The proper way would be to register the TCP dissector for your IP protocol number.

Something like this in proto_reg_handoff_tcp():

    dissector_add_uint("ip.proto", IP_PROTO_, tcp_handle);

You could even add a preference for that.

Thanks,
Jaap


On Wed, 29 Jun 2011 16:52:09 -0600, Randy Buck wrote:

Hi,
I am building many new versions of TCP in user space. All packet headers are the same (IP, then TCP). The packets will be sent/received over raw sockets. So that I can filter my TCP versions out from the actual kernel TCP, I am using other protocol numbers besides 6. I wish to view these traces in Wireshark to ensure that the implementations are correct. I am logging all packets to a pcap file and am able to view them fine in Wireshark. The issue at hand is that Wireshark will only recognize TCP packets if the protocol number in the IP field is 6. I wish to view these packets as a TCP trace in Wireshark. As far as I see it, I have a couple of options:

1. Change the source such that it will recognize the protocol numbers that I wish to view as TCP. I have already changed the IP_PROTO_TCP macro in epan/ipproto.h to one of the protocol numbers that I am using, recompiled and successfully viewed the trace. I can see how I could modify all places this macro is being used and check for all versions that I have. This approach is neither very clean nor easily extensible for new protocols and could potentially break something if multiple flows evaluated to the same protocol. I have also thought of changing the macro to a global variable which is set via a command line option. This would limit Wireshark to only recognizing one type of flow at a time, which is okay, but not perfect.

2. Use a dissector to duplicate the TCP dissector that exists. The problem here is that I am not sure if writing a dissector for a TCP implementation that I am using will still allow me to use the graphing, following, etc. of TCP traces. (This is some of the main functionality that I would like.)

I am open to other suggestions, but my question is: what is the best way to view TCP packets/traces in Wireshark that do not use protocol 6 in the IP header?
-- 
Randy Buck
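Jaap's suggestion above, carried out with Wireshark's Lua dissector API instead of a C patch to packet-tcp.c, as an added example that is not part of the thread. It maps extra IP protocol numbers to the built-in TCP dissector and exposes them as a preference; the default numbers 253/254, the protocol name tcp_alt and the script file name are assumptions.

```lua
-- Added example, not code from the thread: the Lua equivalent of Jaap's
-- suggestion. It tells Wireshark's existing TCP dissector to also handle
-- the IP protocol numbers a user-space TCP variant is sent with, so the
-- packets are decoded as real TCP (conversations, Follow TCP Stream and
-- the TCP graphs all keep working). No rebuild of Wireshark is needed:
-- load with  wireshark -X lua_script:tcp_alt_proto.lua
-- or drop the file into the personal plugins directory.

-- The protocol numbers here are a constructed default; 253 and 254 are
-- the IANA values reserved for experimentation and testing. Change them
-- in Edit > Preferences > Protocols > TCP_ALT.
local DEFAULT_PROTOS = "253,254"

local tcp_alt = Proto("tcp_alt", "Alternate IP protocol numbers for TCP")
tcp_alt.prefs.protos = Pref.string(
    "IP protocol numbers",
    DEFAULT_PROTOS,
    "Comma-separated IP protocol numbers (1-255) to dissect as TCP")

local ip_proto_table = DissectorTable.get("ip.proto")
local tcp_dissector  = Dissector.get("tcp")
local registered     = {}   -- numbers currently mapped to TCP by this script

-- Parse "253, 254" into {253, 254}, dropping anything that is not a
-- valid protocol number and never touching 6 (real kernel TCP).
local function parse_protos(text)
    local protos = {}
    for field in string.gmatch(text, "%d+") do
        local n = tonumber(field)
        if n and n >= 1 and n <= 255 and n ~= 6 then
            protos[#protos + 1] = n
        end
    end
    return protos
end

-- (Re)apply the preference: unmap the old numbers, map the new ones.
-- Equivalent to dissector_delete_uint / dissector_add_uint in C.
local function apply_protos()
    for _, n in ipairs(registered) do
        ip_proto_table:remove(n, tcp_dissector)
    end
    registered = parse_protos(tcp_alt.prefs.protos)
    for _, n in ipairs(registered) do
        ip_proto_table:add(n, tcp_dissector)
    end
end

tcp_alt.prefs_changed = apply_protos   -- runs whenever the pref is edited
apply_protos()                          -- and once at load time
```

Because the packets reach the real TCP dissector, they are also subject to its normal analysis (sequence checks, retransmission flags), which is exactly what is wanted when validating a new TCP implementation.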

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev