This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

what determines the position of pointer of tree in main dissection function

0

I have a very basic question.From what i understand , dissector_add determines criteria of wireshark calling my dissector. Now suppose if i have udp.port==7011 kind of filter , then i guess the pointer of "tree"(in dissect_proto) starts from udp packet ? Am i correct ? What will happen if i am using heuristic dissector of "eth" ?

asked 04 Jun '12, 03:04

yogeshg's gravatar image

yogeshg
41222326
accept rate: 0%

One Answer:

0

Not sure where you're going with this, but the pointer 'tree' may point to a node to which your dissector can add proto items. You cannot make assumptions on where this 'tree' is rooted, nor do you have to. You get your data passed down to your dissector in the tvb, and you add your proto items to the proto tree. That's basically it.

answered 05 Jun '12, 04:04

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

Then how do i know where is correct place to add my proto items ?

(05 Jun '12, 04:37) yogeshg

As Jaap said, you just add items to the passed in proto tree, nothing to think about.

Your dissector will be called at the right point in the frame dissection as set up by your call to dissector_add_xxx.

If you add a heuristic dissector to the UDP dissector with heur_dissector_add(), your dissector will be added to the chain of heuristic dissectors for UDP, and may get called if nothing in front of you in the chain handles the data.

If you add a dissector to the UDP dissector using dissector_add_uint() with a port preference of 7011, then it will only be called when UDP traffic appears on port 7011.

If you add a heuristic dissector to the eth" dissector your dissector will be added to the chain of heuristic dissectors for ethernet, and may get called if nothing in front of you in the chain handles the data.

(05 Jun '12, 04:52) grahamb ♦

so basically , tree will automatically point at the start of the data which is relevant to my protocol because when we call for eg,

hb_tree = proto_item_add_subtree(ti, ett_hb); where hb is my protocol , hb_tree will contain all my protocol relevant info ? pls correct me if wrong , thanks for your patience :)

(05 Jun '12, 05:05) yogeshg

The tree is where you hang your dissection items. The tvb* you are passed will contain the data for you to dissect, and offset 0 in it will contain the first byte of your protocol, the preceding dissectors having extracted their data payload into the tvb handed to you.

(05 Jun '12, 05:13) grahamb ♦