I intend to dissect last 12 bytes of my protocol packet and for that i am using eth.trailer subdissector list of standard ethernet dissector. And we know that in IP header we have a field of 2 bytes which denotes total length of IP packet.Also i assume IP dissector must have done its dissection before my dissector will get called. So is there any way to retrieve that value from *pinfo ?? I hope i am clear. asked 14 Jun '12, 00:51  yogeshg |
3 Answers:
You have set a real hard target for yourself trying to keep all Wireshark functionality while dissecting such a violating protocol. What kind of HW or SW is used that overwrites these 12 bytes and the ethernet addresses? I think the way forward (warning: uncharted territory!!!) would be:
answered 15 Jun '12, 09:19  SYN-bit ♦♦ edited 15 Jun '12, 09:21 Boss,
This part is the only hurdle.I will have to plunge into default eth dissector to comprehend how that is being done. (15 Jun '12, 09:35) yogeshg 1 As I mentioned, copy the default eth dissector and remove the unnecessary parts. After all, you know that it's a "default" IP packet you're after, so no need to take care about all the other ethernet stuff, basically just the mac addresses, protocl type (IP) and possibly padding. Easy one ;-)) (15 Jun '12, 09:46) Kurt Knochner ♦ Can't thank enough both of you , earlier i was not sure of what i am doing , now that atleast i know how to go forward , i should be able to do it. (15 Jun '12, 09:55) yogeshg can you please tell us what kind of cluster software or loadbalancer (if any) causes that behaviour? Is it something "home-brewed" or is it available on the market? I want to store that information somewhere deep in my skull, just in case I'll see that ever again in the wild ;-) (15 Jun '12, 09:57) Kurt Knochner ♦ Is it possible to have plugin calling another plugin in wireshark ? if yes , please point examples , thanks (18 Jun '12, 04:27) yogeshg |
I'm not sure what you mean, as you are mixing ethernet trailer with last 12 bytes of IP payload in your question. If the 12 bytes you want to dissect are part of the IP payload, then you need to follow the normal path and let the protocol that has your 12 bytes as its payload call your dissector. If your 12 bytes come after the IP payload, then it will indeed be handled as ethernet trailer and you will need to add your dissector to the ethernet trailer dissector list. Your dissector will then be called with a TVB pointing to the first byte after the IP payload, so that should be the first byte of your 12 bytes. You have to be aware though, that there might or might not be a FCS in the trailer as well. It would help if you could upload a tracefile with a few of the packets you want to dissect to www.cloudshark.org and post the link to it here. answered 14 Jun '12, 10:24 SYN-bit ♦♦ Hi SYN-bit Yes it's last 12 bytes of IP payload. But the criteria on which i will want my dissector to be called is eth.dst has to be of certain pattern.(02:00:6f:A:B:01) A and B can belong to a range. So for this i am bound to use eth.heuristics ,or can i use normal ip disssector also and use negative offset with TVB to get to eth.dst in order to check it ? .. I believe all this trouble is because my protocol data and the criteria part(eth.dst) lie far ahead from each other. Tried uploading trace but no packets are showing up.It says "No packets were found" (14 Jun '12, 16:36) yogeshg Did you try to upload a file in libpcap format? (14 Jun '12, 16:51) SYN-bit ♦♦ disector_add() is used for definition of criteria right ? and most of examples i saw ,use tcp.port or udp.port equal to some value. But my case is different , i want packets whose eth.dst is of certain pattern as i mentioned above. That's why i am using eth heuristic dissector. But when we have heuristic dissector , our dissector gets called before that frame (eth in this case) is touched by wireshark. correct me if i am wrong (14 Jun '12, 17:04) yogeshg No , i tried to upload in .cap format not pcap ,can you send me your email address at yogesh.gg@hotmail.com , i will send you file itself or check your facebook message :) (14 Jun '12, 22:20) yogeshg (14 Jun '12, 22:40) yogeshg OK, I just took a look at your data. Since "your protocol" seems to change the dst mac address and the last 12 bytes of the IP payload, I'm not sure how you want to dissect this.
(15 Jun '12, 08:48) SYN-bit ♦♦ Or will the following do for you: Ethernet Dissection Padding Dissection of your 12 bytes If that's the case, you should change the Ethernet dissector to recognize your special mac-address and call your dissector as next (instead of the IP dissector). Then in your dissector, you need to extract the IP length from the IP header to get the offset to your 12 bytes. Show the "padding" as hexdata and then show the dissection of your protocol. (15 Jun '12, 08:52) SYN-bit ♦♦ You might want to create a new TVB with the IP header and payload up to, but not inlcuding your 12 bytes. Get those dissected by calling the IP dissector and when the dissector returns, dissect your 12 octets. I'm not 100% sure though if that will work, I would have to work that out myself. (15 Jun '12, 08:54) SYN-bit ♦♦ Hi yogeshg, Just a neat FYI - if you're using CloudShark you can actually embed the filter directly in the URL, thus: http://www.cloudshark.org/captures/7e77eba8a6cb?filter=eth.dst%3D%3D02%3A00%3A6f%3A01%3A02%3A01 (When you hit apply filter, the URL will change so you can copy it easily). /CS (19 Jun '12, 08:25) cloudshark showing 5 of 9 show 4 more comments |
yogeshg, you are asking a lot of questions about how to write a dissector during the last weeks, which is absolutely fine. You say, you need to filter on a specific dst mac address. Then you show a sample (Frame 385) that looks like a somehow "crippled" HTTP request. BTW: There are other, "crippled" HTTP requests to that dst mac. Why is that? So, what are you excatly trying to do with your dissector? I'm not sure you really need a dissector. Can you show a binary packet you want to dissect and the logical structure of the data in that packet? You need that information anyway if you want to dissect the packet. BTW: Why do you want to filter on the dst mac address? Your sample is TCP on port 80. So, why not just add a heuristic TCP/HTTP dissector? Are you interested in the structure of the payload or just the fact that there are packets with that dst mac address? answered 15 Jun '12, 04:55  Kurt Knochner ♦ edited 15 Jun '12, 05:10 Yes Kurt , its a HTTP packet in this case but in general it can be any packet with that specific dest mac.That is not crippled but chunked HTTP packet , usually when size is big we do this. In that chunked packet , if you click on HTTP header , then last 12 bytes will get highlighted below. That is precisely the part which i want to dissect.And this dissection i want to be done only on packets whose eth.dst is of that specific pattern. In that packet, below you can see all the binary and all the info you asked for. I gave the filter just because you guys can see what i want. (15 Jun '12, 05:17) yogeshg Thanks for you comment first. It can be any packet , http,udp,icmp whatever. That's why i can rely only and only on eth.dst. There are other HTTP requests also because trace was taken during traffic running. So only we are seeing lot of http requests. Two things i want :
That's it. (15 Jun '12, 05:29) yogeshg UPDATE: see my comment below (15 Jun '12, 06:57) Kurt Knochner ♦ Actually this packet is being steered from one node(a device) to another when any packet from client falls on wrong node. So from client it can be any packet icmp,http .. isn't it ? :) I just got what i wanted.. for dst mac pinfo->dl_dst and i also need to know about src mac .. pinfo->dl_src ?? (15 Jun '12, 07:04) yogeshg
crazy "protocol", isn't it? I'm just curious: Why are you doing that??? If it's always an IP packet, why not adding a heuristic IP dissector? HOWEVER: I'm not sure if that's possible, as I could not find one in the sources!! Within that dissector you can look for the dst mac (maybe pinfo->dl_dst) as soon as your dissector gets the packet. If the dst mac matches, look for your magic bytes (if there are any), possibly at position "pfino->iplen - 12" (or something similar). If neither condition matches return from your dissector. UPDATE: I don't think you can add a heuristic IP dissector, as packet-ip.c does not try to call heuristic dissectors. In that case, you can try to add a TCP and UDP heuristic dissector instead. I believe a heuristic ICMP dissector is also not possible (can't find code in packet-icmp.c). If that does not work for you, there is still the fallback to the heuristic ethernet dissector :-) However, with the information given in this thread, somebody with good experience in writing dissectors, might be able to help you. I'm still diving into the wireshark code and there is a lot I don't understand (from the code and data structure perspective). What you need:
(15 Jun '12, 07:08) Kurt Knochner ♦
Is this some kind of cluster protocol? I have seen some traffic in your capture that looks like cluster communication. (15 Jun '12, 07:11) Kurt Knochner ♦ Kurt, Whatever you just mentioned in "What you need" , i did precisely same in first attempt. But it didn't work. Because when we make heuristic eth dissector , our dissector gets called for every packet before wireshark touches the eth frame and TVB points to first bit of eth header. But problem is, when i did the dissection of those 12 bytes and i called eth dissector using "call_dissector(eth_handle ....)" function , in that call actually it again calls my heuristic dissector with TVB still pointing to first bit of eth header. IF you see line number 249 in packet-eth.c you can find it. (15 Jun '12, 08:14) yogeshg So it becomes loop kind of thing , because i will use call_dissector function inside my heur_dissect_proto function ..and in turn call_dissector will again call my heuristic dissector. I hope you will follow all what i said. That's why the procedure you mentioned won;t work !! Thanks anyways for your patience Sir! (15 Jun '12, 08:14) yogeshg you should not call the eth dissector in YOUR eth dissector, as it will "loop", as you mentioned. You need to parse the whole data yourself in your own eth dissector, as it will be called very early in the whole dissection process, so you can't access any IP, TCP data structures, as they are not there. No other dissector has been called for that packet, and you should not call any one of them yourself unless you know very well what happens then. So, basically you need to (kind of) rebuild the basic functionality of the eth and ip dissector to get to the data you need. First look at the eth dst address (see eth fram spec). Look at the protocol field. If it's IP, look at the IP len field and extract the data you need (last 12 bytes). If you are not interested in the dissection if the IP,TCP,UDP,ICMP part, then you can add your own information to the tree and tell wireshark to stop dissecting the packet any further. However, if you want other dissectors to be called as well (on such a packet), then it get's really tricky. (15 Jun '12, 08:34) Kurt Knochner ♦ No i want to dissect every bit :) .. i tried calling ip dissector in my heuristic dissector and that worked only thing is eth part was not dissected. And you told that pinfo->dl_dst will give me dst.mac right ? I suppose pinfo->dl_src will then give me src.mac. Ok that said, is there any way to get my dissector called for all packets without using heuristic dissector.AFAIK, only heuristic dissector gets called for all packet. (15 Jun '12, 08:48) yogeshg as SYN-bit said, change the default eth dissector to detect your special mac addresses. As long as you don't want this change to be included into the official source, it's probably the best (simple) way to go. (15 Jun '12, 08:58) Kurt Knochner ♦ UPDATE: see my comment below (15 Jun '12, 09:04) Kurt Knochner ♦ I think only way for me is to build up dissection of eth part myself in my eth heuristic dissector. And yes you got it right ,i am supposed to dissect all bits .. (15 Jun '12, 09:07) yogeshg 1
Do I get this right? You want to see ALL protocol details (Eth, IP, UDP, TCP, HTTP) plus your 12 last "magic" bytes beeing dissected by your own dissector? If so, you will have a hard time doing this, without some severe changes to wireshark, as those 12 last bytes can be part of any protocol (as you said). Just a wild idea: Change the default eth dissector to trigger on your mac address. If that trigger fires, look at the last 12 bytes of the packets. If they contain some magic bytes, remove those 12 bytes from the packet (adjust the length) and call the ip dissector. As soon as that dissector returns, add the 12 bytes back to the packet and dissect them yourself within the eth dissector. (15 Jun '12, 09:12) Kurt Knochner ♦ 1
The better (and possibly easier) way would be to fix your cluster protocol ;-)) (15 Jun '12, 09:14) Kurt Knochner ♦ Nice suggestion , until now i was not even thinking of changing default source :) , thanks a ton , i should try to do it.thanks again (15 Jun '12, 09:18) yogeshg you can also do this:
(15 Jun '12, 09:21) Kurt Knochner ♦ showing 5 of 17 show 12 more comments |
Com'on folks please help , its a humble request... To make myself clear let me rephrase :
I want to write dissector which will dissect packets whose eth.dst is of a certain pattern. For that i am using heuristic dissector.
But , my data, which i want to dissect is located at end of the IP payload . We can also say it's at end of eth payload or ip payload or tcp payload ..
That's why i think i should use eth.trailer subdissector for this.
But my heuristics need to access eth.dst, which will be already dissected when my dissector gets called isn't it ?
So for that i was wondering if we have any way to fetch eth.dst from pinfo pointer ?