This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am trying to create a dissector for packets which use the TIPC encoding. The dissector will convert the destination port into a meaningful value by comparing against a table as well as doing some analysis on the data. This information would be presented as well as all the TIPC information. I currently have it so "dissect_mydissect(tvbuff_t tvb, packet_info pinfo, proto_tree *tree)" is called for the correct packets, but the data being passed to it in tvb is only the data inside the TIPC packet not the information I need. I see its possible to get the Ethernet and frame data for a packet but is it possible to get the TIPC (or any encapsulating value for that matter) or would I need to create my own TIPC dissector and add my functionality to that.

Thanks for your time,

asked 31 Jul '12, 00:51

John%20Smith's gravatar image

John Smith
6113
accept rate: 0%


If a dissector needs/want information from the encapsulating layer, then that dissector must make that data available somehow and pass it down. That is what packet_info is for. If you have control over both dissectors, you could pass info via a structure in packet_info.private_data.

permanent link

answered 31 Jul '12, 14:26

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

Thanks for that, I was using the inbuilt TIPC dissector but as far as I can see it doesn't pass anything into .private_data. I am going to look into possible ways to create my own TIPC plugin by just copying the code and making the plugin overwrite the inbuilt TIPC one and pass through what I need. Failing that I am probably just going to need my own version of Wireshark with a modified TIPC dissector. Those seem the only real two options I have, unless I am missing something obvious. Will post what I ended up doing.

(01 Aug '12, 09:02) John Smith

For my uses I only needed to convert the address into something more meaningful. In order to do this I ended up using "tvb->ds_tvb" where tvb is the passed in value from dissect_mydissect. One problem I had with this is the values appear to be byte reversed but I just did a work around for it. It isn't a pretty way of doing it, and there is almost definitely a better way out there, but for my uses it was fine.

(08 Aug '12, 08:07) John Smith
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×14
×1

question asked: 31 Jul '12, 00:51

question was seen: 1,423 times

last updated: 08 Aug '12, 08:07

p​o​w​e​r​e​d by O​S​Q​A