This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Retrieving TIPC values in an encapsulated dissector

0

I am trying to create a dissector for packets which use the TIPC encoding. The dissector will convert the destination port into a meaningful value by comparing against a table as well as doing some analysis on the data. This information would be presented as well as all the TIPC information. I currently have it so "dissect_mydissect(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)" is called for the correct packets, but the data being passed to it in tvb is only the data inside the TIPC packet, not the information I need. I see it's possible to get the Ethernet and frame data for a packet, but is it possible to get the TIPC (or any encapsulating value for that matter), or would I need to create my own TIPC dissector and add my functionality to that?

Thanks for your time,

asked 31 Jul '12, 00:51

John Smith


One Answer:

1

If a dissector needs/wants information from the encapsulating layer, then that dissector must make that data available somehow and pass it down. That is what packet_info is for. If you have control over both dissectors, you could pass info via a structure in packet_info.private_data.

answered 31 Jul '12, 14:26

Jaap ♦

Thanks for that, I was using the inbuilt TIPC dissector but as far as I can see it doesn't pass anything into .private_data. I am going to look into possible ways to create my own TIPC plugin by just copying the code and making the plugin overwrite the inbuilt TIPC one and pass through what I need. Failing that I am probably just going to need my own version of Wireshark with a modified TIPC dissector. Those seem the only real two options I have, unless I am missing something obvious. Will post what I ended up doing.

(01 Aug '12, 09:02) John Smith

For my uses I only needed to convert the address into something more meaningful. In order to do this I ended up using "tvb->ds_tvb" where tvb is the passed-in value from dissect_mydissect. One problem I had with this is the values appear to be byte reversed, but I just did a workaround for it. It isn't a pretty way of doing it, and there is almost definitely a better way out there, but for my uses it was fine.

(08 Aug '12, 08:07) John Smith
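
The hand-off described in the answer, modelled as an added example (not code from this thread or from Wireshark): an outer dissector parses its header, publishes the values through packet_info.private_data, calls the payload dissector, then restores the pointer. The one-field packet_info stand-in, tipc_info_t, the header offsets and the sample frame are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for Wireshark's packet_info, reduced to the one field used here. */
typedef struct { void *private_data; } packet_info;

/* Hypothetical struct the encapsulating dissector shares with its payload dissector. */
typedef struct { uint32_t orig_port, dest_port; } tipc_info_t;

/* Constructed header layout for this example only. */
enum { HDR_LEN = 24, OFF_ORIG_PORT = 16, OFF_DEST_PORT = 20 };

/* Read a 32-bit field in network byte order, independent of host endianness. */
static uint32_t get_ntohl(const uint8_t *b, size_t off) {
    return ((uint32_t)b[off] << 24) | ((uint32_t)b[off + 1] << 16) |
           ((uint32_t)b[off + 2] << 8) | (uint32_t)b[off + 3];
}

/* Payload dissector: its buffer holds only the payload, so header values
 * must come from whatever the outer layer left in pinfo->private_data. */
static uint32_t dissect_mydissect(const uint8_t *payload, size_t len, packet_info *pinfo) {
    const tipc_info_t *ti = pinfo->private_data;
    (void)payload; (void)len;
    return ti ? ti->dest_port : 0;   /* 0 = outer layer supplied nothing */
}

/* Outer dissector: parse the header, publish it, call the payload dissector, restore. */
static uint32_t dissect_outer(const uint8_t *frame, size_t len, packet_info *pinfo) {
    tipc_info_t ti;
    void *saved = pinfo->private_data;
    uint32_t seen;
    if (len < HDR_LEN) return 0;     /* truncated header: nothing to hand down */
    ti.orig_port = get_ntohl(frame, OFF_ORIG_PORT);
    ti.dest_port = get_ntohl(frame, OFF_DEST_PORT);
    pinfo->private_data = &ti;
    seen = dissect_mydissect(frame + HDR_LEN, len - HDR_LEN, pinfo);
    pinfo->private_data = saved;     /* ti is on the stack; never leave it dangling */
    return seen;
}

/* Constructed sample: 16 filler bytes, orig port 7, dest port 4242, 2 payload bytes. */
static const uint8_t sample[26] = { [19] = 0x07, [22] = 0x10, [23] = 0x92, [24] = 0xAA, [25] = 0xBB };

uint32_t demo_dest_port(packet_info *pinfo) { return dissect_outer(sample, sizeof sample, pinfo); }

int main(void) {
    packet_info pinfo = { NULL };
    printf("payload dissector saw dest port %u\n", (unsigned)demo_dest_port(&pinfo));
    return 0;
}
```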