Hey Guys, So, I'm developing a dissector for a custom protocol (let's call it foo for now), part of that protocol is an incrementing sequence number, which we call a heartbeat, it's synonymous with "Packet Number" (this hbt = last_hbt++, very simple to check to see if we missed a packet). I've been trying to get this working with the conversation interface, but I've run into an issue. I can't work out how to compare two adjacent packets' heartbeats. Here's what I've got for the conversation code.
Every packet in the packet list is marked “Skipped Heartbeat!”, when it really shouldn’t be (I have a packet generator with a switch so I can inject bad packets BTW). I guess this is because the dissector isn’t being passed the packets in order, as I would expect, so my next step was to look at TCP to see how it does it(packet-tcp.c & packet-tcp.h), but I just can’t follow it, there are whole function chains which seem to go nowhere, so, how the hell do I step through the conversation chain and test for no sequential packets?? Thanks in advance, Craig. asked 20 Sep ‘12, 06:34 CTNOBLE edited 20 Sep ‘12, 07:01 SYN-bit ♦♦ |
2 Answers:
The problem is that Wireshark will run through the packets once sequentially, but also goes through the packets at random to create the protocol tree to display. Every frame will be marked "visited" on the first run, so you can use this to flag to do the dissection of each frame. If your dissection depends on the order of frames, use the following macro:
Also make sure that you need to save your dissection results that are sequence dependent in "per packet data" in the conversation table. See "2.5 Per-packet information." in doc/README.developer. For more details :-) answered 20 Sep '12, 07:07 SYN-bit ♦♦ showing 5 of 7 show 2 more comments |
OK, So I was able to get this working a lot faster than I thought. Here's my code.
|
Thanks for posting an answer, I do appreciate it, but I need some more info please.
My question my have been a bit vague on exactly what I wanted to know.
I was aware that Wireshark will run through sequentially the first time and then might run through at random on any subsiquent runs.
Which is what the conversation is for, I was under the impression that the "find_conversation()" function would return a different per-packet data structure based on the frame number (first argument to that function), is that true? That said your "visited" macro looks more robust, so I'll go with that.
not enough chars for full comment
If I was to call find_conversation(pinfo->fd->num--, ...) would that return the information from the previous frame in my stream or are the frame numbers not necessarily continuous? Would using a simple global variable be safe enough?
Basically how do I get data from the previous frame dissection into the current one?
Cheers, Craig.
find_conversation() will just give you the index to the conversation data based on addresses, ports and frame_number (as there might be more conversations with the same addresses/ports credentials).
A global variable will not do and neither will data inside your conversation data object, as you need to have the history at hand when your dissector is called for a specific frame.
You need to use the per-packet data to store states per packet.
So, please read the before mentioned paragraph of README.developer, which kind of explains this in more detail.
Thanks for the clarification, on conversations.
So here's some psudo code for what I think I need to do:
I’ll keep experimenting and post back here next week with the actual code just in case anyone else wants to see how I ended up solving this.
Cheers, Craig.
Not exactly, the only time to detect if a heartbeat was lost is in the sequential run, so the check whether a heartbeat was lost should be done in the “packet not seen” block. The result should be stored in the per-packet information.
Something like this:
Ahhhh, this just showed up when I hit OK for my code below.
I guess not retesting everytime might reduce the processing power needed, but wouldn’t this be functionally equivalent code?
Good practice is always worth the effort - I’ll change it next week and edit my answer post.
Thanks again!