So, I'm developing a dissector for a custom protocol (let's call it foo for now). Part of that protocol is an incrementing sequence number, which we call a heartbeat; it's synonymous with "Packet Number" (this hbt = last_hbt++, very simple to check to see if we missed a packet).
I've been trying to get this working with the conversation interface, but I've run into an issue. I can't work out how to compare two adjacent packets' heartbeats.
Here's what I've got for the conversation code.
Every packet in the packet list is marked “Skipped Heartbeat!”, when it really shouldn’t be (I have a packet generator with a switch so I can inject bad packets BTW).
I guess this is because the dissector isn't being passed the packets in order, as I would expect, so my next step was to look at TCP to see how it does it (packet-tcp.c & packet-tcp.h), but I just can't follow it; there are whole function chains which seem to go nowhere. So, how the hell do I step through the conversation chain and test for non-sequential packets?
Thanks in advance,
asked 20 Sep '12, 06:34
edited 20 Sep '12, 07:01
The problem is that Wireshark will run through the packets once sequentially, but also goes through the packets at random to create the protocol tree to display.
Every frame will be marked "visited" on the first run, so you can use this to flag to do the dissection of each frame. If your dissection depends on the order of frames, use the following macro:
Also make sure that you save your dissection results that are sequence dependent in "per packet data" in the conversation table. See "2.5 Per-packet information." in doc/README.developer for more details :-)
answered 20 Sep '12, 07:07
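Added example, not code from the asker's dissector or from Wireshark's own source: a self-contained C model of the two-pass behaviour the answer describes. `visited` stands in for `PINFO_FD_VISITED(pinfo)`, `foo_conv_t` for the data you would attach with `conversation_add_proto_data()`, and `foo_pkt_t` for the per-packet data you would store with `p_add_proto_data()`; `foo_naive` reproduces why every frame ends up flagged once frames are revisited out of order, and `foo_dissect` shows the fix.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the Wireshark state the answer refers to: 'visited'
 * plays the role of PINFO_FD_VISITED(pinfo), foo_conv_t is what you would keep via
 * conversation_add_proto_data(), and foo_pkt_t is what you would keep per frame via
 * p_add_proto_data(wmem_file_scope(), pinfo, proto_foo, 0, ...). Not Wireshark code. */
#define MAX_FRAMES 64

typedef struct { uint32_t last_hbt; bool have_last; } foo_conv_t; /* conversation data */
typedef struct { uint32_t expected; bool skipped; } foo_pkt_t;    /* per-packet data   */

static foo_conv_t conv;                 /* one conversation, shared by all its frames */
static foo_pkt_t  pkt_data[MAX_FRAMES]; /* per-packet results, indexed by frame number */
static bool       pkt_have[MAX_FRAMES];

static void foo_reset(void) {
    memset(&conv, 0, sizeof conv);
    memset(pkt_have, 0, sizeof pkt_have);
}

/* The asker's approach: compare against the conversation state on every call.
 * Correct during the first sequential pass, wrong once frames arrive at random. */
static bool foo_naive(uint32_t hbt) {
    bool skipped = conv.have_last && hbt != conv.last_hbt + 1;
    conv.last_hbt = hbt;
    conv.have_last = true;
    return skipped;
}

/* The answer's approach: compute only on the first pass (visited == false), store the
 * verdict in per-packet data, and on later passes just read it back. */
static foo_pkt_t foo_dissect(uint32_t frame_num, uint32_t hbt, bool visited) {
    assert(frame_num < MAX_FRAMES);
    if (!visited) {
        foo_pkt_t r = { hbt, false };
        if (conv.have_last) {
            r.expected = conv.last_hbt + 1;      /* uint32 wrap-around is intended */
            r.skipped  = (hbt != r.expected);
        }
        conv.last_hbt = hbt;                     /* advance state once per frame only */
        conv.have_last = true;
        pkt_data[frame_num] = r;
        pkt_have[frame_num] = true;
    }
    /* Later passes: never touch conv; replay the stored verdict for this frame. */
    return pkt_have[frame_num] ? pkt_data[frame_num] : (foo_pkt_t){ hbt, false };
}
```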
OK, so I was able to get this working a lot faster than I thought. Here's my code.