This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dissecting protocol that has message direction based dissectors

0

Hi Forum,

I am writing a dissector for a protocol that has different dissectors depending on the direction of the traffic.

The protocol is Length|FCode|Data. For the same FCode value the Data is dissected differently depending on its direction. Ie device to host and host to device. Sending request and response using same function code value.

How is this typically handled? Are there any example dissectors that do this?

Thanks

Stuart

asked 22 Jan '13, 23:23

StuieNorris's gravatar image

StuieNorris
6557
accept rate: 0%

One Answer:

1

You could do something like:

dir=extract_dir_from_packet(...);
if( dir==FWD ) {
    dissect_foo_fwd(...);
} else {
    dissect_foo_rev(...);
}

If there is nothing in the packet indicating the direction of the packet, you will need to remember the IP address of the host when your dissector gets called for the first data segment. You can do this with conversations. See README.developer paragraph 2.2.1 (especially 2.2.1.5 and 2.2.1.6).

answered 22 Jan '13, 23:51

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

I read the referenced section but I understand how to implement. however sounds pretty much exactly what I need.

Are there any existing dissectors that do what I want I could review?

(23 Jan '13, 01:42) StuieNorris