Hi, I am using the latest version of Wireshark, 1.8.6. After opening the packet capture file, the Protocol column shows TCP instead of Skinny. I know this frame is Skinny traffic; maybe a new bug in Wireshark 1.8.6? I can provide a screen dump and the packet capture file. Regards, Kevin
asked 12 May '13, 20:02 TAC edited 13 May '13, 15:45
One Answer:
Wireshark, by default, only recognizes:
as Skinny traffic. You probably have traffic to or from Yet Another Port, so you'd have to use "Decode As..." to decode it as Skinny traffic.
answered 12 May '13, 23:21 Guy Harris ♦♦
Hi, Guy
I just checked the Wireshark source code here: http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-skinny.c?view=markup It looks like everything is defined in the packet-skinny.c file. How hard is it to change the Wireshark default behavior and let it recognize the Skinny traffic? I am new to Wireshark development; is there any guide on the web?
"Recognize" based on what?
Wireshark can automatically recognize traffic for protocols running atop TCP or UDP based on either
For the former, you'd either have a wired-in set of port numbers and have the dissector register for all those port numbers or have a preference (defaulting to the current set of port numbers) and register for the specified port numbers.
For the latter, you'd have to figure out a pattern in Skinny packets sufficient to recognize all Skinny packets AND sufficient to recognize all packets that aren't Skinny packets and NOT try to dissect them as Skinny packets.
The first of those is easy, but means that the recognition of Skinny packets is only semi-automatic - only a little better than just using "Decode As...". The latter would automatically recognize them, IF it's possible, but is harder, as you'd have to figure out a pattern strong enough to recognize Skinny packets as such and NOT to recognize non-Skinny packets.
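The trade-off in the last comment, as an added example that is not part of the original thread and is not taken from packet-skinny.c or the Wireshark dissector API: a standalone C sketch comparing a weak and a stronger content pattern. It assumes the 12-byte Skinny header (little-endian data length, reserved field, message ID, with the length excluding the first 8 bytes); the zero reserved field, the 2000-byte bound, the function names and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SKINNY_HDR_LEN  12u    /* data length + reserved + message id, 4 bytes each */
#define SKINNY_MAX_DATA 2000u  /* assumed sanity bound for this sketch */

/* Constructed samples: one minimal Skinny-style PDU, and unrelated binary data. */
static const uint8_t sample_skinny[] = {4,0,0,0, 0,0,0,0, 0,0,0,0};
static const uint8_t sample_other[]  = {0x10,0x01,0,0, 0xde,0xad,0xbe,0xef, 1,2,3,4};

/* Read a 32-bit little-endian field. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Weak pattern: a full header is present and the length field is plausible. */
int skinny_weak_match(const uint8_t *buf, size_t len)
{
    if (len < SKINNY_HDR_LEN)
        return 0;
    uint32_t data_len = le32(buf);
    return data_len >= 4 && data_len <= SKINNY_MAX_DATA;
}

/* Stronger pattern: every PDU in the segment passes the weak check, has a
 * zero reserved field (assumption), and the PDUs tile the segment exactly. */
int skinny_strict_match(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    while (off < len) {
        if (!skinny_weak_match(buf + off, len - off)) return 0;
        if (le32(buf + off + 4) != 0) return 0;
        size_t pdu = (size_t)le32(buf + off) + 8;  /* length excludes first 8 bytes */
        if (pdu > len - off) return 0;
        off += pdu;
    }
    return len != 0;
}

int main(void)
{
    printf("skinny: weak=%d strict=%d\n", skinny_weak_match(sample_skinny, 12),
           skinny_strict_match(sample_skinny, 12));
    printf("other:  weak=%d strict=%d\n", skinny_weak_match(sample_other, 12),
           skinny_strict_match(sample_other, 12));
    return 0;
}
```

The weak check accepts the unrelated sample because its first four bytes happen to decode to a plausible length; the strict check rejects it, at the cost of also rejecting a Skinny PDU that is split across TCP segments or uses a non-zero header field.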