I'm writing a dissector for what is essentially a Google Protocol Buffers message. The details aren't important; I end up with a number of fields of bytes. All this is working well.
Now, sometimes, and not intrinsically recognizable from the data, a field of bytes may itself be a full message. Is it possible to register the dissector so that I can select just the one data field and say "Decode as..." and interpret the field as another message?
(Background: While Protocol Buffer messages contain enough information to describe how long each field is, there is no information on what the field means. It may be just a string of data, or it may be a nested message. That’s why there cannot be any other sensible default action than to treat a field as an opaque byte string. Only the human operator, who can consult the out-of-band schema, can decide whether the byte string is actually supposed to be a nested message.)
asked 22 May ‘13, 06:27
edited 22 May ‘13, 06:47
Currently, "Decode As..." is not a general mechanism for which arbitrary dissectors can register a table (so that, for a packet containing the protocol the dissector handles, you can choose to decode something carried by that protocol as some other protocol) and arbitrary dissectors can register in that table (so that they can be chosen with "Decode As...").
You could create a preference in your dissector to let you select a protocol to decode the payload as.
answered 22 May '13, 12:45
Guy Harris ♦♦
It might be possible, but that would be really hard to implement.
Why not heuristically look at the data bytes? If you assume it is nested, you can extract the length field from the data bytes and then compare that to the actual length of the data bytes. If it matches, you can assume that it is indeed nested. If not, you must assume it is just a data field.
And maybe there are other constraints in the formatting of the data field that you could use to strengthen the heuristics.
answered 22 May '13, 08:01
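The heuristic proposed in the second answer, worked out as an added example (this is not code from the question or either answer, and it does not use Wireshark's C or Lua dissector API; a dissector would port the same walk onto its tvb). It goes slightly further than the answer's single length comparison: it walks the candidate bytes as a protobuf wire-format message, requires every tag to carry a legal field number and wire type, and requires every length-delimited field to fit exactly inside the buffer, so the whole buffer is consumed with nothing left over. The sample message bytes are constructed for the example.

```python
"""Heuristic: does an opaque protobuf `bytes` field parse as a nested message?

Wire format recap (the facts the question relies on): each field is a varint tag
(field_number << 3 | wire_type) followed by a payload whose length is implied by
the wire type. Length-delimited fields (wire type 2) carry an explicit varint
length, which is what the heuristic compares against the bytes actually present.
"""

WIRETYPE_VARINT = 0
WIRETYPE_FIXED64 = 1
WIRETYPE_LEN = 2
WIRETYPE_FIXED32 = 5
# Wire types 3 and 4 (start/end group) are deprecated; this heuristic rejects them.

MAX_FIELD_NUMBER = (1 << 29) - 1  # 2^29 - 1, the protobuf field-number limit


def read_varint(buf, pos):
    """Decode a base-128 varint starting at buf[pos]; return (value, next_pos)."""
    result = 0
    shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def parse_fields(buf):
    """Split a wire-format message into (field_number, wire_type, payload) tuples.

    Raises ValueError as soon as the bytes stop looking like a message: a bad
    tag, an unsupported wire type, or a declared length that overruns the buffer.
    """
    fields = []
    pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 0x7
        if field_no == 0 or field_no > MAX_FIELD_NUMBER:
            raise ValueError(f"illegal field number {field_no}")
        if wire_type == WIRETYPE_VARINT:
            value, pos = read_varint(buf, pos)
            fields.append((field_no, wire_type, value))
        elif wire_type == WIRETYPE_FIXED64:
            if pos + 8 > len(buf):
                raise ValueError("truncated fixed64")
            fields.append((field_no, wire_type, bytes(buf[pos:pos + 8])))
            pos += 8
        elif wire_type == WIRETYPE_FIXED32:
            if pos + 4 > len(buf):
                raise ValueError("truncated fixed32")
            fields.append((field_no, wire_type, bytes(buf[pos:pos + 4])))
            pos += 4
        elif wire_type == WIRETYPE_LEN:
            length, pos = read_varint(buf, pos)
            # The answer's core check: declared length vs. bytes actually present.
            if pos + length > len(buf):
                raise ValueError("length-delimited field overruns the buffer")
            fields.append((field_no, wire_type, bytes(buf[pos:pos + length])))
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
    return fields


def looks_like_nested_message(payload):
    """True if `payload` parses cleanly as a message and consumes every byte.

    A dissector would hand such a field to the nested-message dissector and
    otherwise display it as plain bytes.
    """
    if not payload:
        return False
    try:
        parse_fields(payload)
    except ValueError:
        return False
    return True


# Constructed sample: field 1 = varint 150, field 2 = bytes "testing",
# field 3 = nested message containing field 1 = varint 150.
SAMPLE_MESSAGE = (
    b"\x08\x96\x01"            # tag (1, varint), value 150
    + b"\x12\x07testing"       # tag (2, len), length 7, "testing"
    + b"\x1a\x03\x08\x96\x01"  # tag (3, len), length 3, nested message
)

if __name__ == "__main__":
    for field_no, wire_type, payload in parse_fields(SAMPLE_MESSAGE):
        if wire_type == WIRETYPE_LEN:
            verdict = "nested message" if looks_like_nested_message(payload) else "opaque bytes"
            print(f"field {field_no}: {payload!r} -> {verdict}")
```

The caveat the second answer hints at with "other constraints": this is a plausibility test, not proof. Short byte strings in particular can parse by accident (any two bytes of the form `0x08 0xNN` with the high bit clear are a valid one-field message), so a real dissector should tighten it with schema knowledge where it has any, for example by rejecting field numbers the schema does not define, and should still leave the operator a manual override as the first answer suggests.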