This is our old Q&A Site. Please post any new questions and answers at

I am writing a subdissector for an existing protocol. The existing protocol has a bacapp_dissector_table. In a new file, i am writing a subdissector with following functions void proto_register_bacnetsbt(void) { static hf_register_info hf[] = { { &hf_bacnet_private_transfer, { "Private Transfer", "bacnet.private.transfer", FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL} } }; static gint *ett[] = { &ett_bacnet_sbt, };

/* Register */

proto_BACnet_PT_mr = proto_register_protocol("ABC","BACNET-SBT", "bacnetsbt"); register_dissector("ABC", dissect_BACnet_SBT_UCPT_mr, proto_BACnet_PT_mr);
} void proto_reg_handoff_bacnetsbt(void) { data_handle = find_dissector("data");

proto_BACnet_PT_handle = new_create_dissector_handle(dissect_BACnet_SBT_UCPT_mr, proto_BACnet_PT_mr);
dissector_add_uint("bacapp.vendor_identifier", SBT_VENDOR_ID, proto_BACnet_PT_handle);

static int dissect_BACnet_SBT_UCPT_mr(tvbuff_t tvb, packet_info pinfo, proto_tree *tree) { // My code } I have declared all required variables used in these functions. My dissect_BACnet_SBT_UCPT_mr function gets called correctly from BACnet disssector using bacapp.vendor_identifier. but when this function is called, the tree is null. When i debug, the tree is null even in bacapp function from which my subdissector function is called(existing dissector file for standard protocol - not my subdissector)

If this function in same file as existing bacapp dissector, tree node is not null. Am I missing any registration when i move code to new file?

asked 20 Apr '11, 13:53

dsprabhu4's gravatar image

accept rate: 0%

Is the tree NULL during every invocation of your dissector, or is it only sometimes NULL? Specifically, is the tree variable NULL when the bacapp dissector has already added details to the protocol tree?

(21 Apr '11, 07:26) multipleinte...

In my code, bacapp functions are called first. then function of my code - new subdissector is called. The tree is null every time. It is null also in bacapp functions. I found out this while debugging. This happens only when i move code to a separate file. if i keep code in same bacapp file, then tree is not null. Do we need to call any specific function when i move code to new file?

(21 Apr '11, 08:24) dsprabhu4

Figured out a way to handle this. Thanks everyone.

(22 Apr '11, 10:25) dsprabhu4

@dsprabhu4: Would you mind posting your solution as an answer in case other developers have this problem in the future?

(22 Apr '11, 11:51) multipleinte...

I am exactly not sure of the steps for adding a sub-dissector. but i analyzed packet-snmp.c and followed these steps. It worked for me :)

The protocol which I wanted to enhance supports proprietary services. In existing protocol code file, there

is a table with vendor ids. I wanted to call a function to analyze the proprietary services.

I wanted to add a dissector function in new file and add that function in this existing dissector table.

I created a new file packet-xxx.c

Add this new file packet-xxx.c epandissectors. Add reference of this c file in epanCMakeLists.txt Add reference of this c file in epandissectorsMakefile.common

I added two functions and my code in this new packet-xxx.c file.

• proto_register_xxx – This function creates a sub-dissector for a vendor identifier.

proto_xxx_PT_mr = proto_register_protocol("XXXProto","XXX", "xxx"); new_register_dissector("XXXPT",dissect_XXX_mr, proto_XXX_PT_mr);

The first statement will register sub-dissector. The sub-dissector will be referred by exiting protocol which

i am enhancing for proprietary information.

Second code statement creates the sub-dissector. Here dissect_XXX_mr function will be called when this

sub-dissector will be invoked.

• proto_reg_handoff_xxx – This function adds the dissector created in above function to the dissector


proto_XXX_PT_handle = find_dissector("XXXProto"); dissector_add_uint("table_identifier", XXX_VENDOR_ID, proto_XXX_PT_handle);

Note : "table_identifier" - this string should match with string used for creating dissector table in

existing code.

First code statement finds the dissector handle.

The second code statement is used to add dissector function handle in dissector_table. This is done using

table name – “table_identifier";

XXX_VENDOR_ID should have value which will be present in PrivateTransfer message as vendor id. This should

exactly match.It can be defined using #define.

• My proprietary code is in dissect_XXX_mr function.

I hope that above steps are not confusing because of xxx. I have removed specifics to my customer code.

permanent link

answered 25 Apr '11, 13:04

dsprabhu4's gravatar image

accept rate: 0%

With this, i am not longer getting buffer null. I do not know what changed that has solved problem of NULL buffer.

permanent link

answered 25 Apr '11, 13:06

dsprabhu4's gravatar image

accept rate: 0%

Lori added a method to develop plugins for BACnet PrivateTransfer services (vendor specific code) that doesn't require changes to the existing wirewhark BACnet Application Layer dissector (packet-bacapp.c). Simply create a plugin that implements your dissection rules for PrivateTransfer and register the VendorId with the bacapp dissector.

my_handle = create_dissector_handle(dissect_mypt, proto_mypt);

/* dissector called from bacapp when a PT service matches our vendor code */
dissector_add("bacapp.vendor_identifier", MY_VENDOR, my_handle);
permanent link

answered 31 Aug '11, 11:27

skarg's gravatar image

accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 20 Apr '11, 13:53

question was seen: 3,902 times

last updated: 31 Aug '11, 11:27

p​o​w​e​r​e​d by O​S​Q​A