This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

reverse engineering asn1.dll

0

Hi

I am developing a dissector similar to an already developed dissector. Earlier they used an ASN.1 file and compiled it; they have asn1.dll in the plugin folder. (I do have the ASN.1 file with me.)

But I have used my own code, starting from scratch. I have almost finished 90% and could not complete it, as some part is very difficult. I have 3 different layers: connection, control and adaptation layer.

Is it possible for me to reverse engineer it and get the code? Please suggest.

asked 09 Oct '14, 02:24

umar
accept rate: 0%


2 Answers:

1

Are you aware of the asn2wrs tool that can produce a dissector from an ASN.1 description (along with some helper files)?

Reverse engineering the DLL might be possible, but to get back to anything like the originating C code for the dissector would be a monumental task.

answered 09 Oct '14, 03:08

grahamb ♦
accept rate: 22%

Hi Grahamb!

Thanks for the reply. I have 3 different layers, each of which comes with 100s of payload types, which are in the ASN.1 code.

But how do I create a dissector using this ASN.1? I have gone through some of the examples here using asn2wrs (Toyasn1). I have 4 ASN.1 files, all linked to each other.

I have a control layer, connection layer and adaptation layer. I have a header containing the information on which payload follows. How do I do this? Please help. Thanks.

(09 Oct '14, 03:37) umar

I'm not sure if this is possible with ASN.1 dissectors and/or plugins, but normal dissectors can work in layers such as you describe; for instance, the http dissector hands off websocket data to the websocket dissector. When the http dissector registers, it looks for the websocket dissector using find_dissector("websocket"), and then calls that dissector using call_dissector() when it determines that the data is websocket type.

(09 Oct '14, 03:47) grahamb ♦
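The find_dissector()/call_dissector() hand-off described in that comment, written as a Wireshark Lua plugin rather than C so it can be dropped into the plugins folder and tried as-is. This is an added example, not code from the thread or from Wireshark; the protocol names (xhdr, xctrl, xadap), the two-byte header layout, the payload type values and the UDP port are all assumed.

```lua
-- Assumed protocol names, header layout and UDP port (not from the thread).
local hdr  = Proto("xhdr",  "Example Header Layer")
local ctrl = Proto("xctrl", "Example Control Layer")
local adap = Proto("xadap", "Example Adaptation Layer")

-- Assumed header: 1 byte payload type, 1 byte payload length, then payload.
local f_type = ProtoField.uint8("xhdr.type", "Payload type", base.DEC,
                                { [1] = "Control", [2] = "Adaptation" })
local f_len  = ProtoField.uint8("xhdr.len", "Payload length", base.DEC)
hdr.fields = { f_type, f_len }

-- A dissector table keyed by payload type replaces hard-coded hand-offs.
local payload_table = DissectorTable.new("xhdr.type", "XHDR payload type", ftypes.UINT8)

function hdr.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "XHDR"
    local subtree = tree:add(hdr, tvb(0, 2))
    subtree:add(f_type, tvb(0, 1))
    subtree:add(f_len,  tvb(1, 1))
    local ptype, plen = tvb(0, 1):uint(), tvb(1, 1):uint()
    if plen > tvb:len() - 2 then  -- never trust the length field
        subtree:add_expert_info(PI_MALFORMED, PI_ERROR, "Payload length exceeds packet")
        return
    end
    local payload = tvb(2, plen):tvb()
    -- try() returns bytes consumed; 0 means no sub-dissector matched this type.
    if payload_table:try(ptype, payload, pinfo, tree) == 0 then
        Dissector.get("data"):call(payload, pinfo, tree)
    end
end

function ctrl.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "XCTRL"
    tree:add(ctrl, tvb())
    -- Direct equivalent of find_dissector()/call_dissector(): assumed that a
    -- control PDU carries an adaptation PDU after its first byte.
    if tvb:len() > 1 then
        Dissector.get("xadap"):call(tvb(1):tvb(), pinfo, tree)
    end
end

function adap.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "XADAP"
    tree:add(adap, tvb())
end

payload_table:add(1, ctrl)
payload_table:add(2, adap)
DissectorTable.get("udp.port"):add(9999, hdr)
```

In a C dissector the same split is proto_reg_handoff_*() looking handles up with find_dissector() and the dissect function passing a sub-tvb to call_dissector(); the table lookup is register_dissector_table()/dissector_try_uint().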

ADAP_PDU DEFINITIONS AUTOMATIC TAGS ::= BEGIN

-- ********
-- Value References
-- ********

maxCdomain INTEGER ::= 4
maxKeySize INTEGER ::= 8192
maxPGAlgoType INTEGER ::= 8
maxRCPacketSizes INTEGER ::= 16
maxRCProfile INTEGER ::= 16
maxRB INTEGER ::= 16

-- ********
-- Type Definitions
-- ********

AdaptationLayerAVP ::= CHOICE {
    al-short-avp ALShortAVP,
    al-standard-avp ALStandardAVP
}

AdaptationLayerAVPList ::= SEQUENCE { adaptation-layer-avp AdaptationLayerAVP }

AdaptationLayerAVPListLengthAVP ::= BCnAVP

AdaptationLayerAVPListLengthParam ::= INTEGER (0..255)

ALMsgSeqNumber ::= INTEGER (0..15)

ALShortAVP ::= SEQUENCE {
    length-control BOOLEAN, -- {encode as FALSE}
    al-short-avp-type ALShortAVPType,
    al-short-avp-length INTEGER (1..8), -- encode as minimum bits from lowest bound
    param-value CHOICE { -- as appropriate to value of al-short-avp-type
        ...
    }
}

(09 Oct '14, 03:54) umar
1

I've had a quick look at the ASN.1 dissectors in Wireshark and there are quite a few of them that use call_dissector to hand off data to another dissector, e.g. tcap calls ansi_tcap. Have a look there to see how it is handled and adapt it to your situation.

(09 Oct '14, 04:10) grahamb ♦

1

> I am developing a dissector similar to an already developed dissector. Earlier they used an ASN.1 file and compiled it; they have asn1.dll in the plugin folder. (I do have the ASN.1 file with me.)
>
> Is it possible for me to reverse engineer it and get the code? Please suggest.

A comment:

If you have a Wireshark "asn1.dll" that suggests that the creator of same has made it publicly available in some manner.

If so, since Wireshark is GPLv2 licensed, the creator of the plugin is obliged to provide the plugin source upon request.

answered 09 Oct '14, 05:29

Bill Meier ♦♦
accept rate: 17%