This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am building a heuristic dissector for the UDP protocol and would like it to be activated only when the UDP checksum of a packet is 0 (zero).

How shall I approach that?

At the moment, the tvb passed to my UDP heuristic dissector only contains the bytes starting after the UDP header so I cannot check the checksum anymore. Is the checksum value part of pinfo maybe?

I initially tried to set up the dissector with the following command but it did not work: dissector_add_uint("udp.checksum", 0x0000, udp_handle);

This question is marked "community wiki".

asked 02 Mar '15, 05:51

maxvirrozeito's gravatar image

maxvirrozeito
6223
accept rate: 0%


There is no mechanism to support that. Subdissectors don't get passed the headers for the containing protocol, the checksum is not provided in any other fashion, and dissector_add_uint() does not take an arbitrary field as an argument, it takes the name of a dissector table registered by the containing protocol's dissector, and the only table the UDP dissector provides is one for the port number.

Either you'll have to make a hacked version of Wireshark or you'll have to figure out some other way of identifying your protocol's packets (which you should probably do anyway, as there's no guarantee that a zero checksum means it's your protocol).

permanent link

answered 02 Mar '15, 12:29

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

I will add all the relevant UDP ports to the dissector table - it will be a better way of detecting my protocol. I initially wanted to avoid that as it involves a few thousands ports.

(03 Mar '15, 09:41) maxvirrozeito
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×637
×10

question asked: 02 Mar '15, 05:51

question was seen: 1,975 times

last updated: 03 Mar '15, 09:41

p​o​w​e​r​e​d by O​S​Q​A