I am building a heuristic dissector for the UDP protocol and would like it to be activated only when the UDP checksum of a packet is 0 (zero). How shall I approach that? At the moment, the tvb passed to my UDP heuristic dissector only contains the bytes starting after the UDP header so I cannot check the checksum anymore. Is the checksum value part of pinfo maybe? I initially tried to set up the dissector with the following command but it did not work: dissector_add_uint("udp.checksum", 0x0000, udp_handle); asked 02 Mar '15, 05:51 maxvirrozeito
One Answer:
There is no mechanism to support that. Subdissectors don't get passed the headers for the containing protocol, and the checksum is not provided in any other fashion. Either you'll have to make a hacked version of Wireshark or you'll have to figure out some other way of identifying your protocol's packets (which you should probably do anyway, as there's no guarantee that a zero checksum means it's your protocol). answered 02 Mar '15, 12:29 Guy Harris ♦♦
I will add all the relevant UDP ports to the dissector table - it will be a better way of detecting my protocol. I initially wanted to avoid that as it involves a few thousand ports.
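As an added illustration of the approach the answer recommends (not code from the question, the answer, or Wireshark itself), here is a Lua dissector that is reached in the two ways discussed: a single port-range registration on the "udp.port" table, which covers a few thousand ports in one call, and a UDP heuristic that identifies the protocol from its own payload rather than from the UDP checksum it cannot see. The protocol name "myproto", the port range 5000-8999, the 4-byte magic value and the 6-byte header layout are all assumptions made for the example.

```lua
-- Added example, not part of the original Q&A: a hypothetical "myproto"
-- UDP dissector registered by port range and by a payload heuristic.
-- The name, ports, magic and header layout below are assumptions.

local myproto = Proto("myproto", "Hypothetical UDP protocol (example)")

local f_magic = ProtoField.uint32("myproto.magic", "Magic", base.HEX)
local f_len   = ProtoField.uint16("myproto.len", "Payload length", base.DEC)
myproto.fields = { f_magic, f_len }

-- Assumed 4-byte marker at the start of every myproto datagram ("MYPR").
local MAGIC = 0x4D595052
local HDR_LEN = 6

-- Main dissector: called directly for packets on the registered ports.
function myproto.dissector(tvb, pinfo, tree)
    if tvb:len() < HDR_LEN then return 0 end
    pinfo.cols.protocol = "MYPROTO"
    local subtree = tree:add(myproto, tvb(0, HDR_LEN))
    subtree:add(f_magic, tvb(0, 4))
    subtree:add(f_len, tvb(4, 2))
    return tvb:len()
end

-- Heuristic: the tvb handed to a UDP heuristic starts after the UDP header,
-- so the only evidence available is the payload itself. Require both the
-- magic value and a length field consistent with the datagram size before
-- claiming the packet, which keeps false positives low.
local function heur_myproto(tvb, pinfo, tree)
    if tvb:len() < HDR_LEN then return false end
    if tvb(0, 4):uint() ~= MAGIC then return false end
    if tvb(4, 2):uint() ~= tvb:len() - HDR_LEN then return false end
    -- Looks like ours: dissect it and bind the conversation so later
    -- packets in the same flow go straight to the dissector.
    myproto.dissector(tvb, pinfo, tree)
    pinfo.conversation = myproto
    return true
end

-- One range string registers every port in 5000-8999 (assumed range);
-- comma-separated lists such as "5000-5999,7000" are also accepted.
DissectorTable.get("udp.port"):add("5000-8999", myproto)

-- Register the heuristic on the UDP heuristic list as well, so packets on
-- ports outside the range are still recognised when the payload matches.
myproto:register_heuristic("udp", heur_myproto)
```

Drop the file into the Wireshark plugins directory (or load it with -X lua_script:) and it is picked up on startup; the heuristic can be toggled per protocol under Analyze > Enabled Protocols. Checking a length field against the datagram size in the heuristic is what makes it safe to enable by default: a bare magic-value test on a small marker will eventually match unrelated traffic.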