This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

UDP heuristic dissector to be invoked only when UDP checksum is zero


I am building a heuristic dissector for the UDP protocol and would like it to be activated only when the UDP checksum of a packet is 0 (zero).

How shall I approach that?

At the moment, the tvb passed to my UDP heuristic dissector only contains the bytes starting after the UDP header so I cannot check the checksum anymore. Is the checksum value part of pinfo maybe?

I initially tried to set up the dissector with the following command but it did not work: dissector_add_uint("udp.checksum", 0x0000, udp_handle);


asked 02 Mar '15, 05:51

maxvirrozeito


One Answer:


There is no mechanism to support that. Subdissectors don't get passed the headers for the containing protocol, the checksum is not provided in any other fashion, and dissector_add_uint() does not take an arbitrary field as an argument, it takes the name of a dissector table registered by the containing protocol's dissector, and the only table the UDP dissector provides is one for the port number.

Either you'll have to make a hacked version of Wireshark or you'll have to figure out some other way of identifying your protocol's packets (which you should probably do anyway, as there's no guarantee that a zero checksum means it's your protocol).

answered 02 Mar '15, 12:29

Guy Harris ♦♦

I will add all the relevant UDP ports to the dissector table - it will be a better way of detecting my protocol. I initially wanted to avoid that as it involves a few thousand ports.

(03 Mar '15, 09:41) maxvirrozeito
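As an added example (not code from the question, the answer, or the Wireshark project), here is a Lua dissector that does what the answer recommends and what the follow-up comment settles on: it recognises the protocol from its own payload rather than from the UDP checksum, and it registers the port range in the one dissector table UDP exposes, "udp.port", which accepts a range string so a few thousand ports are a single add() call. The protocol name "myproto", the 20000-23999 range and the 4-byte "MYPR" magic are assumptions for illustration. Two points the answer makes are visible in the code: the tvb handed to a UDP heuristic starts after the UDP header, so nothing about the checksum is reachable from it, and a zero UDP checksum cannot serve as an identifier in any case, because in IPv4 a zero field only means the sender did not compute a checksum at all (RFC 768), which any application may do.

```lua
-- Added example, not part of the original thread or of Wireshark.
-- Assumptions: protocol name "myproto", UDP ports 20000-23999, and a
-- 7-byte header: 4-byte magic "MYPR", 1-byte type, 2-byte payload length.

local myproto = Proto("myproto", "My Protocol (example)")

local f_magic = ProtoField.string("myproto.magic",   "Magic")
local f_type  = ProtoField.uint8 ("myproto.type",    "Message type",   base.DEC)
local f_len   = ProtoField.uint16("myproto.len",     "Payload length", base.DEC)
local f_data  = ProtoField.bytes ("myproto.payload", "Payload")
myproto.fields = { f_magic, f_type, f_len, f_data }

local MAGIC   = "MYPR"
local HDR_LEN = 7

-- Returns the number of bytes consumed, or 0 to tell Wireshark the
-- packet is not ours so it can try other dissectors.
function myproto.dissector(tvb, pinfo, tree)
    if tvb:len() < HDR_LEN or tvb(0, 4):string() ~= MAGIC then
        return 0
    end
    local plen = tvb(5, 2):uint()
    if HDR_LEN + plen > tvb:len() then
        return 0  -- declared length exceeds the buffer: reject, don't trust it
    end

    pinfo.cols.protocol = myproto.name
    local subtree = tree:add(myproto, tvb(0, HDR_LEN + plen))
    subtree:add(f_magic, tvb(0, 4))
    subtree:add(f_type,  tvb(4, 1))
    subtree:add(f_len,   tvb(5, 2))
    if plen > 0 then
        subtree:add(f_data, tvb(HDR_LEN, plen))
    end
    return HDR_LEN + plen
end

-- 1) Port-based registration. "udp.port" is the only table the UDP
--    dissector registers; a range string covers the whole block at once
--    instead of one add() per port.
DissectorTable.get("udp.port"):add("20000-23999", myproto)

-- 2) Heuristic registration for the same protocol on any other port.
--    The tvb here begins after the UDP header, so the decision has to
--    rest on the payload; the magic and length checks above do that.
local function heur_myproto(tvb, pinfo, tree)
    if myproto.dissector(tvb, pinfo, tree) == 0 then
        return false
    end
    -- Bind the conversation to this protocol so later packets of the
    -- flow skip the other UDP heuristics.
    pinfo.conversation = myproto
    return true
end
myproto:register_heuristic("udp", heur_myproto)
```

Save the file in the personal plugins directory, or load it for a single run with `tshark -X lua_script:myproto.lua -r capture.pcap`. Returning 0 from the port-registered dissector matters: with a range this wide, other traffic will land on those ports, and rejecting it lets Wireshark fall through to the remaining dissectors rather than mislabelling it.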