IP dissector does not recognize my protocol

Question

I'm developing a dissector/protocol as a plugin above Network layer so that The IP dissector will dissect all the IP headers and will look at the "protocol" field to pass the payload to my protocol. let's say the protocol number is " 254 ".
It runs over IP.
What are all the steps needed to do , so that the IP dissector recognize the protocol and it will pass the payload to my protocol ?

This is not a heuristic dissector.

EDIT : my packet-temp.c file contains :

#include "config.h"

#include < epan/packet.h>

#define IP_PROTO_TEMP 254
static int proto_temp = -1;

static void dissect_temp(tvbuff_t *tvb, packet_info *pinfo, proto_tree     *tree)
{
      col_set_str(pinfo->cinfo, COL_PROTOCOL, "TEMP");
      /* Clear out stuff in the info column */
      col_clear(pinfo->cinfo, COL_INFO);
 }

 void proto_register_temp(void)
 {
       proto_temp = proto_register_protocol (
                 "TEMP Protocol", /* name       */
                 "TEMP",      /* short name */
                 "temp"       /* abbrev     */
                 );
  }

  void proto_reg_handoff_temp(void)
 {
      static dissector_handle_t temp_handle;

      temp_handle = create_dissector_handle(dissect_temp, proto_temp);
      dissector_add_uint("ip.port", IP_PROTO_TEMP , temp_handle);
 }

Thanks.

Accepted Answer

2

Hi, This is what packet-tcp.c does:

dissector_add_uint("ip.proto", IP_PROTO_TCP, tcp_handle);

replace IP_PROTO_TCP with your number and the handle with your protocol handle.

permanent link

answered 05 Jun '15, 04:12

Anders ♦
4.6k●9●52
accept rate: 17%

edited 05 Jun '15, 04:13

You should register your protocol with IANA.

(05 Jun '15, 04:26) Anders ♦

Thanks for the reply @Anders . I replaced IP_PROTO_TCP with my protocol number(254) and tcp_handle with my protocol handle. But still I could not see my protocol number in the ipproto.c file or ip.proto table. Am i missing something?

(06 Jun '15, 05:07) Sammee Sharma

I'm not sure what you mean. Isn't your dissector being called? If you check the menu item internal integer dissector tables in.protocol, is your protocol registered there? If not you are not registering it properly.

(06 Jun '15, 07:24) Anders ♦

@Anders sir, I've checked (Internals ->Dissector table -> Integer tables -> ip.proto ) in the wireshark but it's not there. I've attached the packet-temp.c code. please have a look at it . waiting for your suggestion.Thanks.

(06 Jun '15, 07:55) Sammee Sharma

Did you also replace "ip.port" by "ip.proto", as the table to register too?

(06 Jun '15, 09:21) Jaap ♦

with this modification , i see that protocol number(254) in (wireshark -> Internals ->Dissector table -> Integer tables -> ip.proto ) but it is not there in ipproto.c file. should it be not there? @jaap

(07 Jun '15, 05:08) Sammee Sharma

1

No. The dissector_add_uint call causes a run-time modification, not a compile time one. This allows additions of new protocols without having to modify ipproto.c

(07 Jun '15, 08:43) grahamb ♦

showing 5 of 7 show 2 more comments

IP dissector does not recognize my protocol

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions