This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

[TAP] Tap listener: request for documentation ressources

0

Hi,

I am currently working on a tap listener and I am struggling on how to get (reassembled) packet informations from it, using a tap listener.

I would like to extract the following information:

  1. tapped protocol payload (without using the "Frame" data source if possible)
  2. protocol tree named field
  3. Documentation/Guide on how to use packet_info/epan_dissect_t ? (I have read README.* and source files but it is still hard to catch)

Tap listener callback I have access to.

static gboolean my_tap_listener_packet(void *tapdata, packet_info *pinfo, epan_dissect_t *edt, const void *tcp);

Example of TCP tree I would like to access named field (no necessary with the name).

Source Port: 443 (443)
Destination Port: 57189 (57189)
[Stream index: 0]
[TCP Segment Len: 0]
Sequence number: 152    (relative sequence number)
Acknowledgment number: 939    (relative ack number)
Header Length: 20 bytes
.... 0000 0001 0000 = Flags: 0x010 (ACK)
Window size value: 254
[Calculated window size: 65024]
[Window size scaling factor: 256]
Checksum: 0x0b60 [correct]
Urgent pointer: 0
[SEQ/ACK analysis]
    [This is an ACK to the segment in frame: 17]
    [The RTT to ACK the segment was: 0.000140000 seconds]
    [iRTT: 0.000577000 seconds]

Any help or link to documentations (even a README section I would have missed) would be appreciated.

Regards,

asked 21 Sep '15, 08:20

NewUser2's gravatar image

NewUser2
6113
accept rate: 0%

One Answer:

0

So finaly I got something to access protocol layer and the corresponding data (using bad practice for now since I am using tvbuff struct field directly, but I did not found an other way to do this simply). I will update this answer with news on this.

Working on accessing named field.

Part of the Code:

# define LOG_PREFIX "[TAP Listener plugin] => "##__FUNCTION__##"(): "
void    pretty_print_edt_tree(epan_dissect_t const *edt)
{
    proto_node  *node;

if (edt && edt->tree)
{
    node = edt->tree->first_child;
    while (node)
    {
        if (node->finfo)
        {
            if (node->finfo->hfinfo)
                printf(LOG_PREFIX"Node name: %s\n", node->finfo->hfinfo->name);
            if (node->finfo->ds_tvb)
                hex_dump(&node->finfo->ds_tvb->real_data[node->finfo->start], node->finfo->length, 8, 0);
        }
        node = node->next;
        printf(LOG_PREFIX"Going to next node\n");
    }
}



}


//gboolean(*packet)(void *tapdata, packet_info *pinfo, epan_dissect_t *edt, const void *data)
static gboolean tap_packet(void *tapdata, packet_info *pinfo, epan_dissect_t *edt, const void *ssl)
{
pretty_print_edt_tree(edt);
return (0);
}


// TL_REQUIRES_PROTO_TREE and TL_REQUIRES_COLUMNS were used to register the tap listener

Output:

[TAP Listener plugin] => pretty_print_edt_tree(): Node name: Ethernet^M$
[TAP Listener plugin] => hex_dump(): 0x000000:   08 00 27 0e e4 14 08 00   ..'…..^M$
[TAP Listener plugin] => hex_dump(): 0x000008:   27 00 44 90 08 00         '.D…^M$
^M$
[TAP Listener plugin] => pretty_print_edt_tree(): Going to next node^M$
[TAP Listener plugin] => pretty_print_edt_tree(): Node name: Internet Protocol Version 4^M$
[TAP Listener plugin] => hex_dump(): 0x000000:   45 00 00 84 73 7d 40 00   E…s}@.^M$
[TAP Listener plugin] => hex_dump(): 0x000008:   80 06 95 3f c0 a8 38 01   …?..8.^M$
[TAP Listener plugin] => hex_dump(): 0x000010:   c0 a8 38 65               ..8e^M$
^M$
[TAP Listener plugin] => pretty_print_edt_tree(): Going to next node^M$
[TAP Listener plugin] => pretty_print_edt_tree(): Node name: Transmission Control Protocol^M$
[TAP Listener plugin] => hex_dump(): 0x000000:   01 bb df 78 a2 57 49 c1   …x.WI.^M$
[TAP Listener plugin] => hex_dump(): 0x000008:   c9 17 ac be 50 18 01 00   ….P…^M$
[TAP Listener plugin] => hex_dump(): 0x000010:   33 be 00 00 16 03 01 00   3…….^M$
[TAP Listener plugin] => hex_dump(): 0x000018:   57 02 00 00 53 03 01 56   W…S..V^M$
[TAP Listener plugin] => hex_dump(): 0x000020:   01 62 4e 09 09 09 09 09   .bN…..^M$
[TAP Listener plugin] => hex_dump(): 0x000028:   09 09 09 09 09 09 09 09   ……..^M$
[TAP Listener plugin] => hex_dump(): 0x000030:   09 09 09 09 09 09 09 09   ……..^M$
[TAP Listener plugin] => hex_dump(): 0x000038:   09 09 09 09 09 09 09 20   ……..^M$
[TAP Listener plugin] => hex_dump(): 0x000040:   64 f6 ec 95 c2 79 dd 76   d….y.v^M$
[TAP Listener plugin] => hex_dump(): 0x000048:   6f a5 03 ff 94 49 f1 70   o….I.p^M$
[TAP Listener plugin] => hex_dump(): 0x000050:   85 88 df 99 d3 f8 ce 1b   ……..^M$
[TAP Listener plugin] => hex_dump(): 0x000058:   aa b0 a4 bc 80 ed e3 c9   ……..^M$
[TAP Listener plugin] => hex_dump(): 0x000060:   00 35 00 00 0b ff 01 00   .5……^M$
[TAP Listener plugin] => hex_dump(): 0x000068:   01 00 00 0b 00 02 01 00   ……..^M$

answered 22 Sep ‘15, 07:22

NewUser2's gravatar image

NewUser2
6113
accept rate: 0%

edited 22 Sep ‘15, 07:24