
Hi,

I am currently working on a tap listener and I am struggling with how to get (reassembled) packet information from it.

I would like to extract the following information:

  1. tapped protocol payload (without using the "Frame" data source if possible)
  2. protocol tree named field
  3. Documentation/guide on how to use packet_info/epan_dissect_t? (I have read README.* and the source files but it is still hard to catch)

Tap listener callback I have access to.

static gboolean my_tap_listener_packet(void *tapdata, packet_info *pinfo, epan_dissect_t *edt, const void *tcp);

Example of a TCP tree whose named fields I would like to access (not necessarily by name).

Source Port: 443 (443)
Destination Port: 57189 (57189)
[Stream index: 0]
[TCP Segment Len: 0]
Sequence number: 152    (relative sequence number)
Acknowledgment number: 939    (relative ack number)
Header Length: 20 bytes
.... 0000 0001 0000 = Flags: 0x010 (ACK)
Window size value: 254
[Calculated window size: 65024]
[Window size scaling factor: 256]
Checksum: 0x0b60 [correct]
Urgent pointer: 0
[SEQ/ACK analysis]
    [This is an ACK to the segment in frame: 17]
    [The RTT to ACK the segment was: 0.000140000 seconds]
    [iRTT: 0.000577000 seconds]

Any help or link to documentations (even a README section I would have missed) would be appreciated.

Regards,

asked 21 Sep '15, 08:20


NewUser2


So finally I got something to access the protocol layers and the corresponding data (using bad practice for now since I am using the tvbuff struct field directly, but I did not find another way to do this simply). I will update this answer with news on this.

Working on accessing named fields.


Part of the Code:

#include <stdio.h>
#include <glib.h>
#include <epan/packet_info.h>
#include <epan/epan_dissect.h>
#include <epan/proto.h>
#include <epan/tvbuff-int.h>   /* only needed for the direct real_data access below */

/* Prefix every log line with the name of the calling function.
 * (A plain string macro cannot be pasted with __FUNCTION__, hence the %s/__func__ form.) */
#define LOG(...) do { printf("[TAP Listener plugin] => %s(): ", __func__); printf(__VA_ARGS__); } while (0)

/* hex_dump() is my own helper and is not reproduced here; its signature is inferred from the call */
void hex_dump(const guint8 *data, int len, int width, int indent);

void    pretty_print_edt_tree(epan_dissect_t const *edt)
{
    proto_node  *node;

    if (edt && edt->tree)
    {
        /* The top-level children of the tree are the protocol layers (Ethernet, IPv4, TCP, ...) */
        node = edt->tree->first_child;
        while (node)
        {
            if (node->finfo)
            {
                if (node->finfo->hfinfo)
                    LOG("Node name: %s\n", node->finfo->hfinfo->name);
                /* Bad practice: reads the tvbuff's backing buffer directly (tvb_get_ptr() is the API way) */
                if (node->finfo->ds_tvb)
                    hex_dump(&node->finfo->ds_tvb->real_data[node->finfo->start], node->finfo->length, 8, 0);
            }
            node = node->next;
            LOG("Going to next node\n");
        }
    }
}

//gboolean(*packet)(void *tapdata, packet_info *pinfo, epan_dissect_t *edt, const void *data)
static gboolean tap_packet(void *tapdata, packet_info *pinfo, epan_dissect_t *edt, const void *ssl)
{
  pretty_print_edt_tree(edt);
  return FALSE;   /* nothing changed that would need a redraw */
}

// TL_REQUIRES_PROTO_TREE and TL_REQUIRES_COLUMNS were used to register the tap listener

Output:

[TAP Listener plugin] => pretty_print_edt_tree(): Node name: Ethernet
[TAP Listener plugin] => hex_dump(): 0x000000:   08 00 27 0e e4 14 08 00   ..'.....
[TAP Listener plugin] => hex_dump(): 0x000008:   27 00 44 90 08 00         '.D...

[TAP Listener plugin] => pretty_print_edt_tree(): Going to next node
[TAP Listener plugin] => pretty_print_edt_tree(): Node name: Internet Protocol Version 4
[TAP Listener plugin] => hex_dump(): 0x000000:   45 00 00 84 73 7d 40 00   E...s}@.
[TAP Listener plugin] => hex_dump(): 0x000008:   80 06 95 3f c0 a8 38 01   ...?..8.
[TAP Listener plugin] => hex_dump(): 0x000010:   c0 a8 38 65               ..8e

[TAP Listener plugin] => pretty_print_edt_tree(): Going to next node
[TAP Listener plugin] => pretty_print_edt_tree(): Node name: Transmission Control Protocol
[TAP Listener plugin] => hex_dump(): 0x000000:   01 bb df 78 a2 57 49 c1   ...x.WI.
[TAP Listener plugin] => hex_dump(): 0x000008:   c9 17 ac be 50 18 01 00   ....P...
[TAP Listener plugin] => hex_dump(): 0x000010:   33 be 00 00 16 03 01 00   3.......
[TAP Listener plugin] => hex_dump(): 0x000018:   57 02 00 00 53 03 01 56   W...S..V
[TAP Listener plugin] => hex_dump(): 0x000020:   01 62 4e 09 09 09 09 09   .bN.....
[TAP Listener plugin] => hex_dump(): 0x000028:   09 09 09 09 09 09 09 09   ........
[TAP Listener plugin] => hex_dump(): 0x000030:   09 09 09 09 09 09 09 09   ........
[TAP Listener plugin] => hex_dump(): 0x000038:   09 09 09 09 09 09 09 20   ........
[TAP Listener plugin] => hex_dump(): 0x000040:   64 f6 ec 95 c2 79 dd 76   d....y.v
[TAP Listener plugin] => hex_dump(): 0x000048:   6f a5 03 ff 94 49 f1 70   o....I.p
[TAP Listener plugin] => hex_dump(): 0x000050:   85 88 df 99 d3 f8 ce 1b   ........
[TAP Listener plugin] => hex_dump(): 0x000058:   aa b0 a4 bc 80 ed e3 c9   ........
[TAP Listener plugin] => hex_dump(): 0x000060:   00 35 00 00 0b ff 01 00   .5......
[TAP Listener plugin] => hex_dump(): 0x000068:   01 00 00 0b 00 02 01 00   ........


answered 22 Sep '15, 07:22


NewUser2

edited 22 Sep '15, 07:24
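The two things the question asks for, the named TCP fields and the segment payload, as an added example that is not part of the original question or answer: a Wireshark Lua tap listener that reads values from the dissected tree through Field extractors, the supported API, instead of the tvbuff internals used in the answer above. It assumes a Wireshark build in which the tcp.payload field exists; the other field names and Lua calls are the standard ones.

```lua
-- Added example (not from the original post): a Wireshark Lua tap listener that
-- reads named fields from the dissected tree via Field extractors instead of
-- reaching into tvbuff internals. Run with:
--   tshark -X lua_script:tcp_fields_tap.lua -r capture.pcap
-- Field extractors must be created before any packet is dissected.
local f_srcport = Field.new("tcp.srcport")
local f_dstport = Field.new("tcp.dstport")
local f_seq     = Field.new("tcp.seq")
local f_flags   = Field.new("tcp.flags")
-- Assumption: this Wireshark build exposes the "tcp.payload" field.
local f_payload = Field.new("tcp.payload")

-- Attach to the "tcp" tap point; packet() runs once per TCP segment after dissection.
local tap = Listener.new("tcp")

-- Hex preview of the first n bytes of a TvbRange (ByteArray prints as hex).
local function preview(range, n)
  local len = math.min(range:len(), n)
  return tostring(range:range(0, len):bytes())
end

function tap.packet(pinfo, tvb, tapinfo)
  local src, dst, seq, flags = f_srcport(), f_dstport(), f_seq(), f_flags()
  if not src then return end  -- no TCP fields in this frame

  -- FieldInfo objects: .value is the typed value, .range the bytes in the
  -- field's own data source (the tree node's ds_tvb), .label the tree text
  -- such as "Flags: 0x010 (ACK)".
  print(string.format("frame %d: %s -> %s seq=%s %s",
        pinfo.number, tostring(src.value), tostring(dst.value),
        tostring(seq.value), flags.label))

  -- The payload extractor yields nil for segments without data (pure ACKs),
  -- so an empty result is the normal case, not an error.
  local payload = f_payload()
  if payload then
    print(string.format("  payload %d bytes: %s...",
          payload.range:len(), preview(payload.range, 16)))
  end
end

function tap.reset() end
function tap.draw() end
```

With TCP reassembly enabled, the same Field.new/Listener pattern on an upper-layer tap (for example "ssl") sees the reassembled data rather than the per-segment bytes shown in the dump above.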


question asked: 21 Sep '15, 08:20

question was seen: 1,458 times

last updated: 22 Sep '15, 07:24
