This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do multiple dissectors work in same plugindll ?

0

Hi all,

I am currently trying to write a dissector for my custom protocol. The protocol as most protocols do, has different types of packets which are identified by the first 8 bits of the header. Now i want to display a different structure per each packet. I do realize that we can register multiple dissectors in the plugin.c as in the samples. However i wish to know how to transfer control to a different dissector per different packet once i have deciphered what type of packet it is from the header ? Do we have to return zero or null from one dissector for the next dissector to be called ?

asked 14 Jul '11, 23:13

Imtiyaz's gravatar image

Imtiyaz
1111
accept rate: 0%

retagged 15 Jul '11, 07:57

multipleinterfaces's gravatar image

multipleinte...
1.3k152340

One Answer:

1

It's a pretty straightforward process, but it may not be obvious if your are just starting out. Here's one way to do it, using a dissector table. Say you have two dissectors, foo, and subfoo. First, in your main dissector (foo, the one that identifies the type of packet):

static dissector_table_t foo_dissector_table = NULL; /* declare dissector table */

static void dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree tree)
{
guint8 data_type = 0;
gboolean subdissector_found = FALSE;
/ dissection logic goes here /
data_type = tvb_get_guint8(tvb, 0);
subdissector_found = dissector_try_port(
foo_dissector_table,
data_type,
tvb, pinfo, tree);
if(subdissector_found == FALSE)
{
/ note that the data is undecoded for the data type */
}
}


void proto_register_foo(void)
{
/* Your registration code */
foo_dissector_table = register_dissector table(
"foo.data_type",       /* field filter name, as described in hf_* structure */
"the data type field", /* description of field */
FT_UINT8,              /* data type */
BASE_DEC               /* display base */
);
}

Then, in your other dissectors (subfoo, and any other dissectors that further decode your protocol), register against this table like so:

void proto_regist_subfoo(void)
{
/* create a dissector handle for subfoo */
subfoo_handle = create_dissector_handle(
dissect_subfoo, /*the dissection function */
proto_subfoo); /* previously initialized with proto_register_protocol)
}


void proto_reg_handoff_subfoo(void)
{
/* other reg_handoff tasks */
dissector_add("foo.data_type",
data_type_value_for_subfoo, /* guint8 value of foo.data_type identifying subfoo */
subfoo_handle /* initialized in proto_register_subfoo */
);
}

You’ll probably wan’t to provide a subset of tvb rather than the whole thing in dissect_foo when using dissector_try_port, but that is up to you.

answered 15 Jul ‘11, 07:40

multipleinterfaces's gravatar image

multipleinte…
1.3k152340
accept rate: 12%

edited 15 Jul ‘11, 07:57