This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Server Based Application Dissectors

0

Hello, My co-worker and I are tasked with building dissectors for our firms protocols. My coworker is doing the coding. He has the development build installed We assign a port range to each of our customers. From which they can access multiple applications residing on multiple servers. These protocols are either tcp or udp. Meaning the dissectors need to be created based on an IP range and a Port Range.
I know this is not a supported function of WS, but does anyone have an idea on how to work around this to create these Server Based Application Dissectors?

thanks Steve

This question is marked "community wiki".

asked 20 May '16, 07:13

steve_merc's gravatar image

steve_merc
6446
accept rate: 0%

edited 20 May '16, 07:14

1

Not sure I quite understand the issue here. Are you saying that the protocols used depend on both IP and port?

Do the protocols have any magic identifiers so that they could be used heuristically? If so, then you don't need to register per port, just heuristically and check the traffic and return 0 if not your protocol.

(20 May '16, 07:54) grahamb ♦
1

Can the PDUs of these protocols be identified based on their contents as well, particularly the first couple of bytes? Then you could go the route of heuristic dissectors, which can get all packets of your particular transport (TCP, UDP, etc) and can then determine if it's their protocol.

(20 May '16, 07:54) Jaap ♦

Grahamb, Yes these are based on both IP and Port. Each customer is assigned a range of tcp 30 Ports to access multiple applications residing on different servers. I was mistaken this would be only for TCP traffic. Our UDP is outbound to customers on a specific port per application (much easier)!

JAAP, There is not always the same data after the TCP header. IE FIX or our proprietary session management protocol (which has many child apps under it)... I think what you are saying to instead of defining them by the app server ip, to build dissectors for each child of TCP. If so, since they would be using a non standard port range, is it possible to define a port range? ty Steve

(20 May '16, 08:18) steve_merc

One Answer:

1

@steve_merc,

Your "answer" has been converted to a comment as that's how this site works. Please read the FAQ for more information.

Dissectors can register for a port range, see README.dissector section 1.7.1 and the dissector_add_uint_range() registration call.

I'm still of a mind that using a heuristic approach would be easier though.

answered 20 May '16, 08:35

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%