This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to create multiple dissectors for same port number

0

Hi, I am trying to create wireshark dissectors in Lua for different types of packets. All these packets work on the same port number. My issue is that when I added the dissectors to init.lua and opened wireshark, some of the dissectors in Wireshark stopped working altogether. If I only add one of the dissectors in Wireshark, it works fine, but if I try to add multiple dissectors, only some dissectors work, the others stop working altogether. Please let me know what can be done in this regards. I know that I can create a huge dissector that can dissect all these packets but then I will lose the functionality of filtering based on a particular packet type or attribute of a packet type. Thanks.

asked 13 Jul '16, 11:32

shobhit_garg91's gravatar image

shobhit_garg91
169914
accept rate: 0%


One Answer:

1

How do you tell the different types of packets apart? Are these packet types different protocols or just different types of packets within the same protocol? If the latter then you really should just have one big dissector for that protocol. You shouldn't lose any filtering functionality by doing that--worst case the filters are a little longer.

If these really are different protocols then you fundamentally have 2 options:

  1. Create a "base" dissector that registers for the common port number and then looks at each packet and chooses which of the other dissectors to call for that packet
  2. (or) create several heuristic dissectors (see the Lua function register_heuristic()) which look at each packet and either accept (and dissect) the packet or tell wireshark "That's not my protocol" so Wireshark will try another of the heuristic dissectors.

answered 13 Jul '16, 12:13

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572
accept rate: 27%

Hi, all my packets have certain fields at certain locations that have a fixed value, these parameters enable me to identify one message from the other. I cannot use heuristic dissectors because it may cause my packet to be identified incorrectly. I am thinking of creating a single dissector that dissects out the packet based upon its type. This would help in applying the filters easily. Please let me know if there are any known drawbacks of using a single large dissector as opposed to creating multiple smaller dissectors and a generic dissector such that the generic dissector decides the type of packet and sends the packet to the corresponding smaller dissector. Also I don't understand why multiple dissectors with the same port number don't work in Wireshark. When I added the first three small dissectors having the same port no to init.lua and opened wireshark, everything worked fine, but when I added the fourth dissector, then couple of these dissectors stopped working altogether. Thanks for your help.

(13 Jul '16, 13:05) shobhit_garg91

Heuristic dissectors work by being able to identify whether the packet looks like the dissector's protocol or not--it sounds like that's the case here (you mentioned that certain locations have fixed values--that makes for a very good heuristic). They just have to do that check before starting dissection of the packet.

I'm not sure why it would work with 3 dissectors registered on the same port. I'd expect that only one of the dissectors would ever be called in that case.

Are these packets part of the same protocol or different protocols? Knowing that would make the best direction clearer...

(13 Jul '16, 14:36) JeffMorriss ♦

Hi Jeff, sorry for the delayed reply. They are different protocols. I am not sure why the 3 different dissectors registered on the same port number worked fine. I cannot use heuristic dissectors since there is a possibility of the packet being dissected incorrectly which I cannot afford to. I'd rather let the dissectors fail instead. For now I have created a single dissector which dissects the packets based on there type. I am having another issue though now. The details of that can be found at https://ask.wireshark.org/questions/54141/how-to-read-input-from-user-for-a-wireshark-dissector

Thanks again for the help.

(18 Jul '16, 13:10) shobhit_garg91

You're welcome. If an answer has answered your question, please be sure to Accept it by clicking the little checkmark next to the answer. That way the question won't show in the list of unanswered questions--among other things (see the FAQ).

(18 Jul '16, 13:26) JeffMorriss ♦