This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can’t apply/use “obscure” protocol decoder (DirectPlay)

0

I'm trying to debug the DirectPlay protocol used by some old DirectX games (https://wiki.wireshark.org/DPlay).

Neither my own capture, nor the example capture on the link above, is identified as anything other than generic UDP by Wireshark.

I've checked that the DPLAY protocol is enabled (Analyze -> Enabled Protocols).

When trying to bypass the heuristic protocol detection and manually choose the DPLAY decoder ("Decode As..."), I cannot even find DPLAY in the list of available decoders.

I've tried all this in Wireshark 1.12 as well as 2.0.4; same results.

Had a brief look at packet-dplay.c in the Wireshark source, but I'm not very skilled at C++ nor am I familiar with Wireshark's internals at all, so that didn't give me any clues, unfortunately.

What could be the reason for not being able to "Decode As" DPLAY?

asked 21 Aug '16, 10:04

Sheancell's gravatar image

Sheancell
6112
accept rate: 0%

One Answer:

0

Probably the heuristics fail to classify these packets as DPlay. This is the relevant code, where tvb contains the packet data and is called for every packet. Either it calls the dissection functions and returns TRUE or returns FALSE. You can read the packet data and deduce how the heuristics fail.

1123 static gboolean heur_dissect_dplay(tvbuff_t tvb, packet_info pinfo, proto_tree tree, void data U)
1124 {
1125     guint32 dplay_id, token;
1126 
1127     if(tvb_captured_length(tvb) < 25)
1128         return FALSE;
1129 
1130     / The string play = 0x706c6179 /
1131     dplay_id = tvb_get_letohl(tvb, 20);
1132     if( dplay_id == 0x706c6179) {
1133         dissect_dplay(tvb, pinfo, tree);
1134         return TRUE;
1135     }
1136 
1137 
1138     / There is a player to player message that does not contain "play" /
1139     token = tvb_get_letohl(tvb, 0);
1140     token = (token & 0xfff00000) >> 20;
1141     if (token == 0xfab || token == 0xbab || token == 0xcab) {
1142       / Check the s_addr_in structure /
1143       if (tvb_get_letohs(tvb, 4) == WINSOCK_AF_INET) {
1144         int offset;
1145         for (offset = 12; offset <= 20; offset++)
1146           if (tvb_get_guint8(tvb, offset) != 0)
1147             return FALSE;
1148 
1149         dissect_dplay_player_msg(tvb, pinfo, tree);
1150         return TRUE;
1151       }
1152     }
1153 
1154     return FALSE;
1155 }

answered 21 Aug '16, 12:04

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%