
I've previously created dissectors where the message had a constant format. Now I have the following case:

A message is sent over UDP with some header. The data of the message consists of many sub messages, each of which contains a header and data. Now these sub messages can be in any order inside the original big message, for example:

    IP - UDP - big message header - sub message A - sub message B - sub message C
    IP - UDP - big message header - sub message C - sub message A - sub message B

What these sub messages have in common is that they can be identified by a header (which has a common format for all of them, except for a message id).

The order of those sub messages is unknown, and the length of each sub message varies. The length of the big message also varies, but it can be evaluated from the big message header.

What is the best way to create a dissector for this? Any code example for this would be great.

Thank you!

asked 27 Jul '17, 22:19


BMWE
accept rate: 100%

edited 28 Jul '17, 01:40


sindy


The way you put it, the structure of your protocol is similar to many others (e.g., ISUP or Q.931) where the "big message" is the protocol message and the "submessages" inside it are called "information elements", often in Type-Length-Value structure, although sometimes the length and even the type is implicit (i.e. some types have fixed lengths and some types have fixed positions in the big message).

Well-written dissectors of such protocols are future-proof in the sense that they create their own dissector table indexed by "type", so if some information elements (submessages) are added in future, it is enough to write a dissector for that particular submessage and place a reference to it into the basic dissector's dissector table, while information element types for which no row exists in the dissector table are handled by the basic dissector. But it is questionable whether such an approach makes any sense for a Lua dissector.

Other than that, it is just a boring routine of parsing the contents of the big message submessage by submessage, taking into account their length, and calling a corresponding function to handle each submessage (consulting the dissector table first if you want to implement the approach mentioned above). If the last byte of the last submessage is not the last byte of the payload of the big message, something went wrong and you should report a malformed message.


answered 28 Jul '17, 01:28


sindy
accept rate: 24%
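The following Lua dissector is an added example illustrating the approach in the answer above; it is not code from the question, the answer, or Wireshark itself. Since the question does not give the actual wire format, the layout is assumed: a 4-byte big message header (2-byte magic, 2-byte total length including the header), followed by sub messages of the form 1-byte type, 2-byte value length, value. The protocol name `bigmsg`, the sub message type values, and UDP port 9999 are assumptions too. It shows the per-type dissector table, the loop over sub messages bounded by the length taken from the big header, and expert info for a truncated sub message, trailing bytes after the last sub message, and an unknown type.

```lua
-- Added example: Lua dissector for a "big message" carrying TLV sub messages.
-- ASSUMED wire format (not taken from the question):
--   big header  : magic (2 bytes) | total_len (2 bytes, incl. header)
--   sub message : type (1 byte)   | len (2 bytes, value only) | value
local bigmsg = Proto("bigmsg", "Big Message (example)")

local f_magic   = ProtoField.uint16("bigmsg.magic",    "Magic",        base.HEX)
local f_totlen  = ProtoField.uint16("bigmsg.len",      "Total Length", base.DEC)
local f_subtype = ProtoField.uint8 ("bigmsg.sub.type", "Sub Type",     base.DEC)
local f_sublen  = ProtoField.uint16("bigmsg.sub.len",  "Sub Length",   base.DEC)
local f_subdata = ProtoField.bytes ("bigmsg.sub.data", "Sub Data")
bigmsg.fields = { f_magic, f_totlen, f_subtype, f_sublen, f_subdata }

-- Expert infos for the error cases: a sub message that claims more bytes than
-- the big message has left, bytes left over after the last sub message, and a
-- type nobody registered a dissector for.
local e_short   = ProtoExpert.new("bigmsg.short",   "Sub message runs past the end of the big message",
                                  expert.group.MALFORMED, expert.severity.ERROR)
local e_trailer = ProtoExpert.new("bigmsg.trailer", "Bytes left after the last sub message",
                                  expert.group.MALFORMED, expert.severity.WARN)
local e_unknown = ProtoExpert.new("bigmsg.unknown", "No dissector registered for this sub message type",
                                  expert.group.UNDECODED, expert.severity.NOTE)
bigmsg.experts = { e_short, e_trailer, e_unknown }

-- Dissector table keyed by sub message type. A new sub message later means
-- registering one more Proto here; the loop below does not change.
local sub_table = DissectorTable.new("bigmsg.sub.type", "Big Message sub type",
                                     ftypes.UINT8, base.DEC, bigmsg)

local BIG_HDR_LEN = 4
local SUB_HDR_LEN = 3

function bigmsg.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "BIGMSG"
    local root = tree:add(bigmsg, tvb(), "Big Message")
    if tvb:len() < BIG_HDR_LEN then
        root:add_proto_expert_info(e_short, "big message header truncated")
        return 0
    end
    root:add(f_magic,  tvb(0, 2))
    root:add(f_totlen, tvb(2, 2))

    -- The big header says where the payload ends; never trust it beyond the
    -- bytes actually captured.
    local total = tvb(2, 2):uint()
    if total > tvb:len() then total = tvb:len() end

    local offset, count = BIG_HDR_LEN, 0
    while offset + SUB_HDR_LEN <= total do
        local stype = tvb(offset, 1):uint()
        local slen  = tvb(offset + 1, 2):uint()
        local avail = total - offset - SUB_HDR_LEN
        local sub = root:add(bigmsg, tvb(offset, SUB_HDR_LEN + math.min(slen, avail)),
                             string.format("Sub message type %d, %d bytes", stype, slen))
        sub:add(f_subtype, tvb(offset, 1))
        sub:add(f_sublen,  tvb(offset + 1, 2))
        if slen > avail then
            -- Length field points past the end of the big message: stop here.
            sub:add_proto_expert_info(e_short)
            return tvb:len()
        end
        local value = tvb(offset + SUB_HDR_LEN, slen):tvb()
        local d = sub_table:get_dissector(stype)
        if d then
            d:call(value, pinfo, sub)                   -- registered sub dissector
        else
            sub:add(f_subdata, value())                 -- fallback: show raw bytes
            sub:add_proto_expert_info(e_unknown)
        end
        offset = offset + SUB_HDR_LEN + slen
        count = count + 1
    end
    -- Last byte of the last sub message must be the last byte of the payload.
    if offset ~= total then
        root:add_proto_expert_info(e_trailer, string.format("%d trailing byte(s)", total - offset))
    end
    pinfo.cols.info:set(string.format("Big Message, %d sub message(s)", count))
    return tvb:len()
end

-- One sub message dissector, registered for ASSUMED type 1. Its value is taken
-- to be a 32-bit big-endian counter; anything else in the value is left as is.
local sub_a = Proto("bigmsg_a", "Sub message A (example)")
local f_a_counter = ProtoField.uint32("bigmsg_a.counter", "Counter", base.DEC)
sub_a.fields = { f_a_counter }
function sub_a.dissector(tvb, pinfo, tree)
    if tvb:len() >= 4 then tree:add(f_a_counter, tvb(0, 4)) end
    return tvb:len()
end
sub_table:add(1, sub_a)

-- ASSUMED transport: UDP port 9999.
DissectorTable.get("udp.port"):add(9999, bigmsg)
```

Types without a registered dissector are still walked correctly because the loop only needs the length field, which is exactly the property the answer relies on; they just show up as raw bytes with an "undecoded" note rather than breaking the parse of the sub messages that follow them.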
