This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using Dissectors and Subdissectors

0

Hi all,

I have to write a protocol analyzer based on TCP. The first level is a company-specific protocol which encapsulates several other company-specific protocols.

The first level I have already implemented and it works. That means: the data from TCP (let's call it Proto_One) I can analyze and make viewable in the tree. But the next step is to make the data (let's call it Proto_Two and Proto_Three) available to the next dissector. Here is my code, which is not completely working:

File: packet-proton.c

static dissector_handle_t data_handle;   /* file-scope handle for the generic "data" dissector */

void proto_reg_handoff_protone(void)
{
    dissector_handle_t protone_handle;

    protone_handle = find_dissector("protone");
    dissector_add_uint("tcp.port", global_protone_port, protone_handle);

    data_handle = find_dissector("data");
}



File: packet-prottwo.c

static dissector_handle_t data_handle;   /* file-scope handle for the generic "data" dissector */

void proto_reg_handoff_prottwo(void)
{
    dissector_handle_t prottwo_handle;

    prottwo_handle = find_dissector("protone");
    dissector_add("protone.protid", 4710, prottwo_handle);

    data_handle = find_dissector("data");
}



When I start up Wireshark on my Windows XP, I get the error:
Runtime Error!
Program: C:\Programme\System\Wireshark\Wireshark.exe
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.


Best Regards
tjmaker



By the way: I was trying to make the system debuggable with my MSVS 2008, but I didn't get it to work.

asked 25 Oct ‘11, 07:57


tjamaker

edited 26 Feb ‘12, 21:30


cmaynard ♦♦


2 Answers:

2

You'll have to create a sub-dissector table in proto_register_protone(), like so:

register_dissector_table("protone.protid", ....

answered 25 Oct '11, 09:34


Jaap ♦

Thanks for the answer. Now I got Wireshark started. But the dissection still doesn't work.

I made these changes in packet-proton.c:

void proto_register_protone(void)
{
    ...

    static hf_register_info hf[] =
    {
        ...

        { &hf_protone_protId,
            { "Protocol Identifier", "protone.protId",
              FT_UINT16, BASE_HEX, VALS(protocolIdTypeNames),
              0x0, "Protocol Identifier", HFILL } },

        ...
    };

    /* subdissector code */
    subdissector_table = register_dissector_table("protone.protid",
        "Protocol Identifier", FT_UINT16, BASE_HEX);
    register_heur_dissector_list("protone", &heur_subdissector_list);

    ...
}

Do I really need the line with register_heur_dissector_list?


And these changes I made in packet-prottwo.c:

void proto_reg_handoff_prottwo(void)
{
    dissector_handle_t prottwo_handle;

    prottwo_handle = find_dissector("protone");
    dissector_add("protone.protid", 0x1266, prottwo_handle);

    data_handle = find_dissector("data");
}


Is there something else I have to configure?
Is it working with 0x1266, or do I have to use 4710?

Best Regards
tjamaker

(25 Oct ‘11, 22:45) tjamaker

Do I really need the line with register_heur_dissector_list? Answer: No

prottwo_handle = find_dissector("protone"); should be find_dissector("prottwo");

(26 Oct ‘11, 04:47) Jaap ♦

0

OK, now I got the MSVC++ 2008 EE running to be able to debug the code. And now I can see that in my dissect_protone the call_dissector is called, but it never arrives in dissect_prottwo.

static void dissect_wagosp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    ...

    if (length_remaining != 0)
    {
        tvbuff_t *next_tvb;
        next_tvb = tvb_new_subset_remaining(tvb, offset);

        call_dissector(data_handle, next_tvb, pinfo, tree);
    }

    ...
}

answered 26 Oct ‘11, 02:40


tjamaker

This won’t call your prottwo dissector. Use:

/* dispatch on protid; fall back to "data" only when no sub-dissector claimed it */
if (!dissector_try_uint(subdissector_table, protid, next_tvb, pinfo, tree))
    call_dissector(data_handle, next_tvb, pinfo, tree);

if protid == 0x1266 then it will be called.

(26 Oct ‘11, 04:49) Jaap ♦

THX, now it works !!!

(26 Oct ‘11, 04:55) tjamaker
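The pieces this thread assembled one comment at a time (register the table in the outer protocol, add the inner protocol's own handle to it by protocol id, dispatch with a try-by-uint and fall back to "data") are shown together below as a complete, loadable two-level dissector. This is an added example, not the asker's code or anything from the original posts; it is written as a Wireshark Lua script rather than C because a Lua script loads into a stock Wireshark without a build tree, and the Lua DissectorTable calls map one-to-one onto register_dissector_table / dissector_add_uint / dissector_try_uint. The Proto_One framing (a 2-byte protocol id followed by a 2-byte length), the TCP port 4710, the protid 0x1266 and the single "command" byte of Proto_Two are assumptions made for the example; only 0x1266 and 4710 appear in the thread, and the thread never says which is the port and which is the protocol id.

```lua
-- Added example (not the asker's code): a two-level dissector pair in Wireshark Lua.
-- Assumed Proto_One framing: 2-byte protocol id, 2-byte payload length, then payload.
-- Load with:  tshark -X lua_script:protone.lua -r capture.pcap   (or put it in the plugins dir)

local PROTONE_TCP_PORT = 4710      -- assumed for the example; the thread does not give the real port
local PROTONE_HDR_LEN  = 4

-- ---- Proto_One: outer protocol, owns the sub-dissector table -----------------
local protone = Proto("protone", "Proto One (example)")
local pf_protid = ProtoField.uint16("protone.protid", "Protocol Identifier", base.HEX)
local pf_len    = ProtoField.uint16("protone.len",    "Payload Length",      base.DEC)
protone.fields = { pf_protid, pf_len }

-- Equivalent of register_dissector_table("protone.protid", ..., FT_UINT16, BASE_HEX).
-- The table must exist before any sub-dissector adds itself to it; adding to a
-- table that was never registered is what aborted Wireshark at startup in the thread.
local protid_table = DissectorTable.new("protone.protid", "Proto One protocol id",
                                        ftypes.UINT16, base.HEX)
local data_dis = Dissector.get("data")

function protone.dissector(tvb, pinfo, tree)
    -- Bounds check first: a truncated or foreign segment must not index past the buffer.
    if tvb:len() < PROTONE_HDR_LEN then
        return 0
    end
    pinfo.cols.protocol = "PROTONE"
    local subtree = tree:add(protone, tvb(0, PROTONE_HDR_LEN))
    local protid  = tvb(0, 2):uint()
    subtree:add(pf_protid, tvb(0, 2))
    subtree:add(pf_len,    tvb(2, 2))

    -- Hand the payload to whoever registered for this protid (dissector_try_uint).
    -- Calling the "data" dissector directly here would bypass the table entirely,
    -- which is why Proto_Two was never reached in the thread. Only when nobody
    -- claims the id do we fall back to "data".
    local payload = tvb(PROTONE_HDR_LEN):tvb()
    if protid_table:try(protid, payload, pinfo, tree) == 0 then
        data_dis:call(payload, pinfo, tree)
    end
    return tvb:len()
end

DissectorTable.get("tcp.port"):add(PROTONE_TCP_PORT, protone)

-- ---- Proto_Two: inner protocol, registers itself under protid 0x1266 ---------
local prottwo = Proto("prottwo", "Proto Two (example)")
local pf_cmd = ProtoField.uint8("prottwo.cmd", "Command", base.HEX)   -- assumed layout
prottwo.fields = { pf_cmd }

function prottwo.dissector(tvb, pinfo, tree)
    if tvb:len() < 1 then
        return 0
    end
    pinfo.cols.protocol = "PROTTWO"
    local subtree = tree:add(prottwo, tvb())
    subtree:add(pf_cmd, tvb(0, 1))
    return tvb:len()
end

-- The handle added to the table is prottwo, not protone. Adding the outer
-- protocol's own handle to its own table (the thread's second bug) would just
-- re-enter protone on the payload instead of reaching the inner dissector.
protid_table:add(0x1266, prottwo)
```

The `== 0` check relies on DissectorTable:try returning the number of bytes dissected, which current Wireshark releases do; on the 1.6-era build the thread was written against, the C equivalent is the gboolean returned by dissector_try_uint. A quick sanity check after loading the script is a display filter of `protone.protid == 0x1266 && prottwo`: frames that match the first half but not the second mean the table lookup is still being bypassed.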