Here, shall I change "udp.port" to "tcp.port" for my TCP-based application layer protocol dissector?

asked 11 Nov '11, 17:27 JK7; edited 12 Nov '11, 13:29 Guy Harris
2 Answers:
Yes, that should be all that's required.

answered 12 Nov '11, 00:07 grahamb
UDP is a packet-oriented protocol, so packets for a protocol running atop UDP usually have a one-to-one correspondence with UDP packets. TCP is a byte-stream oriented protocol, so packets for a protocol running atop TCP have to put their own packet boundaries into the byte stream, with, for example, a packet size field. Dissectors for protocols running atop TCP just get handed TCP segment data, with no guarantee that they're being handed exactly one packet or that they're being handed all of the data in a packet. The dissector would have to handle that itself. Depending on how your protocol does that, you might, for example, be able to use

answered 12 Nov '11, 13:27 Guy Harris
I think the OP is asking the question as the Developers Guide shows the "FOO" dissector as running atop UDP as per the example the OP has posted.
Your points are all worth noting though.
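
The framing problem described in the second answer (a dissector atop TCP is handed segment data, not whole packets), as an added example that is not part of the original posts and is not Wireshark code. It assumes a hypothetical protocol whose messages start with a 2-byte big-endian payload length; `stream_t`, `feed_segment`, `MAX_PAYLOAD` and the sample segments are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN     2    /* assumed framing: 2-byte big-endian payload length */
#define MAX_PAYLOAD 1024 /* assumed sanity limit on the length field */
typedef struct {
    uint8_t buf[HDR_LEN + MAX_PAYLOAD]; /* message currently being assembled */
    uint8_t last[MAX_PAYLOAD];          /* payload of the last complete message */
    size_t  have, last_len;             /* bytes buffered / length of last[] */
} stream_t;
/* Constructed sample: "hello", "hi", "abc" split at arbitrary points. */
static const uint8_t SEG1[] = {0x00, 0x05, 'h', 'e', 'l'};
static const uint8_t SEG2[] = {'l', 'o', 0x00, 0x02, 'h', 'i', 0x00};
static const uint8_t SEG3[] = {0x03, 'a', 'b', 'c'};

/* Returns messages completed by this segment, or -1 on an oversized length. */
int feed_segment(stream_t *s, const uint8_t *data, size_t len)
{
    int found = 0;
    for (;;) {
        size_t want = HDR_LEN;          /* first collect the length header */
        if (s->have >= HDR_LEN) {
            size_t plen = ((size_t)s->buf[0] << 8) | s->buf[1];
            if (plen > MAX_PAYLOAD) return -1;  /* never trust the field blindly */
            want = HDR_LEN + plen;
        }
        if (s->have == want) {          /* one whole message is buffered */
            s->last_len = want - HDR_LEN;
            memcpy(s->last, s->buf + HDR_LEN, s->last_len);
            s->have = 0; found++;
            continue;                   /* the segment may hold further messages */
        }
        if (len == 0) break;            /* segment used up; keep the partial */
        size_t take = want - s->have < len ? want - s->have : len;
        memcpy(s->buf + s->have, data, take);
        s->have += take; data += take; len -= take;
    }
    return found;
}

int main(void)
{
    static stream_t s;                  /* zero-initialised per-connection state */
    printf("%d\n", feed_segment(&s, SEG1, sizeof SEG1)); /* partial message */
    printf("%d\n", feed_segment(&s, SEG2, sizeof SEG2)); /* two messages + 1 header byte */
    printf("%d\n", feed_segment(&s, SEG3, sizeof SEG3)); /* header split across segments */
    return 0;
}
```

The state has to be kept per TCP connection and per direction, since each direction is its own byte stream.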