This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

can’t dissect the tcp payload!

0

i'am working on a project, that is "dissecting capture packets using libwireshark"

my code successfully dissected till tcp header but it cant dissect further the payload..the underlying protocol.

how to do that.. any help!

thanks!

asked 30 Jan '12, 03:38

Sanny_D's gravatar image

Sanny_D
0182021
accept rate: 50%


One Answer:

0

Register you dissector with the TCP dissectors port table, like do:

dissector_add_uint("tcp.port", currentPort, PROTOABBREV_handle);

Or, if there's no port relation, register your dissector as heuristic dissector, like so:

heur_dissector_add("tcp", dissect_PROTOABBREV, proto_PROTOABBREV);

All this can be found in doc/README.developer and doc/README.heuristic.

answered 30 Jan '12, 03:55

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

thanks! but..i am not writing the dissector, just used epan_dissect_run() on the packet, but wireshark is not dissecting further down... :-|

(30 Jan '12, 04:17) Sanny_D

What should it dissect then further down? What protocol are you referring too? Is that dissector registered and/or configured properly?

(30 Jan '12, 06:59) Jaap ♦

Diameter protocol..rfc 3588

after tcp header it just prints.. proto-"data", and hex dump of the diameter message

its not showing the AVPS in the message.. thanks!

(30 Jan '12, 09:54) Sanny_D

Is that dissector registered and/or configured properly?

(30 Jan '12, 11:22) Jaap ♦

yes.. during the epan initialization i registered that protocol using "register all protocols" and in that callback register_diameter function is there.

version wireshark 1.6.4 with tha patch 39873.

(30 Jan '12, 19:36) Sanny_D

By default, ONLY TCP traffic to or from port 3868 will be dissected as Diameter traffic. What TCP ports is the traffic you're handing libwireshark going to and coming from?

(30 Jan '12, 22:25) Guy Harris ♦♦

Is that dissector configured properly?

(30 Jan '12, 22:48) Jaap ♦

thanks a ton! :)

wat if i want to change the default port for diameter :-/ wat i need to do ?

(30 Jan '12, 22:49) Sanny_D

Edit your Wireshark preference file (creating it if necessary) and change the "diameter.tcp.ports" preference to list the ports you want to be used as Diameter ports.

(30 Jan '12, 23:34) Guy Harris ♦♦

coudnt find the file in /share folder.. have no idea how to create it :-/ and dissector is dissecting diameter without using the xml dictionary :|

(31 Jan '12, 10:14) Sanny_D

I infer from the / in /share that this is a UN*X system of some sort; if so, the file is in the .wireshark subdirectory of your home directory.

If it's not using the XML dictionary, it's probably not finding the XML dictionary; it will look for it in whatever directory was configured as the "data file directory" when Wireshark was configured and built.

(31 Jan '12, 10:44) Guy Harris ♦♦

i have a client(port 5678) server(3668)

i have edited the preferences file diameter.tcp.ports=3000-7000

but still libwireshark is dissecting only the diameter traffic for port 3868.. if i change the port of server other than 3868... it doesnt dissect the diamter protocol

(02 Feb '12, 03:18) Sanny_D

Make sure to set 'diameter.desegment' to true, as well as 'tcp.desegment_tcp_streams'. Better yet, test your preferences with Wireshark first.

(02 Feb '12, 05:16) Jaap ♦

testing it with tshark does exactly what i want..

i set the preferences using prefs_set_pref(char *prefarg);

but when i use the same function in my code and set the port:4868 and print the preference file it shows that "diameter.tcp.ports:4868:

but still it dissecting the diameter protocol for only the 3868 (default port)

just cant figure out what is the problem

(02 Feb '12, 22:38) Sanny_D
showing 5 of 14 show 9 more comments