This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

dissector ip filter

Hi, I've written a dissector plugin to filter my protocolls. I've added dissector_add_uint("tcp.port", 5001, test_handle); to filter the port, but how can I add a filter of an ip adress? I tried something like dissector_add_string("ip.src", 127.0.0.1, test_handle); but this doesn't work. What is the correct way to add an ip to my dissector?

filter ip dissector

asked 07 Feb '12, 10:09

Nic
14●5●5●6
accept rate: 0%

One Answer:

(A dissector doesn't filter protocols, it dissects them. Presumably that's what you meant.)

Most dissector handoffs done with tables such as "tcp.port" use values that are also named protocol fields, in which case the convention is that the table name should be the same as the field name, but it is NOT the case that every named protocol field has a corresponding handoff table; there is, for example, no table named "ip.src", even though there's a field named "ip.src", so your dissector_add_string() call doesn't work.

If you mean that you only want your dissector called for traffic to and from port 5001 that is coming from a particular IP address, the only way to do that would be to make a heuristic dissector and have it check both pinfo->srcport and pinfo->dstport and reject the packet if neither of them have the value 5001 and also check whether pinfo->net_src is equal to the source address in question. (To do that, you could create a (static const) structure of type address, initialize its type value to AT_IPv4 or AT_IPV6 depending on whether it's an IPv4 or IPv6 address, initialize its len value to 4 or 16, and initialize its data value to point to an (const) array of bytes containing the raw bytes of the IP address, and then compare the addresses with CMP_ADDRESS(). Do NOT assume that the address is an IPv4 address! It could, for example, be an IPv6 address.)

answered 07 Feb '12, 20:06

Guy Harris ♦♦
17.4k●3●35●196
accept rate: 19%