How can I write a Wireshark dissector where the format of the packet depends upon a field in the packet?


I am writing a Wireshark dissector for a custom protocol. The protocol is as follows: the first 3 bits of the packet define how the rest of the packet is constructed. For example, if these 3 bits are 00, the remainder of the packet is a 6-bit field followed by 2 byte fields. If the leading 3 bits are 01, the remainder of the packet is a 14-bit field followed by a byte field. I have successfully dissected the leading 2-bit field (which I've called hf_format). In the dissector function, my code does this at the moment:

proto_tree_add_item( ..hf_format...);
if(hf_format==0)
{
   proto_tree_add_item( ..6-bit field...);
   proto_tree_add_item( ..first byte field...);
   proto_tree_add_item( ..second byte field...); 
}
else if (hf_format==1)
{
   proto_tree_add_item( ..14-bit field...);
   proto_tree_add_item( ..byte field...);
}
else  etc.

Wireshark correctly shows hf_format in the dissected packet, but the other fields are not dissected. Can you tell me what my error is? I have searched the web extensively and read every document I can find, including the official documentation, but haven't found anything enlightening on the matter.

Answer by Christopher Maynard:

"The first 3 bits of the packet defines how the rest of the packet is constructed."
I assume this is a typo and you meant The first 2 bits ...?

Somewhere before/after proto_tree_add_item( ..hf_format...);, you have to actually read at least the 1st byte from the tvb so you can test the 2 relevant upper bits of that byte. Perhaps you are doing that, but it's not shown in the pseudo-code provided. For example:

/* Read the first byte of the tvb (offset 0) and keep its two upper bits. */
guint8 format = (tvb_get_guint8(tvb, 0) & 0xc0) >> 6;
proto_tree_add_item( ..hf_format...);
if(format==0)
{
   proto_tree_add_item( ..6-bit field...);
   proto_tree_add_item( ..first byte field...);
   proto_tree_add_item( ..second byte field...); 
}
else if (format==1)
{
   proto_tree_add_item( ..14-bit field...);
   proto_tree_add_item( ..byte field...);
}
else  etc.

The Wireshark Developer's Guide provides some additional help here, but it refers you to the doc/README.dissector file for even more information, and that would be my recommendation as well. There are other useful READMEs as well, such as doc/README.developer, etc.
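The following is an added example, not code from the question or the answer. It models the two layouts the question describes (a 2-bit format selector, then either a 6-bit field plus two byte fields, or a 14-bit field plus one byte field) in plain C over a byte buffer that stands in for the tvb, so it compiles without Wireshark's headers. It makes the answer's point concrete: the dispatch value must be read from the packet bytes, not taken from the hf_format index. It also adds the length check a dissector needs before reading each layout, since a truncated or malformed packet must not be read past its end. The struct, enum and function names are assumptions; in a real dissector the byte read corresponds to tvb_get_guint8(tvb, 0), the bounds check to tvb_reported_length_remaining(), and the sub-byte fields would be added with proto_tree_add_bits_item() or a bitmask hf field.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layouts taken from the question (constructed example, not
 * Wireshark code):
 *   format 0: [2-bit format][6-bit field] [byte field 1] [byte field 2]  (3 bytes)
 *   format 1: [2-bit format][14-bit field]               [byte field]    (3 bytes)
 * Format values 2 and 3 are not described by the protocol and are rejected. */

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED = -1,      /* buffer shorter than the chosen layout needs */
    PARSE_UNKNOWN_FORMAT = -2  /* format value the protocol does not define */
};

struct packet {
    uint8_t  format;        /* top two bits of byte 0 */
    uint8_t  six_bit;       /* format 0 only */
    uint16_t fourteen_bit;  /* format 1 only */
    uint8_t  byte1;         /* format 0: first byte field; format 1: byte field */
    uint8_t  byte2;         /* format 0: second byte field */
};

/* Parse one packet from buf/len. buf stands in for the tvb: buf[0] is what
 * tvb_get_guint8(tvb, 0) would return, and the length checks are the
 * equivalent of testing tvb_reported_length_remaining() before adding items. */
int parse_packet(const uint8_t *buf, size_t len, struct packet *out)
{
    memset(out, 0, sizeof *out);
    if (len < 1)
        return PARSE_TRUNCATED;

    /* The dispatch value comes from the packet bytes, not from the hf_ index. */
    out->format = (uint8_t)((buf[0] & 0xc0) >> 6);

    switch (out->format) {
    case 0:
        if (len < 3)
            return PARSE_TRUNCATED;
        out->six_bit = buf[0] & 0x3f;      /* low 6 bits of byte 0 */
        out->byte1   = buf[1];
        out->byte2   = buf[2];
        return PARSE_OK;
    case 1:
        if (len < 3)
            return PARSE_TRUNCATED;
        /* low 6 bits of byte 0 are the high bits of the 14-bit field */
        out->fourteen_bit = (uint16_t)(((buf[0] & 0x3f) << 8) | buf[1]);
        out->byte1        = buf[2];
        return PARSE_OK;
    default:
        return PARSE_UNKNOWN_FORMAT;
    }
}

int main(void)
{
    /* Constructed sample packets. */
    const uint8_t fmt0[] = { 0x2a, 0x11, 0x22 };  /* 00 101010 | 0x11 | 0x22 */
    const uint8_t fmt1[] = { 0x7f, 0xff, 0x05 };  /* 01 111111 11111111 | 0x05 */
    const uint8_t short_pkt[] = { 0x7f, 0xff };   /* format 1, one byte short */
    struct packet p;

    if (parse_packet(fmt0, sizeof fmt0, &p) == PARSE_OK)
        printf("format %u: six_bit=%u byte1=0x%02x byte2=0x%02x\n",
               p.format, p.six_bit, p.byte1, p.byte2);
    if (parse_packet(fmt1, sizeof fmt1, &p) == PARSE_OK)
        printf("format %u: fourteen_bit=%u byte1=0x%02x\n",
               p.format, p.fourteen_bit, p.byte1);
    printf("truncated packet -> status %d\n",
           parse_packet(short_pkt, sizeof short_pkt, &p));
    return 0;
}
```

The structure mirrors the answer's corrected pseudo-code: one read of byte 0 decides the layout, and each branch then consumes exactly the fields that layout defines. The explicit length checks are what keeps a hand-written dissector from reading past a short packet; Wireshark's tvb accessors throw an exception in that case, but checking first lets the dissector report the truncation as a malformed packet rather than abort mid-tree.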