[Wireshark-dev] Capture TCP reassembled protocol
Hello

Is it correct to assume that if my dissector uses tcp_dissect_pdus to reassemble my protocol, I have to start the capture before the TCP connection is established?

I'm thinking that if I start the capture after, the TCP reassembly module will call my getlength function with the first TCP segment it receives for my connection, which may not correspond with an actual beginning of one of the protocol messages (or maybe for that reason it will never call the getlength function). But I never noticed this problem before so I guess I'm missing something...

Best regards
Fabien

___ Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org Archives:http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] TCP reassembling
Hi

I tried this

    static guint
    get_foo_message_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
    {
        guint length;

        length = tvb_get_letohl(tvb, offset + MPI_LENGTH_INDEX) + MPI_HEADER_SIZE;
        return length;
    }

But I get exactly the same result. The length returned is the same as before and seems correct to me...

Thx
Fabien

> Hi fab12,
>
> On Fri, Dec 09, 2011 at 08:25:12AM +0100, fa...@freesurf.fr wrote:
> > Hello,
> >
> > I am having problems using tcp_dissect_pdus and hope someone can help me here. The documentation seems pretty clear to me and I think I am doing what I am supposed to do:
> >
> >     tcp_dissect_pdus(tvb, pinfo, tree, TRUE, 20, get_foo_message_len, dissect_foo_packet);
> >
> >     static guint
> >     get_foo_message_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
> >     {
> >         guint length;
> >         unsigned char lengthBytes[4];
> >
> >         tvb_memcpy(tvb, lengthBytes, offset + MPI_LENGTH_INDEX, MPI_LENGTH_SIZE / 8);
> >         length = lengthBytes[0] + (lengthBytes[1] << 8) + (lengthBytes[2] << 16) + (lengthBytes[3] << 24) + MPI_HEADER_SIZE;
> >         return length;
> >     }
>
> Try to use tvb_get_ntohl or tvb_get_htonl. AFAIA you wanna read some kind of integer from raw data, am I right?
>
> > Unfortunately when I open a capture file it is not working properly. When I attach to wireshark with a debugger I can see that the behavior is not the one I expect:
> >
> > 1. The debugger stops at a first frame which contains the beginning of a large message. I can see that my get_foo_message_len is called and returns the length of the complete message.
> > 2. Then wireshark processes the next frame which contains the remainder of the message. I can see it calls get_foo_message_len. Is this normal? I don't think so, and if it is, what am I supposed to do since I can't retrieve the size of the message the second time.
> >
> > Best regards,
> > Fabien
> >
> > PS: Sorry if this is a duplicate. I tried to send the question already yesterday but I can't see it in my outbox so I guess I misclicked...
>
> --
> Best regards,
> Andriy 0xBDDBDAE3
Re: [Wireshark-dev] TCP reassembling
I eventually figured it out. I was calling tcp_dissect_pdus like this

    if (tree) /* we are being asked for details */
    {
        tcp_dissect_pdus(tvb, pinfo, tree, TRUE, 20, get_foo_message_len, dissect_foo_message);
    }

When I remove the if (tree) it is working. So I moved the if (tree) test to dissect_foo_message.

Br
Fabien

> Hi
>
> I tried this
> [...]
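A stand-alone model of what tcp_dissect_pdus does with the get_foo_message_len callback from this thread, added here as an example (not code from the thread or from Wireshark): segments are buffered, the little-endian length is read once the fixed 20-byte header is available, and a PDU is only handed on once all of it has arrived, so the step must run on every frame rather than only under if (tree). MPI_HEADER_SIZE = 20 and MPI_LENGTH_INDEX = 4 are assumed values, and the wrap check on the length field is added so a bogus length cannot yield a PDU shorter than its header.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MPI_HEADER_SIZE  20   /* assumed: the fixed_len of 20 passed to tcp_dissect_pdus */
#define MPI_LENGTH_INDEX 4    /* assumed: offset of the little-endian payload length field */
#define STREAM_MAX       4096

typedef struct {
    uint8_t buf[STREAM_MAX];  /* bytes received on the stream but not yet consumed */
    size_t  avail;
} foo_stream;

/* Stand-in for get_foo_message_len(): header bytes -> total PDU length, 0 if the field would wrap. */
static uint32_t get_foo_message_len(const uint8_t *hdr)
{
    uint32_t payload = (uint32_t)hdr[MPI_LENGTH_INDEX]
                     | (uint32_t)hdr[MPI_LENGTH_INDEX + 1] << 8
                     | (uint32_t)hdr[MPI_LENGTH_INDEX + 2] << 16
                     | (uint32_t)hdr[MPI_LENGTH_INDEX + 3] << 24;
    if (payload > UINT32_MAX - MPI_HEADER_SIZE)
        return 0;             /* reject rather than wrap to a value below the header size */
    return payload + MPI_HEADER_SIZE;
}

/* Feed one TCP segment (one capture frame). Returns the number of PDUs completed by it,
 * or -1 on a bogus length. A partial PDU stays buffered until a later segment completes it. */
static int foo_feed_segment(foo_stream *s, const uint8_t *seg, size_t n)
{
    int completed = 0;
    if (s->avail + n > STREAM_MAX)
        return -1;
    memcpy(s->buf + s->avail, seg, n);
    s->avail += n;
    while (s->avail >= MPI_HEADER_SIZE) {          /* need at least fixed_len bytes */
        uint32_t plen = get_foo_message_len(s->buf);
        if (plen < MPI_HEADER_SIZE)
            return -1;                             /* invalid: PDU shorter than its own header */
        if (s->avail < plen)
            break;                                 /* desegment: wait for the next frame */
        completed++;                               /* dissect_foo_message() would run here */
        memmove(s->buf, s->buf + plen, s->avail - plen);
        s->avail -= plen;
    }
    return completed;
}

/* Build a constructed PDU: zeroed header carrying payload_len, then payload bytes. */
static size_t make_pdu(uint8_t *out, uint32_t payload_len)
{
    memset(out, 0, MPI_HEADER_SIZE);
    for (int i = 0; i < 4; i++)
        out[MPI_LENGTH_INDEX + i] = (uint8_t)(payload_len >> (8 * i));
    memset(out + MPI_HEADER_SIZE, 0xAB, payload_len);
    return MPI_HEADER_SIZE + payload_len;
}

/* The thread's scenario: a 50-byte PDU split over two frames, the second frame also
 * carrying a complete 25-byte PDU. Returns the PDUs completed in the second frame (2). */
static int foo_demo(void)
{
    foo_stream s = {{0}, 0};
    uint8_t wire[128];
    size_t n1 = make_pdu(wire, 30);
    size_t n2 = make_pdu(wire + n1, 5);
    if (foo_feed_segment(&s, wire, 40) != 0)       /* frame 1: header seen, PDU incomplete */
        return -1;
    return foo_feed_segment(&s, wire + 40, n1 + n2 - 40);
}
```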
Re: [Wireshark-dev] complex problem
Hello Marcel,

I don't have the solution for your problem but I am basically doing the same kind of things as you in a plugin dissector. I do some reassembling, probably not in a wireshark standard way, and it seems to work though I think I should have the same problem as you.

In my case the fragments of a given packet may be all in the same wireshark frame (most of the time) but not always. What I do is I manage a list of fragment descriptors. Each time I decode a fragment I create a new descriptor and save it to an ordered list. When I get the last fragment I do some reassembling. To avoid creating multiple descriptors for the same fragment I save the frame number in the descriptor (though I may have used the visited flag).

For some reason my dissector is only meant to be used from an input .pcap file (not for realtime capture). I guess you also use a .pcap file otherwise you would not have the problem.

It would be useful to have an option in wireshark to request that each time a new capture file is loaded, it decodes each frame in sequence. Do wireshark experts think it would be too complex? I tend to think it is not since it merely means applying a filter after loading the file...

Regards
Fabien

On Thu, 13 Oct 2011 11:40:01 +0200, Marcel Haas inf...@fh-worms.de wrote:
> > Hey,
> >
> > maybe the problem isn't so complex to solve but it's complex for me to explain. :)
> > I have written my own reassemble code and it seems to work. But I have one big problem.
> > If I set the filter and click apply, it works, because it goes through every packet. And I get my reassembled msg after the packet, but if I now click at the reassembled packet there is no reassembled tvb. I know the reason for that, cause he interprets every packet one on one.
> >
> > Example:
> > Filter is set, click at Apply
> > Packet: 1 - frag
> > Packet: 2 - frag
> > Packet: 3 - Reassemble (last frag)
> >
> > If I click at Packet 3 he interprets only packet 3. He doesn't see packet 1 & 2 and so he builds no Reass Tvb.
> > Maybe I'm calling my function at the wrong position.
> >
> > Code:
> >
> >     static void
> >     dissect_xxx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
> >     {
> >         ...
> >         if (tree) {
> >             ...
> >         }
> >
> >         // Fragment Routine
> >         if (totalp > 1) {
> >             frag_tvb = tvb_new_subset(tvb, offset2, -1, -1);  // Get the TVB
> >             big_tvb = ListenElementEinfuegen(NeuesListenElement(snode, pnum, totalp, frag_tvb));  // Reass Function
> >             if (big_tvb) {
> >                 // Reassembled: big_tvb != NULL
> >                 col_append_str(pinfo->cinfo, COL_INFO, " (Message Reassembled)");
> >                 add_new_data_source(pinfo, big_tvb, "Defrag TVB");  // ADD new Data Source
> >             } else {
> >                 // Not last packet of reassembled Short Message: big_tvb == NULL
> >                 col_append_fstr(pinfo->cinfo, COL_INFO, " (Message fragment %u)", pnum);
> >                 col_append_fstr(pinfo->cinfo, COL_INFO, " (Frag: %u)", pinfo->fd->num);
> >                 col_append_fstr(pinfo->cinfo, COL_INFO, " (Visit: %u)", pinfo->fd->flags.visited);
> >             }
> >         }
> >     }
> >
> > I hope someone understands my problem and has a good idea/solution :)
> >
> > thx and regards
> > Marcel
>
> Hey Guys
>
> still having the same problem.. Nobody has a clue for me ??
> Jeff was saying to put my code before if(tree) if I get it right.. but other dissectors use reassembling after if(tree) too.
> Maybe I can control it by pinfo->fd->flags.visited ??
>
> Regards
> Marcel
[Wireshark-dev] Send info to plugin
Hello,

Is there any way to send some information to a plugin dissector from the wireshark GUI interface? For instance using a wireshark menu to set some variable that will be accessible from the plugin. Or maybe it is possible to add a menu from the plugin?

Thanks
Fabien
Re: [Wireshark-dev] Send info to plugin
> On Oct 7, 2011, at 1:19 AM, fa...@freesurf.fr wrote:
> > Is there any way to send some information to a plugin dissector from the wireshark GUI interface?
>
> What sort of information?

Typically a filename + Directory where the plugin dissector would write some statistic information.

> > For instance using a wireshark menu to set some variable that will be accessible from the plugin.
>
> As Anders suggested, you *can* give it global information through a preference setting.
>
> We should probably also add a notion of conversations available to dissectors at multiple layers (a notion more general than the current address-and-port-endpoint-pair notion, that can include multiple address layers, circuits for protocols that have a virtual circuit ID of some sort, and conversations at layers above the transport layer), and per-conversation settings as well, with Wireshark offering a GUI to let you select a conversation and set one or more of a set of dissector-specified parameters.
>
> > Or maybe it is possible to add a menu from the plugin?
>
> A menu item to do what?

I imagine a menu that would open a popup asking to enter the filename + directory.
Re: [Wireshark-dev] Decompress Data
I have an example from my plugin if it may help:

    unsigned char Ip_Buffer[2000];

    /* Get the buffer bytes to decompress */
    tvb_memcpy(tvb, Ip_Buffer, (*bitoffset) / 8, lgpdubit / 8);

    /*
     * Decompress it:
     * Decompressed buffer is output in Op_Buffer,
     * size of the decompressed buffer (in bit in this case) in SizeInBits
     */
    rc = decompress(Ip_Buffer, lgpdubit - ((8 - bitnb) % 8), &Op_Buffer, &O_SizeInBits);

    /* Now re-setup the tvb buffer to have the new data */
    next_tvb = tvb_new_real_data(Op_Buffer, O_SizeInBits / 8, O_SizeInBits / 8);
    tvb_set_child_real_data_tvbuff(tvb, next_tvb);
    add_new_data_source(pInfoG, next_tvb, "Decompressed Data");

    /* From here dissect next_tvb from offset 0 */

> On Fri, 7 Oct 2011 13:51:13 +0400, Max Dmitrichenko dmitr...@gmail.com wrote:
> > 2011/10/7 Marcel Haas inf...@fh-worms.de:
> > > And I have the next problem. Damn wireshark kick my ass :)
> > > I have some packets which are compressed with zlib. I want to uncompress them. I read the dev-guide about transformed data but I don't have a clue. I was testing some stuff but with no good result.
> > > Can someone help me with that?
> >
> > It is simple.
> >
> > 1) You have to know the size of decompressed data, e.g. in buffer_size variable.
> > 2) Alloc the buffer of needed size for it using e.g. se_alloc, e.g. you have pointer to alloced buffer called buffer_ptr.
> > 3) Decompress your data into that buffer.
> > 4) call child_tvb = tvb_new_child_real_data(current_tvb, buffer_ptr, buffer_size, buffer_size);
> > 5) call add_new_data_source(pinfo, child_tvb, "Decompressed Data");
> > 6*) Optionally you can dissect child_tvb as any usual TVB.
> >
> > In the GUI you'll get the decompressed data into another tab called "Decompressed Data" or any other name you provide in step 5.
> >
> > --
> > Max
>
> hmm I don't get it at all ..
>
> my code looks like this:
>
>     guint8 *buff;
>     tvbuff_t *compress_tvb;
>     int captured_size;
>
>     captured_size = tvb_length_remaining(tvb, offset2);                   // I think that's what u mean by 1
>     buff = g_malloc(captured_size);                                       // step 2 ?
>     compress_tvb = tvb_new_real_data(buff, captured_size, captured_size); // step 4 ?
>     tvb_set_free_cb(compress_tvb, g_free);                                // step 4 ?
>     tvb_set_child_real_data_tvbuff(tvb, compress_tvb);                    // step 4 ?
>     add_new_data_source(pinfo, compress_tvb, "Decompressed TVB");         // step 5
[Wireshark-dev] Get capture file name
Hello

I made a dissector that so far is used with capture files generated from traces by a protocol simulator. So it is not realtime ethernet sniffing. In the dissector I am gathering data from the read capture file to generate a new file with misc information. Now I need to name and save this file. So far I am using the current date and a hard coded default directory. It would be much more convenient to save it in the capture file's directory and name it after it.

So my question is: is there a variable that contains the location and file name of the capture file?

Thanks
Fabien
Re: [Wireshark-dev] Access to column N° and time
Actually I meant how to access it programmatically. Eventually I found

    pinfo->fd->num;

and for the time

    pinfo->fd->rel_ts.secs
    pinfo->fd->rel_ts.nsecs

> fab12@... writes:
> > How do I access the value in the frame number first column in a listview?
>
> frame.number
>
> > Same question for time column.
>
> Here are the available time display choices:
>
> frame.time
> frame.time_epoch
> frame.time_delta
> frame.time_delta_displayed
> frame.time_relative
>
> > Also is it possible to change the value in the time column?
>
> If by value, you mean the format, then yes. The simplest way is probably through View -> Time Display Format -> ... But you can also change the format or even add multiple time formats in different columns if you want by adding new time columns through Edit -> Preferences -> Columns -> ...
[Wireshark-dev] Access to column N° and time
Hello all,

I have some dummy questions for which I have not been able to find any answer on the web:

How do I access the value in the frame number first column in a listview?
Same question for time column.
Also is it possible to change the value in the time column?

Thx for your help
Fabien
[Wireshark-dev] Set source column address
Hello,

Is there a way to set the source address column? I tried something like

    col_append_fstr(pInfoG->cinfo, 2, sourceadd);

and

    pInfoG->src.type = AT_OSI;
    pInfoG->src.len  = 1;
    pInfoG->src.data = sourceadd;

But none work and I can't find any related info on the web about that.

Thx
Fabien
Re: [Wireshark-dev] Reassembling tvbuff_t
Hi Anders,

I'm not sure the regular reassembling algo presented in README is good for me because my fragments do not come in sequence. That is, I can receive a fragment of packet 2 between 2 fragments of packet 1. That is why I'm wondering if my algorithm below is correct and especially the way I use the composite buffer. Is this the general spirit?

    /* Fragment receipt */
    tvb_memcpy(tvb, data, offset, length);
    frag_buf = tvb_new_real_data(data, length, reported_length);
    Add frag_buf to global fragment list

    /* Upon reception of the last fragment */
    pckt_buf = tvb_new_composite();
    For each frag_buf of same PDU in global fragment list {
        tvb_composite_append(pckt_buf, frag_buf);
    }

    /* Then I call my dissector on the reassembled packet. */
    tvb_set_child_real_data_tvbuff(tvb, next_tvb);
    add_new_data_source(pinfo, next_tvb, "Complete PDU");
    MyDissector(next_tvb);

    /* Do I need to free next_tvb? */
    free(next_tvb);

Regards
Fabien

> Hi,
>
> We have a reassembly API in ~/epan/reassemble.c see also the README files in ~/doc
>
> Regards
> Anders
>
> -Original Message-
> From: wireshark-dev-boun...@wireshark.org [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of fa...@freesurf.fr
> Sent: den 27 april 2011 13:38
> To: wireshark-dev@wireshark.org
> Subject: [Wireshark-dev] Reassembling tvbuff_t
>
> [...]
[Wireshark-dev] Reassembling tvbuff_t
Hi

I am currently working on a dissector for some proprietary protocol and I need to do some reassembling of buffers. I am looking for information on how to handle the tvbuff_t API. I have found this:
http://wireshark.sourcearchive.com/documentation/1.0.0/tvbuff_8h_aa919b43fdba78f4be4a76aa274e6cce.html#aa919b43fdba78f4be4a76aa274e6cce
which is useful but I'm not sure I understand it.

With my protocol I am receiving packets in several fragments. The fragment header tells me if it is a head, tail or mid fragment packet. I am thinking of processing as follows but I am not sure if it is the best way or even if it is correct:

Upon reception of a fragment, I copy it in a new tvbuff_t and save it in some global list:

    tvb_memcpy(tvb, data, offset, length);
    frag_buf = tvb_new_real_data(data, length, reported_length);  // what is reported_length by the way?
                                                                  // Is there a better way to make a buffer copy?
    Add frag_buf to global fragment list

Upon reception of the last fragment:

    pckt_buf = tvb_new_composite();
    For each frag_buf in global fragment list {
        tvb_composite_append(pckt_buf, frag_buf);
    }
    // Then I call my dissector on the reassembled packet.

Is this the general idea?

Thx
Fabien
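An added stand-alone model (not Wireshark's reassemble.c and not the code from either thread) of the fragment-descriptor approach discussed in the "complex problem" thread and the out-of-order reassembly asked about in this thread: descriptors are keyed by PDU id and fragment number so a fragment of packet 2 may arrive between two fragments of packet 1, a descriptor is added only on the first pass, and the reassembled PDU is cached under the frame that completed it so re-dissecting that frame on its own (the second pass, or a click on it) still finds the result. All names, sizes and sample data are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_FRAGS 32
#define MAX_PDUS  8
#define FRAG_MAX  64
#define REASM_MAX 512

typedef struct {
    unsigned pdu_id, pnum, totalp, frame;  /* which PDU, which piece, how many, seen in which frame */
    uint8_t  data[FRAG_MAX];
    size_t   len;
} frag_desc;

typedef struct {
    unsigned frame;                        /* frame whose fragment completed this PDU */
    uint8_t  data[REASM_MAX];
    size_t   len;
} reasm_entry;

typedef struct {
    frag_desc   frags[MAX_FRAGS]; size_t nfrags;
    reasm_entry done[MAX_PDUS];   size_t ndone;
} reasm_table;
/* Second-pass lookup: the reassembled PDU, if this frame was the one that completed it. */
static const reasm_entry *reasm_lookup(const reasm_table *t, unsigned frame)
{
    for (size_t i = 0; i < t->ndone; i++)
        if (t->done[i].frame == frame)
            return &t->done[i];
    return NULL;
}

/* Called for every fragment on every pass, as the dissector itself is. visited != 0 means
 * Wireshark already dissected this frame once: add no descriptor, return the cached result. */
static const reasm_entry *reasm_add(reasm_table *t, unsigned pdu_id, unsigned pnum,
                                    unsigned totalp, unsigned frame, int visited,
                                    const uint8_t *data, size_t len)
{
    if (len > FRAG_MAX || pnum == 0 || pnum > totalp)
        return NULL;                           /* malformed fragment header */
    if (visited)
        return reasm_lookup(t, frame);
    for (size_t i = 0; i < t->nfrags; i++)     /* same fragment seen again: no new descriptor */
        if (t->frags[i].frame == frame && t->frags[i].pdu_id == pdu_id && t->frags[i].pnum == pnum)
            return reasm_lookup(t, frame);
    if (t->nfrags == MAX_FRAGS || t->ndone == MAX_PDUS)
        return NULL;
    frag_desc *d = &t->frags[t->nfrags++];
    d->pdu_id = pdu_id; d->pnum = pnum; d->totalp = totalp; d->frame = frame;
    memcpy(d->data, data, len); d->len = len;
    /* Reassemble in pnum order once pieces 1..totalp are all present, whatever order they came in. */
    reasm_entry *r = &t->done[t->ndone];
    r->len = 0;
    for (unsigned want = 1; want <= totalp; want++) {
        const frag_desc *f = NULL;
        for (size_t i = 0; i < t->nfrags; i++)
            if (t->frags[i].pdu_id == pdu_id && t->frags[i].pnum == want)
                f = &t->frags[i];
        if (!f || r->len + f->len > REASM_MAX)
            return NULL;                       /* a piece is still missing */
        memcpy(r->data + r->len, f->data, f->len);
        r->len += f->len;
    }
    r->frame = frame;
    t->ndone++;
    return r;
}
```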