Re: [Wireshark-dev] Dissector for a custom protocol which starts as HTTP

2019-04-17 Thread Peter Wu
Does your protocol use an Upgrade header? If so, you can register with the 
http.upgrade dissector table.

Search also for "upgrade" in 
https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-http.c

Once control is handed to http, I don't think you can change it. Protocols like 
SMTP that use STARTTLS do something like this:
- Protocol starts being decoded as SMTP
- SMTP signals STARTTLS, so SMTP calls into the TLS dissector to let it know 
that everything after this packet is TLS with SMTP embedded.
- Due to that call TLS becomes the conversation dissector, but because it had a 
special case for detecting where TLS actually starts, it will reject earlier 
traffic, giving others a chance to handle it.

See "last_nontls_frame" in
https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-tls.c
https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-tls-utils.c

Kind regards,
Peter
https://lekensteyn.nl
(pardon my brevity, top-posting and formatting, sent from my phone)


On April 16, 2019 10:20:46 PM GMT+01:00, David Ameiss wrote:
>I've developed a dissector for a custom protocol used by my company. The
>protocol starts out as HTTP, as in an HTTP GET, but after that uses the
>"custom" part - not HTTP at all.
>
>The problem I'm running into is that, once a conversation is identified
>by the HTTP dissector as being HTTP (due to the first message, which IS
>HTTP), it stays that way. My dissector isn't called. I've added my
>dissector as a heuristic dissector for HTTP, but that doesn't seem to
>help. And unfortunately (since subsequent packets are not HTTP) I don't
>have Content-Type to steer the packets my way.
>
>Subsequent packets appear as HTTP Continuation, BTW.
>
>Is there some way to tell HTTP not to treat following packets for that
>conversation as HTTP, and to pass them to my dissector? Or a way to call
>the HTTP dissector (from my dissector) for the first packet WITHOUT it
>being "marked" as HTTP forever and ever?
>
>-- 
>David Ameiss
>netsh...@ameissnet.com
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
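As an added illustration of the http.upgrade route Peter describes (this is example code, not from the thread or from Wireshark itself), here is a Lua dissector that registers for a hypothetical "Upgrade: myproto" token. It assumes the client's GET carries that Upgrade header, the server answers 101 Switching Protocols, and the post-upgrade frames are a 2-byte big-endian length followed by the payload; all names beginning with "myproto" are placeholders.

```lua
-- Added example: hand a protocol that begins with an HTTP GET + "Upgrade: myproto"
-- to its own dissector once the server answers 101 Switching Protocols.
-- Protocol name and wire format are assumptions, not a real protocol.
local myproto = Proto("myproto", "MyProto over HTTP Upgrade")

local f_len  = ProtoField.uint16("myproto.len",  "Payload length", base.DEC)
local f_data = ProtoField.bytes ("myproto.data", "Payload")
myproto.fields = { f_len, f_data }

-- Assumed post-upgrade frame: uint16 big-endian length, then that many payload bytes.
function myproto.dissector(tvb, pinfo, tree)
    local offset  = 0
    local tvb_len = tvb:len()
    pinfo.cols.protocol = "MYPROTO"
    while offset < tvb_len do
        -- Length field split across TCP segments: ask for one more segment.
        if tvb_len - offset < 2 then
            pinfo.desegment_offset = offset
            pinfo.desegment_len    = DESEGMENT_ONE_MORE_SEGMENT
            return
        end
        local plen = tvb(offset, 2):uint()
        -- Payload not fully here yet: tell TCP exactly how many bytes are missing.
        if tvb_len - offset < 2 + plen then
            pinfo.desegment_offset = offset
            pinfo.desegment_len    = (2 + plen) - (tvb_len - offset)
            return
        end
        local st = tree:add(myproto, tvb(offset, 2 + plen), "MyProto frame")
        st:add(f_len,  tvb(offset, 2))
        st:add(f_data, tvb(offset + 2, plen))
        offset = offset + 2 + plen
    end
    return offset
end

-- Register under the Upgrade token (packet-http.c lower-cases the header value before
-- the lookup). After the 101 response HTTP hands the rest of the conversation to this
-- dissector, so the GET stays HTTP and later segments stop showing up as "Continuation".
-- This is the same mechanism the WebSocket dissector uses.
DissectorTable.get("http.upgrade"):add("myproto", myproto)
```

Drop the file in the personal plugins directory (Help -> About Wireshark -> Folders) and reload Lua plugins; if the custom protocol does not send an Upgrade header at all, this table is not consulted and the STARTTLS-style conversation switch Peter outlines is the remaining option.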

Re: [Wireshark-dev] Dissector for a custom protocol which starts as HTTP

2019-04-16 Thread Eugène Adell
Hello,

in the Wireshark GUI did you try the "Decode As" functionality? You
get it in the right-click on a packet (or in Analyze menu). You also
can have a look at Analyze -> Enabled protocols.

see:
https://www.wireshark.org/docs/wsug_html_chunked/ChUseAnalyzeMenuSection.html

Eugene

On Tue, 16 Apr 2019 at 23:22, David Ameiss wrote:
>
> I've developed a dissector for a custom protocol used by my company. The
> protocol starts out as HTTP, as in an HTTP GET, but after that uses the
> "custom" part - not HTTP at all.
>
> The problem I'm running into is that, once a conversation is identified
> by the HTTP dissector as being HTTP (due to the first message, which IS
> HTTP), it stays that way. My dissector isn't called. I've added my
> dissector as a heuristic dissector for HTTP, but that doesn't seem to
> help. And unfortunately (since subsequent packets are not HTTP) I don't
> have Content-Type to steer the packets my way.
>
> Subsequent packets appear as HTTP Continuation, BTW.
>
> Is there some way to tell HTTP not to treat following packets for that
> conversation as HTTP, and to pass them to my dissector? Or a way to call
> the HTTP dissector (from my dissector) for the first packet WITHOUT it
> being "marked" as HTTP forever and ever?
>
> --
> David Ameiss
> netsh...@ameissnet.com

[Wireshark-dev] Dissector for a custom protocol which starts as HTTP

2019-04-16 Thread David Ameiss
I've developed a dissector for a custom protocol used by my company. The 
protocol starts out as HTTP, as in an HTTP GET, but after that uses the 
"custom" part - not HTTP at all.


The problem I'm running into is that, once a conversation is identified 
by the HTTP dissector as being HTTP (due to the first message, which IS 
HTTP), it stays that way. My dissector isn't called. I've added my 
dissector as a heuristic dissector for HTTP, but that doesn't seem to 
help. And unfortunately (since subsequent packets are not HTTP) I don't 
have Content-Type to steer the packets my way.


Subsequent packets appear as HTTP Continuation, BTW.

Is there some way to tell HTTP not to treat following packets for that 
conversation as HTTP, and to pass them to my dissector? Or a way to call 
the HTTP dissector (from my dissector) for the first packet WITHOUT it 
being "marked" as HTTP forever and ever?


--
David Ameiss
netsh...@ameissnet.com