Wireshark plugin does not display protocol details

Time: 2017-12-21 00:33:43

Tags: wireshark-dissector

We are developing software whose protocol uses standard PDCP, but 44 bytes of custom data are added in front of the standard PDCP protocol.
I wrote a Wireshark plugin to parse the packets: it skips the first 44 bytes of custom data and parses the rest with Wireshark's PDCP dissector. The code is listed below:

#include "config.h"
#include <epan/packet.h>
#include <epan/prefs.h>

static int proto_dtmpdcp = -1;              /* protocol handle used below; was missing from the listing */
static gboolean sdtpprot_desegment = TRUE;  /* preference variable used below; was missing from the listing */

static gint ett_dtmpdcp = -1;
static gint hf_sdtprot_pdu_Msg_Content_None = -1;
static hf_register_info hf[] = {
    { &hf_sdtprot_pdu_Msg_Content_None,
        { " ", "dtmpdcp.none",
        FT_NONE, BASE_NONE,
        NULL, 0x0,
        NULL, HFILL }
    }
};

static gint *ett[] = { 
    &ett_dtmpdcp
};

int packet_parse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gint offset)
{
    int item_offset = 44;    //ignore head 44 bytes custom data

    guint pdu_len = tvb_reported_length(tvb);   /* unsigned: a PDU can exceed 32767 bytes */

    proto_item * pdcp_item = proto_tree_add_item(tree, proto_dtmpdcp, tvb, 0, -1, ENC_NA);
    proto_item_append_text(pdcp_item, ",PDU len : %-05u", pdu_len);

    proto_tree * subtree = proto_item_add_subtree(pdcp_item, ett_dtmpdcp);
    offset += item_offset;

    //use wireshark pdcp dissector,wireshark register pdcp-lte dissector in packet_pdcp_lte.c file
    dissector_handle_t handle = find_dissector("pdcp-lte");  

    if(handle)
    {
        tvbuff_t* next_tvb = tvb_new_subset(tvb, offset, -1, pdu_len - item_offset);
        if(next_tvb)
        {
            call_dissector(handle, next_tvb, pinfo, subtree);
            //tvb_free(next_tvb);
        }
    }

    return 0;
}

const char *c_proto_string = "DTM-PDCP";

static void
dissect_dtmpdcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    col_set_str(pinfo->cinfo, COL_PROTOCOL,  c_proto_string);
    col_clear(pinfo->cinfo,COL_INFO);

    if (tree)
    {
        gint offset = 0;

        do
        {
            offset = packet_parse(tvb, pinfo, tree, offset);
        } while(offset > 0);
    }
}

void proto_register_dtmpdcp(void)
{
    module_t *sdtpprot_module;

    proto_dtmpdcp = proto_register_protocol("PDCP DTM",  /* name       */
        "a-pdcp", /* short name */
        "a-pdcp"  /* abbrev     */
        );

    proto_register_field_array(proto_dtmpdcp, hf, array_length(hf));
    proto_register_subtree_array(ett, array_length(ett));

    sdtpprot_module = prefs_register_protocol(proto_dtmpdcp, NULL);

    prefs_register_bool_preference(sdtpprot_module, "desegment",
        "Desegment all dtm-pdcp messages spanning multiple TCP segments",
        "Whether the dtm-pdcp dissector should desegment all messages spanning multiple TCP segments",
        &sdtpprot_desegment);
}

void proto_reg_handoff_dtmpdcp(void)
{
    dissector_handle_t dtmpdcp_handle;
    int port = 20000;

    dtmpdcp_handle = create_dissector_handle(dissect_dtmpdcp, proto_dtmpdcp);
    dissector_add_uint("udp.port", port, dtmpdcp_handle);
}

When dissecting packets with this plugin, the Wireshark UI does not show the PDCP protocol details: PDCP parse

What is wrong with the code?
Many thanks!

1 answer:

Answer 0: (score: 0)

I would first remove the if (tree) check in dissect_dtmpdcp(). From README.dissector:

In the interest of speed, if "tree" is NULL, avoid building a
protocol tree and adding stuff to it, or even looking at any packet
data needed only if you're building the protocol tree, if possible.

Note, however, that you must fill in column information, create
conversations, reassemble packets, do calls to "expert" functions,
build any other persistent state needed for dissection, and call
subdissectors regardless of whether "tree" is NULL or not.

This might be inconvenient to do without doing most of the
dissection work; the routines for adding items to the protocol tree
can be passed a null protocol tree pointer, in which case they'll
return a null item pointer, and "proto_item_add_subtree()" returns
a null tree pointer if passed a null item pointer, so, if you're
careful not to dereference any null tree or item pointers, you can
accomplish this by doing all the dissection work.  This might not
be as efficient as skipping that work if you're not building a
protocol tree, but if the code would have a lot of tests whether
"tree" is null if you skipped that work, you might still be better
off just doing all that work regardless of whether "tree" is null
or not.

Note also that there is no guarantee, the first time the dissector is
called, whether "tree" will be null or not; your dissector must work
correctly, building or updating whatever state information is
necessary, in either case.

In my experience, adding that check usually does more harm than good.

I would also suggest looking at a working Wireshark dissector such as packet-catapult-dct2000.c and modifying your dissector accordingly.

For example:

static dissector_handle_t pdcp_lte_handle;

int packet_parse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gint offset)
{
    ...
    if (pdcp_lte_handle)
    {
        tvbuff_t* next_tvb = tvb_new_subset_remaining(tvb, offset);
        if (next_tvb)
            call_dissector(pdcp_lte_handle, next_tvb, pinfo, subtree);
    }
}

void proto_reg_handoff_dtmpdcp(void)
{
    ...
    pdcp_lte_handle = find_dissector("pdcp-lte");
    ...
}

If that doesn't solve your problem, you may need to post a sample capture file somewhere (CloudShark, Dropbox, etc.) so that we can help you better.
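The same plugin written as a Wireshark Lua dissector, as an added example that is not code from the question, the answer, or the Wireshark project. It follows the structure the answer recommends: the sub-dissector is resolved once at load time rather than on every packet, the handoff happens on every call with no tree check, and the sub-tvb is built from the remaining bytes. It also adds the bounds check a practitioner would want, so a PDU shorter than the custom header is flagged as malformed instead of producing a negative-length sub-tvb. Assumed values: a fixed 44-byte header, UDP port 20000 as in the question, the sub-dissector name "pdcp-lte", and the field names dtmpdcp.* chosen here. A Lua script needs no Wireshark build tree; it is loaded from the personal plugins directory. One caveat for this particular sub-dissector, stated here as my reading of packet-pdcp-lte.c rather than anything the page confirms: the pdcp-lte dissector reads per-packet context (a pdcp_lte_info struct) that C callers such as packet-catapult-dct2000.c attach with p_add_proto_data before handing off, and a Lua plugin cannot attach that struct. If the C plugin still shows no PDCP tree after the tree check is removed, how packet-catapult-dct2000.c prepares that context is the next thing to compare against.

```lua
-- Added example (not from the question or answer): Lua version of the
-- DTM-PDCP plugin. Assumptions: 44-byte custom header, UDP port 20000,
-- sub-dissector registered as "pdcp-lte", field names dtmpdcp.* (mine).

local HEADER_LEN    = 44          -- custom data in front of each PDCP PDU
local UDP_PORT      = 20000       -- port registered in proto_reg_handoff_dtmpdcp()
local SUB_DISSECTOR = "pdcp-lte"  -- registered name of the dissector to hand off to

local dtmpdcp = Proto("dtmpdcp", "PDCP DTM")

-- Registering the header as a field makes it filterable (dtmpdcp.header)
-- and gives the custom bytes a place in the tree instead of a bare label.
local f_header  = ProtoField.bytes("dtmpdcp.header", "Custom header")
local f_pdu_len = ProtoField.uint32("dtmpdcp.pdu_len", "PDU length", base.DEC)
dtmpdcp.fields = { f_header, f_pdu_len }

-- Expert info for PDUs too short to contain the custom header.
local ef_short = ProtoExpert.new("dtmpdcp.short.expert",
    "PDU shorter than the 44-byte custom header",
    expert.group.MALFORMED, expert.severity.ERROR)
dtmpdcp.experts = { ef_short }

-- Resolve the sub-dissector once, at load time, like the answer's
-- proto_reg_handoff_dtmpdcp(). Dissector.get() returns nil for an unknown
-- name in current releases and raises an error in older ones; pcall
-- covers both, and "data" is the fallback so the payload is never dropped.
local ok, sub_dissector = pcall(Dissector.get, SUB_DISSECTOR)
if not ok then sub_dissector = nil end
local data_dissector = Dissector.get("data")

function dtmpdcp.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "DTM-PDCP"
    pinfo.cols.info:clear()

    local pdu_len = tvb:len()

    -- Bounds check before slicing: a truncated PDU must not turn into a
    -- negative-length range for the sub-dissector.
    if pdu_len < HEADER_LEN then
        local item = tree:add(dtmpdcp, tvb(), "PDCP DTM (truncated)")
        item:add_proto_expert_info(ef_short)
        return pdu_len
    end

    local subtree = tree:add(dtmpdcp, tvb(0, HEADER_LEN))
    subtree:append_text(string.format(", PDU len: %u", pdu_len))
    subtree:add(f_header, tvb(0, HEADER_LEN))
    subtree:add(f_pdu_len, pdu_len):set_generated()

    -- Hand the remaining bytes on. This happens on every call, whether or
    -- not a tree is being populated, which is what README.dissector asks
    -- for: the sub-dissector still has to fill columns and per-packet state.
    if pdu_len > HEADER_LEN then
        local rest = tvb(HEADER_LEN):tvb()
        if sub_dissector then
            sub_dissector:call(rest, pinfo, tree)
        else
            data_dissector:call(rest, pinfo, tree)
        end
    end
    return pdu_len
end

DissectorTable.get("udp.port"):add(UDP_PORT, dtmpdcp)
```

Save the file in the personal plugins directory (Help > About Wireshark > Folders lists the path) and reload Lua plugins; the custom header then appears under "PDCP DTM" and everything after byte 44 is passed to the sub-dissector on every dissection pass.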