
Hello, I am debugging our system composed of two TCP/IP stations that use a private protocol over TCP. The protocol message formats are well documented. I would like to "teach" (or customize) wireshark so that it can display these messages according to the message formats. ( I do not know if you call it: dissect/decode /parse). Is it possible and how?

PS: I have successfully used filters by searching for a specific opcode inside our TCP payload data. But this only allows me to filter our messages out of all the network activity. The TCP payload data still appears as raw hexadecimal bytes, while I do have the information on how to interpret it.

asked 21 Nov '10, 01:46


ShlomoAms


Yes, you can decode your private protocol; you just have to develop your own dissector.

The best place to start is reading the Wireshark dev guide.

Then, read the README documents in the ./wireshark/doc directory, especially README.developer.

Last, look at some protocol dissectors over TCP in ./wireshark/epan/dissectors (packet-bgp.c for instance).

Dissectors are usually written in C; it's also possible to write them in Lua for fast prototyping.


answered 21 Nov '10, 03:10


manux
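An added Lua example of such a prototyping dissector; it is not code from the answer above or from the Wireshark project. It assumes a hypothetical private protocol whose messages start with a 2-byte big-endian length and a 1-byte opcode, carried on TCP port 9000 (all assumed values), and it also handles the case where one TCP segment holds several messages or only part of one.

```lua
-- Hypothetical private protocol: 2-byte length (big-endian, counts the
-- whole message), 1-byte opcode, then payload. Port 9000 is an assumed value.
local priv = Proto("privproto", "Private TCP Protocol (example)")

local f_len    = ProtoField.uint16("privproto.len",    "Length", base.DEC)
local f_opcode = ProtoField.uint8 ("privproto.opcode", "Opcode", base.HEX)
local f_body   = ProtoField.bytes ("privproto.body",   "Body")
priv.fields = { f_len, f_opcode, f_body }

local HEADER_LEN = 3
local opcode_names = { [0x01] = "HELLO", [0x02] = "DATA", [0x03] = "ACK" }

function priv.dissector(buffer, pinfo, tree)
    local offset = 0
    local total  = buffer:len()
    -- TCP is a byte stream: a segment may carry several messages or a
    -- fragment of one. Walk complete messages and ask Wireshark to
    -- reassemble when the rest arrives in a later segment.
    while offset < total do
        local remaining = total - offset
        if remaining < HEADER_LEN then
            pinfo.desegment_offset = offset
            pinfo.desegment_len = DESEGMENT_ONE_MORE_SEGMENT
            return
        end
        local msg_len = buffer(offset, 2):uint()
        if msg_len < HEADER_LEN then
            -- Malformed length: flag it and stop rather than loop forever.
            tree:add_expert_info(PI_MALFORMED, PI_ERROR, "length < header")
            return
        end
        if remaining < msg_len then
            pinfo.desegment_offset = offset
            pinfo.desegment_len = msg_len - remaining
            return
        end
        local opcode = buffer(offset + 2, 1):uint()
        local subtree = tree:add(priv, buffer(offset, msg_len),
            string.format("PrivProto %s", opcode_names[opcode] or "UNKNOWN"))
        subtree:add(f_len, buffer(offset, 2))
        subtree:add(f_opcode, buffer(offset + 2, 1))
        if msg_len > HEADER_LEN then
            subtree:add(f_body, buffer(offset + HEADER_LEN, msg_len - HEADER_LEN))
        end
        offset = offset + msg_len
    end
    pinfo.cols.protocol = "PRIV"
end

DissectorTable.get("tcp.port"):add(9000, priv)
```

Drop the file into the Wireshark plugins directory (or load it with -X lua_script:), and the fields then work in display filters such as privproto.opcode == 0x02.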
