Hello, I am debugging our system composed of two TCP/IP stations that use a private protocol over TCP. The protocol message formats are well documented. I would like to "teach" (or customize) Wireshark so that it can display these messages according to the message formats (I do not know if you call it dissect/decode/parse). Is it possible, and how?

PS: I have successfully used filters by searching for a specific opcode inside our TCP payload data. But this only allows us to filter our messages out of all the network activity. The TCP payload data still appears as raw hexadecimal bytes, while I do have the information on how to interpret it.

asked 21 Nov '10, 01:46 ShlomoAms
One Answer:
Yes, you can decode your private protocol; you just have to develop your own dissector. The best place to start is reading the Wireshark dev guide. Then, read the README documents in the ./wireshark/doc directory, especially README.developer. Last, look at some protocol dissectors over TCP in ./wireshark/epan/dissectors (packet-bgp.c for instance). Dissectors are usually written in C; it's also possible to write them in Lua for fast prototyping.

answered 21 Nov '10, 03:10 manux
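As an added illustration of the Lua route mentioned in the answer (this is not code from the question, the answer, or the Wireshark project), here is a minimal Lua dissector for a hypothetical private protocol. The wire format (2-byte opcode, 2-byte payload length, payload), the opcode names and the TCP port 4000 are all assumptions standing in for the asker's documented formats; the dissector also handles messages split across or packed into TCP segments, which a first prototype often forgets.

```lua
-- Added example, not from the original Q&A: Lua dissector for an assumed
-- private protocol with this constructed wire format:
--   opcode  : 2 bytes, big-endian
--   length  : 2 bytes, big-endian, number of payload bytes that follow
--   payload : <length> bytes
-- The TCP port (4000) and opcode names are also assumptions.
local myproto = Proto("myproto", "My Private Protocol")

local f_opcode  = ProtoField.uint16("myproto.opcode",  "Opcode",  base.HEX)
local f_length  = ProtoField.uint16("myproto.length",  "Length",  base.DEC)
local f_payload = ProtoField.bytes ("myproto.payload", "Payload")
myproto.fields = { f_opcode, f_length, f_payload }

-- Human-readable names for documented opcodes (constructed values here).
local opcode_names = { [0x0001] = "LOGIN", [0x0002] = "HEARTBEAT", [0x0010] = "DATA" }
local HEADER_LEN = 4

function myproto.dissector(buffer, pinfo, tree)
  pinfo.cols.protocol = myproto.name
  local offset = 0
  -- A TCP segment may carry several messages, or only part of one, so
  -- loop over the segment and ask TCP to reassemble when bytes are missing.
  while offset < buffer:len() do
    local remaining = buffer:len() - offset
    if remaining < HEADER_LEN then
      pinfo.desegment_offset = offset
      pinfo.desegment_len = DESEGMENT_ONE_MORE_SEGMENT
      return
    end
    local opcode  = buffer(offset, 2):uint()
    local length  = buffer(offset + 2, 2):uint()
    local msg_len = HEADER_LEN + length
    if remaining < msg_len then
      pinfo.desegment_offset = offset
      pinfo.desegment_len = msg_len - remaining
      return
    end
    local subtree = tree:add(myproto, buffer(offset, msg_len),
      string.format("%s, Opcode 0x%04x (%s)", myproto.description, opcode,
                    opcode_names[opcode] or "unknown"))
    subtree:add(f_opcode, buffer(offset, 2))
    subtree:add(f_length, buffer(offset + 2, 2))
    if length > 0 then
      subtree:add(f_payload, buffer(offset + HEADER_LEN, length))
    end
    offset = offset + msg_len
  end
end

DissectorTable.get("tcp.port"):add(4000, myproto)
```

Save it as a .lua file in your Wireshark plugins directory, or load it once with `tshark -X lua_script:myproto.lua -r capture.pcap`; the fields then filter as `myproto.opcode == 0x0010`.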