This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to decode private protocol?

0

Hello, I am debugging our system composed of two TCP/IP stations that use a private protocol over TCP. The protocol message formats are well documented. I would like to "teach" (or customize) Wireshark so that it can display these messages according to the message formats (I do not know if you call it dissect/decode/parse). Is it possible, and how?

PS: I have successfully used filters by searching for a specific opcode inside our TCP payload data. But this only allows me to filter our messages out of all the network activity. The TCP payload data still appears as raw hexadecimal bytes, while I do have the information on how to interpret it.

asked 21 Nov '10, 01:46


ShlomoAms
1111
accept rate: 0%


One Answer:

1

Yes, you can decode your private protocol, you just have to develop your own dissector.

The best place to start is reading the Wireshark dev guide.

Then, read the README documents in the ./wireshark/doc directory, especially README.developer.

Last, look at some protocol dissectors over TCP in ./wireshark/epan/dissectors (packet-bgp.c for instance).

Dissectors are usually written in C; it's also possible to write them in Lua for fast prototyping.

answered 21 Nov '10, 03:10


manux
162
accept rate: 0%
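As an added illustration of the Lua route mentioned in the answer (this is example code, not from the original post or from the Wireshark project), below is a complete dissector for a hypothetical private protocol over TCP. The framing, the port number 5555, the opcode names and the magic value 0xCAFE are all assumptions standing in for the asker's own documented format; the part worth copying is the shape: declare the fields, parse one message at a time, hand incomplete messages back to TCP for reassembly, and flag malformed frames with expert info rather than silently skipping them.

```lua
-- Hypothetical private protocol (assumed framing, not from the question):
--   uint16  magic   (0xCAFE, big-endian)
--   uint8   opcode
--   uint16  length  (number of payload bytes following the header)
--   bytes   payload
local HEADER_LEN = 5
local MAGIC      = 0xCAFE
local TCP_PORT   = 5555   -- assumed; replace with the real port

local priv = Proto("privproto", "Example Private Protocol")

-- Assumed opcode table; Wireshark shows the name next to the value
local opcode_names = {
    [0x01] = "HELLO",
    [0x02] = "DATA",
    [0x03] = "ACK",
}

local f_magic   = ProtoField.uint16("privproto.magic",   "Magic",          base.HEX)
local f_opcode  = ProtoField.uint8 ("privproto.opcode",  "Opcode",         base.HEX, opcode_names)
local f_length  = ProtoField.uint16("privproto.length",  "Payload length", base.DEC)
local f_payload = ProtoField.bytes ("privproto.payload", "Payload")
priv.fields = { f_magic, f_opcode, f_length, f_payload }

-- Expert info so frames with a bad magic value are visible in the Expert Info dialog
local ef_bad_magic = ProtoExpert.new("privproto.bad_magic", "Bad magic value",
                                     expert.group.MALFORMED, expert.severity.ERROR)
priv.experts = { ef_bad_magic }

-- Dissect one message starting at `offset`. Returns bytes consumed, or a
-- negative number whose magnitude is how many more bytes TCP must deliver
-- before the message can be parsed (messages may span TCP segments).
local function dissect_one(buf, pinfo, tree, offset)
    local avail = buf:len() - offset
    if avail < HEADER_LEN then
        return -DESEGMENT_ONE_MORE_SEGMENT        -- not even a full header yet
    end
    local plen    = buf(offset + 3, 2):uint()
    local msg_len = HEADER_LEN + plen
    if avail < msg_len then
        return -(msg_len - avail)                 -- exact number of missing bytes
    end

    local subtree = tree:add(priv, buf(offset, msg_len), "Private message")

    local magic_item = subtree:add(f_magic, buf(offset, 2))
    if buf(offset, 2):uint() ~= MAGIC then
        magic_item:add_proto_expert_info(ef_bad_magic)
    end

    local opcode = buf(offset + 2, 1):uint()
    subtree:add(f_opcode, buf(offset + 2, 1))
    subtree:add(f_length, buf(offset + 3, 2))
    if plen > 0 then
        subtree:add(f_payload, buf(offset + HEADER_LEN, plen))
    end

    local name = opcode_names[opcode] or string.format("unknown 0x%02x", opcode)
    subtree:append_text(" (" .. name .. ")")
    pinfo.cols.info:append(" " .. name)
    return msg_len
end

function priv.dissector(buf, pinfo, tree)
    pinfo.cols.protocol = priv.name
    pinfo.cols.info:set("privproto")
    local offset = 0
    -- A single TCP segment may carry several messages, or part of one
    while offset < buf:len() do
        local consumed = dissect_one(buf, pinfo, tree, offset)
        if consumed < 0 then
            -- Tell the TCP dissector where this message starts and how much is missing;
            -- it will call us again once the rest has arrived
            pinfo.desegment_offset = offset
            pinfo.desegment_len    = -consumed
            return
        end
        offset = offset + consumed
    end
end

DissectorTable.get("tcp.port"):add(TCP_PORT, priv)
```

Save this as a .lua file in the personal plugins directory (Help > About Wireshark > Folders shows the path) and reload Lua plugins with Ctrl+Shift+L; the fields then work in display filters, e.g. `privproto.opcode == 0x02`, instead of matching raw bytes in the TCP payload. Registering on `tcp.port` is the simplest binding; if the port varies, "Decode As..." on a TCP stream lets you apply the dissector per capture. The desegmentation branch is the part most skeleton examples omit, and without it any message that straddles a segment boundary is dissected incorrectly.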