This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Adding a new protocol to Wireshark


I'm currently working with the Wireshark source on Linux to develop a few dissectors for different protocols (MAVLINK being the one in question). The only way I know of at the moment to get MAVLINK packets to display in Wireshark is to capture raw data with a serial port logger, then import that into Wireshark as Raw USB packets. It would be very useful to be able to do a live capture (specifically on a serial port), but I can't seem to find any useful information on adding a new protocol Wireshark. And I don't mean a dissector--I mean Wireshark knowing how to separate the data into distinct packets (not dissecting the packets themselves). I can't capture MAVLINK packets directly because Wireshark doesn't recognize the MAVLINK protocol.

Anyways, if there's any way I can do this on my own with the Wireshark source code, I'd be very interested. Thanks for any assistance.

-Paul

asked 16 Jul '12, 05:10

avidspartan1

hi pal,

you can find lots of stuff about being a wireshark developer in wireshark/doc.

(16 Jul '12, 05:38) ltgao

Yes, I've scoured the Wireshark developer guide for anything on adding new protocols to Wireshark. All I can come up with is to ask the Wireshark team to add it themselves. Thanks, though.

(16 Jul '12, 05:40) avidspartan1

2 Answers:


Paul,

There are three parts involved:

  1. Firstly, if you want to be able to capture the live data, you need a way of getting it off the wire (or from the ether). What type of "physical" links are involved? You say something about serial, but I also see reference to UDP and WiFi. In Wireshark, libpcap (and WinPcap when using Windows) is responsible for getting the data off the wire(less). So you will need to enhance libpcap (and WinPcap) to be able to capture your traffic. This may involve requesting new Link Layer types. See the libpcap mailing lists for more details.

  2. Secondly, you want to be able to read in your file format (when you are not using the libpcap file format). This is done by the wiretap library. Have a look at the different file reading routines in the wiretap/ directory. However, if you implemented 1), then you can just use the normal libpcap reading functions of Wireshark without having to write a module that can read your files.

  3. Last but certainly not least, you will need to write a dissector that is capable of dissecting your packets. But I believe you have already found enough information on that part of the journey :-)

I hope this helps you on your way!

answered 16 Jul '12, 05:58

SYN-bit ♦♦

edited 16 Jul '12, 05:59

Ah, very helpful--thank you. In my research (and what little I did find), I came across something about asking for a new Link Layer type, but I didn't know that I actually needed to change/enhance libpcap, not really Wireshark itself. I may go with the second option, though, since I have experience with compiling/testing the Wireshark source (and not so much with libpcap).

And yes, I have written a dissector. Just need to get the data coming directly into Wireshark.

Thanks again for your help!

(16 Jul '12, 06:02) avidspartan1


please take a look at this answer:

http://ask.wireshark.org/questions/12102/logging-can-bus-data-to-ws-in-windows

Similar problem. Please read the article about WSbridge (linked in the answer)!

Regards
Kurt

answered 16 Jul '12, 05:52

Kurt Knochner ♦

edited 16 Jul '12, 05:55

I do have the Linux build, so I can capture on USB devices with usbmon. And I do have a similar problem, though my problem is still that Wireshark doesn't know anything about this protocol (MAVLINK), so it doesn't know how to separate the data into packets for display. While this data is coming in over USB (a radio hooked up to a USB port), it doesn't use any conventional USB encapsulation types (if that's the right term) for packets. Sorry, I should've made that clearer.

(16 Jul '12, 05:57) avidspartan1

WSbridge does (basically) what SYN-Bit suggested. It reads from the serial port and writes output in libpcap format. This output is then written to a pipe from which wireshark reads. Maybe you can learn something from the WSbridge code or even reuse parts of it. However, you need to write your own dissector. This is not part of WSbridge, as they just needed a different way to read IEEE 802.15.4 data. The IEEE 802.15.4 dissector was already there.

(16 Jul '12, 07:24) Kurt Knochner ♦

Taking a look at that now--modifying pcap/wtap looks pretty complex.

(16 Jul '12, 08:01) avidspartan1

If you're just adding a new link-layer header type for pcap (and pcap-ng, which uses the same types), it's probably not as hard as it looks. You'd get the type defined (by email to [email protected] - put a detailed layout of the headers in the mail!) and get a LINKTYPE_ value assigned. Then add a new WTAP_ENCAP_ value for it, add an entry to the pcap_to_wtap_map[] mapping in wiretap/pcap-common.c, and add a dissector that registers in the wtap_encap table for that WTAP_ENCAP_ value.

(16 Jul '12, 12:20) Guy Harris ♦♦
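As an added example that is not part of this thread, of WSbridge, or of Wireshark's own source: a small C program doing what Kurt Knochner's comment describes, taking a chunk of bytes as they would arrive from the serial port, splitting them into MAVLink v1 frames by the length byte, and writing the frames as pcap records that Wireshark can read from a file or a named pipe. The link type is DLT_USER0 (147), one of the values pcap reserves for private use, standing in for the LINKTYPE_ value Guy Harris describes requesting. The serial read loop is replaced by an in-memory buffer, the sample bytes, timestamps and CRC fields are constructed, and CRC checking is left to the dissector (the MAVLink CRC needs a per-message extra byte, which this framer does not know).

```c
/* Added example: serial-to-pcap bridge skeleton for MAVLink v1.
 * Not WSbridge and not Wireshark code. MAVLink v1 frame layout:
 *   STX(0xFE) LEN SEQ SYSID COMPID MSGID payload[LEN] CRC_L CRC_H */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAVLINK_V1_STX      0xFE  /* start-of-frame byte */
#define MAVLINK_V1_OVERHEAD 8     /* 6 header bytes + 2 CRC bytes */
#define DLT_USER0           147   /* pcap link type reserved for private use */

/* Length of the complete frame starting at buf[0], or 0 if buf does not start
 * with STX or does not yet hold the whole frame (caller waits for more bytes). */
size_t mavlink_v1_frame_len(const uint8_t *buf, size_t n) {
    if (n < 2 || buf[0] != MAVLINK_V1_STX) return 0;
    size_t want = MAVLINK_V1_OVERHEAD + buf[1];   /* buf[1] = payload length */
    return n >= want ? want : 0;
}

typedef void (*frame_cb)(const uint8_t *frame, size_t len, void *ctx);

/* Split a raw byte stream into frames. Bytes that do not start a frame are
 * skipped (resync on STX). Returns the number of frames emitted; *leftover gets
 * the count of trailing bytes of an incomplete frame to carry into the next
 * read. Length-only framing can be fooled by a stray 0xFE in line noise; the
 * dissector's CRC check is what finally rejects such a frame. */
size_t mavlink_v1_split(const uint8_t *stream, size_t n, frame_cb cb, void *ctx,
                        size_t *leftover) {
    size_t pos = 0, frames = 0;
    while (pos < n) {
        if (stream[pos] != MAVLINK_V1_STX) { pos++; continue; }
        size_t len = mavlink_v1_frame_len(stream + pos, n - pos);
        if (len == 0) break;                  /* STX seen, frame incomplete */
        if (cb) cb(stream + pos, len, ctx);
        frames++;
        pos += len;
    }
    *leftover = n - pos;
    return frames;
}

/* 24-byte pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen,
 * link type. Written in host byte order; readers detect it from the magic. */
size_t pcap_write_global_header(FILE *out, uint32_t linktype) {
    uint32_t magic = 0xa1b2c3d4u, thiszone = 0, sigfigs = 0, snaplen = 65535;
    uint16_t major = 2, minor = 4;
    size_t w = 0;
    w += fwrite(&magic, 1, 4, out);
    w += fwrite(&major, 1, 2, out);
    w += fwrite(&minor, 1, 2, out);
    w += fwrite(&thiszone, 1, 4, out);
    w += fwrite(&sigfigs, 1, 4, out);
    w += fwrite(&snaplen, 1, 4, out);
    w += fwrite(&linktype, 1, 4, out);
    return w;                                 /* 24 on success */
}

/* One pcap record: ts_sec, ts_usec, captured length, original length, data. */
size_t pcap_write_record(FILE *out, uint32_t ts_sec, uint32_t ts_usec,
                         const uint8_t *data, uint32_t len) {
    uint32_t hdr[4] = { ts_sec, ts_usec, len, len };
    size_t w = fwrite(hdr, 1, sizeof hdr, out);
    w += fwrite(data, 1, len, out);
    return w;                                 /* 16 + len on success */
}

struct pcap_sink { FILE *out; size_t bytes; size_t frames; };

static void emit_to_pcap(const uint8_t *frame, size_t len, void *ctx) {
    struct pcap_sink *s = ctx;
    /* No real clock in this example: a constructed increasing timestamp. */
    s->bytes += pcap_write_record(s->out, 0, (uint32_t)(s->frames * 1000),
                                  frame, (uint32_t)len);
    s->frames++;
}

/* Bridge one chunk of serial bytes into a pcap stream (a file, or a FIFO that
 * Wireshark reads with -i <fifo>). Returns the number of pcap bytes written. */
size_t bridge_chunk(FILE *out, const uint8_t *chunk, size_t n, size_t *leftover) {
    struct pcap_sink s = { out, 0, 0 };
    s.bytes = pcap_write_global_header(out, DLT_USER0);
    mavlink_v1_split(chunk, n, emit_to_pcap, &s, leftover);
    fflush(out);
    return s.bytes;
}

/* Constructed sample: line noise, two 9-byte-payload frames (msgid 0), then a
 * truncated third frame. CRC bytes are placeholders, not valid checksums. */
static const uint8_t SAMPLE[] = {
    0x00, 0x11,                                   /* noise before first STX */
    0xFE, 0x09, 0x00, 0x01, 0x01, 0x00,           /* STX LEN SEQ SYS COMP MSG */
    0, 0, 0, 0, 0x02, 0x00, 0x00, 0x03, 0x03,     /* 9 payload bytes */
    0xAA, 0xBB,                                   /* CRC placeholder */
    0xFE, 0x09, 0x01, 0x01, 0x01, 0x00,
    0, 0, 0, 0, 0x02, 0x00, 0x00, 0x03, 0x03,
    0xCC, 0xDD,
    0xFE, 0x09, 0x02, 0x01                        /* truncated: wait for more */
};

int main(void) {
    FILE *out = fopen("mavlink.pcap", "wb");      /* path may be a mkfifo'd pipe */
    if (!out) return 1;
    size_t leftover;
    size_t written = bridge_chunk(out, SAMPLE, sizeof SAMPLE, &leftover);
    fclose(out);
    printf("wrote %zu pcap bytes, %zu bytes pending\n", written, leftover);
    return 0;
}
```

In a real bridge the `SAMPLE` buffer is replaced by bytes read from the serial device, the `leftover` bytes are moved to the front of the buffer before the next read, and the global header is written once rather than per chunk; Wireshark then dissects each record with whatever dissector is registered for the chosen link type.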