This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to use dissector not in “decode as”


I have made a custom dissector but do not know how to use it in wireshark.
It appears that it should work, as I am able to type it into the filter bar and it turns green. However, it is not listed in the "decode as" menu, therefore I do not know of any way to use it.

Is there a way to add this custom dissector to the decode as menu or simply use it some other way?

asked 18 Jul '12, 08:48


bball2601
accept rate: 50%


One Answer:

0

You should read README.developer, which shows you how to add your dissector to another dissector's table similar to this:

void proto_reg_handoff_myproto(void)
{
    //...
    /* register your dissector handle for TCP port 'myport' so that
     * segments on that port are handed to your dissector */
    dissector_add_uint("tcp.port", myport, myproto_handle);
    //...
}

...where myproto is your protocol's abbreviation. The above assumes your protocol is built on top of another. If your protocol is supposed to be the lowest-level protocol, you may need more code.

Also note that your dissector may not be automatically added to the "Decode As..." menu (see here).

answered 18 Jul '12, 10:31


multipleinte...
accept rate: 12%


It's also possible to use dissector_add_handle("tcp.port", myproto_handle); instead of dissector_add_uint(...); if you want your protocol accessible only in the "decode as" menu.

Look at proto_reg_handoff...(){...} in various dissectors in epan/dissectors for examples.

(18 Jul '12, 10:57) Bill Meier ♦♦

I tried the dissector_add_uint method, but my dissector only decodes a few UDP packets rather than all of them. Also, wouldn't this method only decode UDP packets that use the same source port as "myport"?
What would I have to do to have it decode any UDP packet, regardless of the ports?

(23 Jul '12, 08:14) bball2601

"wouldn't this method only decode UDP packets that use the same source port as "myport"?" Yes (well, source or dest port, and the port can be made a preference).

You could try a heuristic dissector but that means that your dissector will have to "look at" a number of bytes in the packet and determine if it's your protocol or not.

(23 Jul '12, 08:54) Anders ♦
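The "look at a number of bytes" step Anders describes, as an added example that is not code from this thread or from Wireshark: a byte-level sanity check a heuristic UDP dissector would run before claiming a packet. The wire format (magic "MP", version byte, flags byte, 16-bit payload length) is constructed for illustration, and the Wireshark wiring in the trailing comment is assumed, since signatures vary between releases.

```c
/* Added example, not code from the thread: the byte-level check a heuristic
 * UDP dissector runs before claiming a packet. The wire format is constructed
 * for illustration: 2-byte magic "MP", 1-byte version (1 or 2), 1-byte
 * flags with only bits 0-2 defined, 2-byte big-endian payload length that
 * must equal the number of bytes remaining after the header. */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

#define MYPROTO_HDR_LEN   6
#define MYPROTO_FLAG_MASK 0x07

/* Accept only when every fixed field is consistent: matching on magic alone
 * would grab unrelated UDP traffic that happens to start with "MP". */
bool myproto_heuristic_match(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < MYPROTO_HDR_LEN)
        return false;                        /* too short for a header */
    if (buf[0] != 'M' || buf[1] != 'P')
        return false;                        /* wrong magic */
    if (buf[2] != 1 && buf[2] != 2)
        return false;                        /* unknown version */
    if (buf[3] & (uint8_t)~MYPROTO_FLAG_MASK)
        return false;                        /* reserved flag bits set */
    size_t declared = ((size_t)buf[4] << 8) | buf[5];
    /* validate the length field before anything indexes the buffer by it */
    return declared == len - MYPROTO_HDR_LEN;
}

/* Assumed wiring into Wireshark, kept as a comment because it needs the
 * epan headers; exact signatures vary by release, see README.developer:
 *
 *   static gboolean
 *   dissect_myproto_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 *   {
 *       guint len = tvb_captured_length(tvb);
 *       if (!myproto_heuristic_match(tvb_get_ptr(tvb, 0, len), len))
 *           return FALSE;                 // not ours, let other heuristics try
 *       dissect_myproto(tvb, pinfo, tree);
 *       return TRUE;
 *   }
 *
 *   void proto_reg_handoff_myproto(void)
 *   {
 *       heur_dissector_add("udp", dissect_myproto_heur, proto_myproto);
 *   }
 */
```

Keep the check strict: a heuristic that returns TRUE too readily will steal packets from other dissectors on every port, which is the flip side of the "decode any UDP packet regardless of port" request.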