This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can plugins be written to analyse an existing protocol’s header more deeply?

0

Hi! I want to add a module to the wireshark source to extract more details from the Options field of the tcp header and display them. I found out elsewhere that I need to edit the ip_tcp_opt structure of the ip_opts header file in the epan folder. However, I would prefer a plugin that does the same. I have been going through the READMEs, and from what little I've understood, plugins can be written for new dissectors. But I don't understand if one is allowed to write a plugin that further analyses the fields of a protocol for which a dissector already exists. I'm very new to wireshark development, so can anyone please tell me if it should be possible?

asked 25 Jul '12, 22:06


SidR
accept rate: 30%

edited 05 Nov '12, 08:31


2 Answers:

1

Maybe you can also use a Postdissector, written in Lua.

http://wiki.wireshark.org/Lua/Dissectors

Cite: A postdissector is a dissector registered to be called after every other dissector has been called already. These are handy as all protocol fields are already there so they can be accessed and they can add items to the dissection tree.

Regards
Kurt

answered 26 Jul '12, 09:00


Kurt Knochner ♦
accept rate: 15%

edited 26 Jul '12, 09:00

This looks promising. Where can I find the register_postdissector() declaration in the source?

(26 Jul '12, 22:44) SidR

That's a built-in wslua function (there is no declaration). The wiki link above shows an example of how to use it. The user manual gives a brief description.

(26 Jul '12, 22:55) helloworld

I see. However, I was asking for the equivalent C function that can be found within the wireshark source. I just found it in epan/packet.h, so never mind. Thanks a lot!

(26 Jul '12, 23:08) SidR
1

BTW: There are some samples available.

http://wiki.wireshark.org/Lua/Examples/PostDissector
http://diablohorn.wordpress.com/2010/12/05/dnscat-traffic-post-dissector/

(26 Jul '12, 23:34) Kurt Knochner ♦
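As an added illustration of the postdissector approach Kurt suggests (this is example code written for this page, not taken from the wiki links or from the Wireshark project), the Lua script below registers a postdissector that reads the already-dissected `tcp.options` bytes and adds its own summary subtree listing each option's kind and length. It assumes only that the stock TCP dissector exposes the `tcp.options` field (it does); the protocol name `tcpopt_post`, its field names, and the small kind-name table are choices made here and can be renamed freely.

```lua
-- Added example: Lua postdissector that re-walks the TCP options bytes.
-- Assumes the stock TCP dissector has registered the "tcp.options" field.
-- Protocol and field names below are chosen for this example.
local tcpopt_post = Proto("tcpopt_post", "TCP Options Summary (postdissector)")

local f_kind  = ProtoField.uint8("tcpopt_post.kind",  "Option kind",   base.DEC)
local f_len   = ProtoField.uint8("tcpopt_post.len",   "Option length", base.DEC)
local f_count = ProtoField.uint8("tcpopt_post.count", "Option count",  base.DEC)
tcpopt_post.fields = { f_kind, f_len, f_count }

-- Field extractor: created once at load time, evaluated per packet.
-- It returns the FieldInfo for tcp.options that the TCP dissector already added.
local tcp_options_f = Field.new("tcp.options")

-- Human-readable names for common option kinds (constructed lookup table).
local KIND_NAMES = {
    [0] = "EOL", [1] = "NOP", [2] = "MSS", [3] = "Window Scale",
    [4] = "SACK Permitted", [5] = "SACK", [8] = "Timestamps",
}

function tcpopt_post.dissector(tvb, pinfo, tree)
    local fi = tcp_options_f()
    if not fi then
        return                      -- frame has no TCP options (or no TCP at all)
    end

    local r   = fi.range            -- TvbRange covering just the options bytes
    local n   = r:len()
    local sub = tree:add(tcpopt_post, r, "TCP Options Summary")
    local off, count = 0, 0

    while off < n do
        local kind = r:range(off, 1):uint()
        if kind == 0 then
            -- End of Option List: single byte, nothing may follow
            local item = sub:add(f_kind, r:range(off, 1))
            item:append_text(" (EOL)")
            count = count + 1
            break
        elseif kind == 1 then
            -- No-Operation: single byte used for padding/alignment
            local item = sub:add(f_kind, r:range(off, 1))
            item:append_text(" (NOP)")
            off = off + 1
        else
            -- Every other option carries a length byte that includes kind and length
            if off + 1 >= n then
                local item = sub:add(f_kind, r:range(off, 1))
                item:append_text(" (truncated: no length byte)")
                break
            end
            local len = r:range(off + 1, 1):uint()
            if len < 2 or off + len > n then
                -- Defensive check: a bad length would otherwise walk past the buffer
                local item = sub:add(f_kind, r:range(off, 1))
                item:append_text(" (malformed length " .. len .. ")")
                break
            end
            local item = sub:add(f_kind, r:range(off, 1))
            item:append_text(" (" .. (KIND_NAMES[kind] or "unknown") .. ")")
            item:add(f_len, r:range(off + 1, 1))
            off = off + len
        end
        count = count + 1
    end

    -- Derived value, so mark it as generated rather than pointing at packet bytes
    sub:add(f_count, count):set_generated()
end

register_postdissector(tcpopt_post)
```

Drop the file into the personal plugins directory (or load it with `-X lua_script:`) and every TCP frame with options gains a "TCP Options Summary" subtree beneath the existing dissection; the new fields are filterable like any other, e.g. `tcpopt_post.kind == 8` for frames carrying a Timestamps option. Because a postdissector only runs after the TCP dissector has finished, it cannot change what that dissector shows, which is exactly the trade-off Anders' answer points at: a postdissector is the quick, self-contained route, while a change to the C dissector is the one that benefits everybody.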

1

Probably not, and why should it be possible? Isn't it much better to enhance the existing dissector and offer the enhancement to the Wireshark project to have it included in the code base?

answered 25 Jul '12, 22:20


Anders ♦
accept rate: 17%

Thank you for your quick reply Anders. And I agree with you, enhancing the existing dissector sounds cooler.

(25 Jul '12, 22:33) SidR