Hi all, we have a complex protocol which is not Ethernet based (it has nothing to do with Ethernet) and which consists of frames with timestamps. In order to analyze and display the individual protocol parts, I would like to use Wireshark. What I have done so far:
I am new to writing dissectors and I have no (deep) knowledge of frame formats. I have understood that when I call, for example, dissector_add_uint("tcp.port", 999, my_handle); my dissect function will get called when I have an IP frame with port 999. When I open my pcapng files with Wireshark and, let's say, my frame is 04 04 04 04 01 02 03, then Wireshark displays it as:
Frame (7 bytes on wire)
Null/Loopback
Type unknown (0x0404)
Data (3 bytes) 01 02 03
My non-Ethernet frames start with completely random hex bytes, but I could prefix a certain flag (e.g. 0x11, 0x22, 0x33, 0x44 or whatever) to all my frames before I put them into a pcapng file. Can you give me a tip on which kind of dissector_add_(uint) call, with which parameters, I should use so that my dissect function gets called? Thanks a lot. Carsten from Germany asked 01 Aug '12, 00:41 gyroblau
One Answer:
You should probably request a link-layer type here http://www.tcpdump.org/linktypes.html or use one of the user DLTs for your frames. answered 01 Aug '12, 02:26 Anders ♦
... or maybe your link-layer type is already there.
... and then use
dissector_add_uint("wtap_encap",
your link layer's wtap type,
your handle);
Thanks a lot, that works.
Please don't forget to Accept the answer if it answers your question--see the FAQ for how this site works.
Which was the "that" in "that works"? Presumably not "request a link-layer type here", as nobody's requested or been assigned a link-layer header type in the past 2 days; was it "use one of the user DLTs" or "use one of the existing link-layer types"?
(Note that if you aren't just using this network type in your {university,laboratory,corporation,etc.}, so that you'd prefer to have a standard link-layer header type assigned, sending a message to [email protected]lists.tcpdump.org to request the link-layer header type, as per the page to which Jaap's answer points, is the first step.)
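The registration the answer describes, as an added example that is not part of the original thread: a Lua dissector that claims the user link-layer type LINKTYPE_USER0 (pcap/pcapng LinkType 147, which Wireshark maps to WTAP_ENCAP_USER0, spelled wtap.USER0 in Lua) through the "wtap_encap" dissector table, so every frame of a capture whose interface carries LinkType 147 lands in this dissector instead of in the Null/Loopback guess shown in the question. The frame layout (one flag byte, a 32-bit big-endian timestamp, then payload), the protocol name "myframe" and the flag value 0x11 are assumptions made here for illustration; the poster never described the real format.

```lua
-- Example Lua dissector (added here, not from the original thread) for a
-- non-Ethernet protocol stored in pcapng with interface LinkType 147 (USER0).
--
-- ASSUMED frame layout (the real format was never described by the poster):
--   byte 0     : flag byte the poster proposed prefixing (0x11 assumed)
--   bytes 1..4 : 32-bit big-endian timestamp
--   bytes 5..n : payload
local FLAG_EXPECTED = 0x11

local myproto = Proto("myframe", "Non-Ethernet frame (example)")

local f_flag    = ProtoField.uint8 ("myframe.flag",      "Flag",      base.HEX)
local f_ts      = ProtoField.uint32("myframe.timestamp", "Timestamp", base.DEC)
local f_payload = ProtoField.bytes ("myframe.payload",   "Payload")
myproto.fields = { f_flag, f_ts, f_payload }

-- Expert items so truncated or mis-flagged frames are visible in the
-- Expert Info dialog instead of silently mis-dissected or raising Lua errors.
local ef_short = ProtoExpert.new("myframe.short", "Frame shorter than the 5-byte header",
                                 expert.group.MALFORMED, expert.severity.ERROR)
local ef_flag  = ProtoExpert.new("myframe.badflag", "Unexpected flag byte",
                                 expert.group.PROTOCOL, expert.severity.WARN)
myproto.experts = { ef_short, ef_flag }

function myproto.dissector(buf, pinfo, tree)
  pinfo.cols.protocol = myproto.name
  local subtree = tree:add(myproto, buf())

  -- Bounds check first: never index past the end of the captured frame.
  if buf:len() < 5 then
    subtree:add_proto_expert_info(ef_short)
    pinfo.cols.info = "truncated frame"
    return buf:len()
  end

  local flag_item = subtree:add(f_flag, buf(0, 1))
  if buf(0, 1):uint() ~= FLAG_EXPECTED then
    flag_item:add_proto_expert_info(ef_flag)
  end
  subtree:add(f_ts, buf(1, 4))
  if buf:len() > 5 then
    subtree:add(f_payload, buf(5))        -- from offset 5 to end of frame
  end
  pinfo.cols.info = string.format("ts=%u len=%u", buf(1, 4):uint(), buf:len())
  return buf:len()
end

-- The registration from the answer: key the "wtap_encap" table by Wireshark's
-- encapsulation number for the user DLT.  wtap.USER0 is WTAP_ENCAP_USER0,
-- the internal type Wireshark assigns to pcap/pcapng LinkType 147.
-- (Lua equivalent of dissector_add_uint("wtap_encap", WTAP_ENCAP_USER0, handle).)
DissectorTable.get("wtap_encap"):add(wtap.USER0, myproto)
```

Drop the file into the personal Lua plugins directory (Help > About Wireshark > Folders shows the path) and write the capture so the interface description block's LinkType is 147; Wireshark then calls myproto.dissector for each frame of that interface. This registration replaces Wireshark's own generic "user_dlt" handler for USER0, so the "User DLTs Table" preference no longer applies to that value. Because the user DLTs are not globally unique, this only works for captures you produce yourself; for a format shared with others, the link-layer type request described in the comments above is the right path.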