This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why does the “decode as” dialog only show entries for link layer?

0

I am working on different plugin dissectors to dissect the following protocol stack: Ethernet -> ProtoA -> ProtoB or C.

In the proto_register_a() function I call:

register_dissector_table("a.next","A next protocol", FT_UINT16, BASE_HEX);

In the proto_reg_handoff_a() function I call:

dissector_add("ethertype", ETHERTYPE_A, a_handle);

In the proto_reg_handoff_b() function I call:

dissector_add("a.next", A_NEXT_VALUE_B, b_handle);

In the proto_reg_handoff_c() function I call:

dissector_add("a.next", A_NEXT_VALUE_C, c_handle);

Everything is decoded just fine, but still, if I open the "decode as" dialog, only the link layer dissectors are shown and I can't choose to decode ProtocolB as ProtocolC.

What am I missing?

asked 22 Feb '13, 06:35

Andreas Wilkes


One Answer:

2

Adding a dissector table does not automatically add it to "decode as". Isn't there any indication in proto A to say if the payload is B or C?

answered 22 Feb '13, 08:36

Anders ♦

1

I.e., at least currently, "decode as" is not a general UI mechanism for all dissector tables; it has a small number of dissector tables (Ethertype, TCP/UDP/etc. ports, DCE RPC) wired into it.

(22 Feb '13, 15:18) Guy Harris ♦♦

Good to know that the "decode as" does not automatically work for plugins. @Anders There is an indication which protocol follows, but the reason I wanted the "decode as" functionality is to be able to decode something that is indicated to be B as C (i.e. if the next field in A is filled with the wrong value).

(27 Feb '13, 02:14) Andreas Wilkes

> Good to know that the "decode as" does not automatically work for plugins.

"Decode as" doesn't automatically work for arbitrary dissector tables, regardless of whether the dissector table was created by a plugin or a built-in dissector; this problem would exist even if Wireshark didn't support plugins.

(27 Feb '13, 02:24) Guy Harris ♦♦

> There is an indication which protocol follows, but the reason I wanted the "decode as" functionality is to be able to decode something that is indicated to be B as C (i.e. if the next field in A is filled with the wrong value).

You could try adding a preference to the protocol A dissector to specify that it should, for example, treat a next-protocol value of B as if it were C. ("Decode as", even if and when it supports arbitrary dissector tables, wouldn't let you specify this on a per-packet basis - the whole point is to override the dissector choice for all packets with a given value.)

(27 Feb '13, 02:26) Guy Harris ♦♦
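
A stand-alone C model of the preference suggested in the last comment, added here as an example and not code from the thread or from Wireshark: ProtoA reads its next field, applies an optional remap, then looks the value up in its table. The table helpers, the `pref_*` variables, the 2-byte big-endian layout of the next field and the numeric values of `A_NEXT_VALUE_B` and `A_NEXT_VALUE_C` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-alone model of a uint-keyed dissector table such as "a.next".
 * These helpers are hypothetical and are not Wireshark's epan API. */
typedef const char *(*dissector_fn)(const uint8_t *payload, size_t len);
struct table_entry { uint16_t value; dissector_fn fn; };
static struct table_entry a_next_table[8];
static size_t a_next_count;

/* Constructed next-protocol values; the page does not give the real ones. */
enum { A_NEXT_VALUE_B = 0x0001, A_NEXT_VALUE_C = 0x0002 };

/* Preference model: when enabled, a next field equal to pref_from is
 * dispatched as if it were pref_to. */
static int pref_remap_enabled;
static uint16_t pref_from = A_NEXT_VALUE_B;
static uint16_t pref_to = A_NEXT_VALUE_C;

static const char *dissect_b(const uint8_t *p, size_t n) { (void)p; (void)n; return "ProtoB"; }
static const char *dissect_c(const uint8_t *p, size_t n) { (void)p; (void)n; return "ProtoC"; }

static int table_add(uint16_t value, dissector_fn fn) {
    if (a_next_count == sizeof a_next_table / sizeof a_next_table[0]) return -1;
    a_next_table[a_next_count++] = (struct table_entry){ value, fn };
    return 0;
}

/* Model of ProtoA: 2-byte big-endian next field, then the payload. */
static const char *dissect_a(const uint8_t *pkt, size_t len) {
    if (len < 2) return "A: truncated";          /* no next field to read */
    uint16_t next = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (pref_remap_enabled && next == pref_from)
        next = pref_to;                          /* same override for every packet */
    for (size_t i = 0; i < a_next_count; i++)
        if (a_next_table[i].value == next)
            return a_next_table[i].fn(pkt + 2, len - 2);
    return "data";                               /* no subdissector registered */
}

int main(void) {
    const uint8_t pkt[] = { 0x00, 0x01, 0xde, 0xad };  /* constructed: next = B */
    table_add(A_NEXT_VALUE_B, dissect_b);
    table_add(A_NEXT_VALUE_C, dissect_c);
    pref_remap_enabled = 1;
    puts(dissect_a(pkt, sizeof pkt));
    return 0;
}
```

As the comment notes, the remap is global: once enabled, every packet carrying the B value is handed to the C dissector, not just the malformed ones.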