Hi, I use a custom protocol format to save packets: the full Ethernet frame (eth -> ip -> tcp ...) is prepended by my custom protocol header. I want to add a plugin in Wireshark that displays my custom header and its subfields and then the actual protocol hierarchy, in the order MyProtcolName - subheaderinfo1 - subheaderinfo2 - Ethernet - IP and so on. Is it possible in Wireshark to add a protocol over layer 1 protocols? If it is, then kindly suggest a way to implement it. A sample would be appreciated. Thanks.

asked 03 Apr '13, 06:38 Vipul Pal, edited 03 Apr '13, 07:22 grahamb ♦
One Answer:
Yes, this is possible. You will need to register for a new Link Layer header type value (see: http://www.tcpdump.org/linktypes.html) or you can use one of the types reserved for private use (if you don't plan to distribute your specific capture files and dissector). Then you will need to write a dissector that registers in the "wtap_encap" dissector list to get your dissector called based on the encapsulation type in the pcap file (which should match the requested Link Layer Header type). Your dissector will dissect your protocol headers and then call the Ethernet dissector to dissect the eth, ip, etc. layers. Have a look at epan/dissectors/packet-juniper.c for an example...

answered 03 Apr '13, 07:15 SYN-bit ♦♦
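A Lua plugin implementing the approach the answer describes, added here as an example and not taken from the question, the answer or Wireshark itself. The 8-byte header layout, the magic value 0xCAFE and the choice of the private-use link type LINKTYPE_USER0 (exposed to Lua as wtap.USER0) are assumptions; replace them with your own format.

```lua
-- Example custom link-layer dissector (not from the original answer).
-- Assumed header layout (8 bytes, big-endian), entirely hypothetical:
--   uint16 magic (0xCAFE), uint8 version, uint8 flags,
--   uint16 channel, uint16 payload_len (length of the Ethernet frame).
local HDR_LEN = 8
local MAGIC   = 0xCAFE

local p_myproto = Proto("myproto", "MyProtocolName")

local f = p_myproto.fields
f.magic   = ProtoField.uint16("myproto.magic",   "Magic",   base.HEX)
f.version = ProtoField.uint8 ("myproto.version", "Version", base.DEC)
f.flags   = ProtoField.uint8 ("myproto.flags",   "Flags",   base.HEX)
f.channel = ProtoField.uint16("myproto.channel", "Channel", base.DEC)
f.plen    = ProtoField.uint16("myproto.plen",    "Payload length", base.DEC)

-- Expert info so malformed headers are flagged instead of silently mis-parsed.
local ef_magic = ProtoExpert.new("myproto.bad_magic", "Bad magic value",
                                 expert.group.MALFORMED, expert.severity.ERROR)
local ef_short = ProtoExpert.new("myproto.short", "Header truncated",
                                 expert.group.MALFORMED, expert.severity.ERROR)
p_myproto.experts = { ef_magic, ef_short }

-- Built-in Ethernet dissector that takes over once our header is consumed.
local eth_dis = Dissector.get("eth_withoutfcs")

function p_myproto.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "MYPROTO"
    local st = tree:add(p_myproto, tvb(0, math.min(HDR_LEN, tvb:len())))
    if tvb:len() < HDR_LEN then
        st:add_proto_expert_info(ef_short)
        return
    end
    st:add(f.magic,   tvb(0, 2))
    st:add(f.version, tvb(2, 1))
    st:add(f.flags,   tvb(3, 1))
    st:add(f.channel, tvb(4, 2))
    st:add(f.plen,    tvb(6, 2))
    if tvb(0, 2):uint() ~= MAGIC then
        st:add_proto_expert_info(ef_magic)
        return  -- do not hand an unrecognised payload to the Ethernet dissector
    end
    -- Clamp the declared length to what is actually present in the packet.
    local plen = math.min(tvb(6, 2):uint(), tvb:len() - HDR_LEN)
    eth_dis:call(tvb(HDR_LEN, plen):tvb(), pinfo, tree)
end

-- Bind to the private-use link type so pcaps saved with LINKTYPE_USER0
-- (147 in the file header) are routed to this dissector.
DissectorTable.get("wtap_encap"):add(wtap.USER0, p_myproto)
```

Drop the file into the personal plugins directory (Help -> About Wireshark -> Folders) and the tree shows MyProtocolName with its subfields, followed by Ethernet, IP and the rest.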