This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to add custom protocol dissector for layer 1 (ethernet) protcol

0

Hi,

I uses a custom protocol format to save packets, the full ethernet frame(eth->ip->tcp..) is prepended by my custom protocol header,

I want to add plugin in wireshark that displays My custom header and its subfields & then the actual protcol hierarchy like in order

MyProtcolName

-subheaderinfo1

-subheaderinfo2

Ethernet

ip

& so on,

Is it possible in wireshark to add protocol over layer1 protocols? If it is, then kindly suggest a way to implement it. A sample would be appreciable..

Thanks,

asked 03 Apr '13, 06:38

Vipul%20Pal's gravatar image

Vipul Pal
1111
accept rate: 0%

edited 03 Apr '13, 07:22

grahamb's gravatar image

grahamb ♦
19.8k330206


One Answer:

0

Yes, this is possible. You will need to register for a new Link Layer header type value (see: http://www.tcpdump.org/linktypes.html) or you can use one of the types reserved for private use (if you don't plan to distribute your specific capture files and dissector).

Then you will need to write a dissector that registers to the "wtap_encap" dissector list to get your dissector called based on the encapsulation type in the pcap file (which should match the requested Link Layer Header type). Your dissector will dissect your protocol headers and then will call the ethernet dissector to dissect the eth,ip,etc layers.

Have a look at epan/dissectors/packet-juniper.c for an example...

answered 03 Apr '13, 07:15

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%