I would like to write a .NET dissector plugin to decode my own protocols. Can wireshark read managed dlls (C# or managed C++), or does it have to be only native code or python script? I have decoders written in C# already, and would like to reuse them if possible. Any ideas how this can be done? Thanks asked 19 Nov '13, 02:13  Lews Therin |
One Answer:
Wireshark is all native code. I have no idea if an unmanaged program can load a managed DLL, but if it is possible, then your DLL would have to present unmanaged interfaces so that Wireshark can call essential functions in it, your DLL may have to export some unmanaged data for Wireshark, and then any Wireshark infrastructure calls your DLL makes would have to be unmanaged and be passed and receive back unmanaged data structures. In short if at all possible it's going to be a big chunk of work. You may want to investigate other Wireshark dissector creation options such as text using WSGD, built-in languages such as Lua, or a C based dissector. answered 19 Nov '13, 03:52  grahamb ♦ showing 5 of 7 show 2 more comments |
Hey Graham, thanks for the quick answer. The idea is to pretty much emulate WSGD -> a generic native dll that will interface with any codecs/protocol I create in C#. It sounds like a lot of work indeed. I was hoping for experienced feedback, but seems there isn't a better way.
Honestly, writing all the mananged -> unmanaged interface code will be much more work (if it works at all) than simply rewriting your decoder logic (you already have that logic) in C and putting that into a template dissector (see Developer guide).
Regards
Kurt
Actually, you should be able to create a Lua dissector that uses a C# library via LuaInterface to parse the payload. See a related question on how to set up LuaInterface with Wireshark.
Thanks for the help guys.
@helloworld, Luainterface looks interesting, but I would suspect implementing a dissector that way might be less than optimal speed wise. I would also think that there will still need to be some translation between Wireshark data structures and whatever the original C# dissectors are doing.
It's even worse. You'll have to write a dissector in Lua, then pass the tvb data to the C# library and get back "some" data structure of the 'dissected' tvb (as you said). Then you'll have to walk through that data structure and add the proto fields within the Lua code based on the data structure you received from the C# code + convert data types between C# and Lua.
I don't see how that could be less (coding) work or how that could be in any way easier than a migration of the C# decoder logic to either C or Lua, as the dissector framework (handling tvb and proto fields) has to be coded in Lua/C anyways.
It might not be optimal in terms of speed, but that wasn't part of the question. The OP asks for a way to reuse his existing C# library. Depending on how much work was already invested into that library; and the size and complexity of the protocol, LuaInterface could be a shorter path than rewriting it.