This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Set DLT_USER in dissector registration

0

Is it possible to set the payload protocol for any of the DLT_USER encapsulations during the build process? Since I have to rebuild Wireshark with new dissectors often, I'd like to do this so that my dissectors are registered correctly as soon as Wireshark is installed, rather than reconfiguring the Encapsulation Table after each new install.

Is there a configuration file I can edit, or perhaps a source file?

Update: I've had no luck finding an obvious solution for this, despite the %appdata%/Wireshark/user_dlts file being automatically generated for each user. Does anyone know of a way to modify the default contents of this file before distributing Wireshark? To clarify, I distribute Wireshark using an NSIS installer that includes a number of dissectors. Some of these register against the DLT_USER encapsulation table exclusively as the dissection entry point so that our log files (which use a DLT_USER entry out of necessity) will be correctly opened by Wireshark.

As an example, I would like to have each new user's user_dlts file contain something like the following:

# This file is automatically generated, DO NOT MODIFY.
"User 0 (DLT=147)","foo","0","","0",""

Update: It looks like I could generate a uat entry and then inject this into the encaps_uat table in the dissector defined in epan/dissectors/packet-user_encap.c, but I can see no clear way of doing this. These are the questions I currently have:

  1. How can I obtain a reference to the encaps_uat in my proto_reg_handoff function?
  2. How should the user_encap_t be populated to accomplish this task?
  3. How can I inspect this table to ensure that my dissector is registered against a user DLT only if it has not already been registered?
  4. Finally, how can I add my entry to the encaps_uat?

asked 24 Mar '11, 09:09

multipleinterfaces's gravatar image

multipleinte...
1.3k152340
accept rate: 12%

edited 24 May '11, 12:28

What is the "necessity" out of which you use a DLT_USER value? Can you not ask [email protected] for a link-layer type?

(24 May '11, 15:49) Guy Harris ♦♦

We elected to use DLT_USER values in stead of requesting a link-layer type because we use Wireshark to process log files in-house (in a format that is not released to our customers) and using an unassigned value would mean possibly colliding with a new DLT some time in the future.

(25 May '11, 14:38) multipleinte...

One Answer:

0

You can't manipulate the encaps_uat from your dissector.

The best you can do, if you want the association between the LINKTYPE_USER value and the dissector hardwired into a private version of Wireshark, would be to change epan/dissectors/packet-user_encap.c not to register for the particular WTAP_ENCAP_USER value, and have your dissector register for that WTAP_ENCAP_USER value itself.

If Wireshark were to support "global" UAT files in addition to per-user UAT files, you could distribute a global UAT file with the entry in question, but, as far as I can tell, it doesn't support them (although it does support a global preferences file).

answered 10 Jun '11, 11:11

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

After several experiments, this is definitely the cleanest way to handle this for now.

(26 Aug '11, 09:07) multipleinte...