This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to access Ethertype packet structure in Dissector plugin?

0

Hi everyone,

I am modifying a dissector plugin which used to work with wireshark version 1.10.

But when I try to compile it with the Wireshark 1.12-rc2 source code, it throws an error regarding a missing structure element:

    pinfo->ethertype

I figured out that this element is no longer applicable for newer versions of Wireshark. But I need to access the Ethernet type from the packet I received. The problem is that I am given the buffer pointer in the dissector just after the Ethernet header, so I can't use tvb_get_ptr.

I used the following 2 functions to add my dissector:

    dissector_add_uint("ethertype", 0xABCD, xmax_handle);
    dissector_add_uint("ethertype", 0xBDEF, xmax_handle);

My dissector is working properly with the above 2 packet types. But I need to access those 2 packet types (0xABCD and 0xBDEF) to do some internal processing.

So I went back to packet-ethertype.c to find out what's going on. It seems like this structure contains the packet type:

    ethertype_data->etype

Can I pass this structure element to my dissector? I tried it, but it gives a segmentation fault.

Is there any other way to do it?

Thanks in advance.

asked 30 Jul '14, 13:20

kazi_hasan
16114
accept rate: 0%


2 Answers:

1

Create two handles (one for each of the ethertypes), each pointing to a different function, and do dissector_add_uint separately for each ethertype using the corresponding handle. Each of the separate functions can then call the common dissector code with a flag indicating the ethertype.

E.g., xmax_handle_abcd and xmax_handle_bdef

answered 30 Jul '14, 13:30

Bill Meier ♦♦
3.2k1850
accept rate: 17%

edited 30 Jul '14, 13:35

Thanks for the reply. Actually I was thinking about this solution, but is there any way to access the packet type from the dissector itself?

(30 Jul '14, 13:36) kazi_hasan

1

A better/easier way is to use pinfo->match_uint. When your dissector is called because it is registered for a particular uint dissector-table value then this field is filled in with the matching value.

answered 31 Jul '14, 06:29

JeffMorriss ♦
6.2k572
accept rate: 27%
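
The behaviour described in the answer above, as an added stand-alone example that is not part of the original posts or Wireshark's code: a simplified model of a uint dissector table that records the matched value before calling the handler, so one dissector registered under both ethertypes can tell them apart. `packet_info`, `dissector_t`, `dispatch_frame`, the table and the sample frames are simplified stand-ins constructed for illustration; only the `match_uint` field name and the two ethertype values come from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Simplified stand-ins for illustration, not Wireshark's real epan types. */
typedef struct { uint32_t match_uint; } packet_info;
typedef int (*dissector_t)(const uint8_t *payload, size_t len, packet_info *pinfo);

/* One dissector for both ethertypes; it only sees bytes after the Ethernet header. */
static int dissect_xmax(const uint8_t *payload, size_t len, packet_info *pinfo)
{
    (void)payload; (void)len;
    switch (pinfo->match_uint) {
    case 0xABCD: return 1;  /* first packet type from the question */
    case 0xBDEF: return 2;  /* second packet type from the question */
    default:     return 0;  /* called some other way: do not guess */
    }
}

static const struct { uint32_t value; dissector_t handle; } ethertype_table[] = {
    { 0xABCD, dissect_xmax }, { 0xBDEF, dissect_xmax },
};

/* Model of the Ethernet layer: bounds-check, look up, set match_uint, pass payload. */
static int dispatch_frame(const uint8_t *frame, size_t len)
{
    packet_info pinfo = { 0 };
    if (len < 14) return -1;                    /* truncated Ethernet header */
    uint32_t etype = ((uint32_t)frame[12] << 8) | frame[13];
    for (size_t i = 0; i < sizeof ethertype_table / sizeof ethertype_table[0]; i++) {
        if (ethertype_table[i].value == etype) {
            pinfo.match_uint = etype;           /* what the dissector reads back */
            return ethertype_table[i].handle(frame + 14, len - 14, &pinfo);
        }
    }
    return -1;                                  /* no dissector registered */
}

/* Constructed sample frames: zeroed addresses, ethertype, one payload byte. */
static const uint8_t frame_a[15]  = { [12] = 0xAB, [13] = 0xCD, [14] = 0x01 };
static const uint8_t frame_b[15]  = { [12] = 0xBD, [13] = 0xEF, [14] = 0x02 };
static const uint8_t frame_ip[15] = { [12] = 0x08, [13] = 0x00, [14] = 0x45 };

int main(void)
{
    printf("0xABCD -> %d\n", dispatch_frame(frame_a, sizeof frame_a));
    printf("0xBDEF -> %d\n", dispatch_frame(frame_b, sizeof frame_b));
    printf("0x0800 -> %d\n", dispatch_frame(frame_ip, sizeof frame_ip));
    return 0;
}
```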