This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

new wireshark dissector

0

Hi, I am developing a new Wireshark dissector. I have a pcap file that could be opened from Wireshark; how do I get my plugin to read this file? If I feed it through a port, I can write the port to my dissector code to listen on that port. How does a plugin get activated when a pcap file is opened?

Thanks in Advance

asked 09 Jun '11, 13:01

tut087
accept rate: 0%

Dissectors don't read capture files; the core of Wireshark reads capture files, and calls the dissector for the link-layer header type for the packet, which then calls other dissectors.

Your dissector presumably dissects packets for a particular protocol; does that protocol run at the link layer, or does it run atop another protocol?

(09 Jun '11, 20:02) Guy Harris ♦♦

One Answer:

2

If you're having trouble integrating your plugin with Wireshark, then try reading README.developer and README.plugins in particular.

If your plugin is already compiled and integrated but it's just not getting handed packets that you think it should be handed, then you probably need to register your plugin on whichever UDP or TCP port your traffic is appearing on.

If the port can vary, then you might consider adding a port preference to your dissector so it's configurable. Alternatively, if the port could change frequently and it's too annoying to have to keep changing the port preference, you could try registering your plugin as a heuristic dissector instead. Refer to README.heuristic in that case.

answered 09 Jun '11, 15:49

cmaynard ♦♦
accept rate: 20%

edited 09 Jun '11, 16:05
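
The three registration options from the answer above (fixed port, port preference, heuristic), shown together as an added example that is not part of the original thread. It is written as a Lua dissector rather than a C plugin, and it uses UDP. Assumptions: the protocol name `myproto`, its 4-byte header layout, the magic value 0x4D50 and the default port 9999 are made up for illustration, and `register_heuristic` requires a Wireshark release newer than this thread.

```lua
-- myproto.lua: hypothetical protocol, constructed for illustration only.
-- Assumed header: 2-byte magic (0x4D50), 1-byte type, 1-byte payload length.
local myproto = Proto("myproto", "My Example Protocol")

local f_magic = ProtoField.uint16("myproto.magic", "Magic", base.HEX)
local f_type  = ProtoField.uint8("myproto.type", "Type", base.DEC)
local f_len   = ProtoField.uint8("myproto.length", "Payload length", base.DEC)
myproto.fields = { f_magic, f_type, f_len }

-- Port preference, so the port can be changed without editing the script.
myproto.prefs.port = Pref.uint("UDP port", 9999, "UDP port carrying myproto")

-- Wireshark's core reads the capture (file or live) and calls this function
-- for each packet that reaches the dissector; the dissector never opens a
-- file or listens on a socket itself.
function myproto.dissector(tvb, pinfo, tree)
    if tvb:len() < 4 then return 0 end          -- too short: not ours
    pinfo.cols.protocol = "MYPROTO"
    local subtree = tree:add(myproto, tvb())
    subtree:add(f_magic, tvb(0, 2))
    subtree:add(f_type,  tvb(2, 1))
    subtree:add(f_len,   tvb(3, 1))
    return tvb:len()
end

-- Option 1 and 2: register on the UDP port, and follow preference changes.
local udp_table = DissectorTable.get("udp.port")
local current_port = myproto.prefs.port
udp_table:add(current_port, myproto)

function myproto.prefs_changed()
    if myproto.prefs.port ~= current_port then
        udp_table:remove(current_port, myproto)
        current_port = myproto.prefs.port
        udp_table:add(current_port, myproto)
    end
end

-- Option 3: heuristic registration for traffic on unpredictable ports.
-- Return false quickly unless the packet really looks like myproto, so
-- other dissectors still get a chance at packets that are not ours.
local function myproto_heuristic(tvb, pinfo, tree)
    if tvb:len() < 4 then return false end
    if tvb(0, 2):uint() ~= 0x4D50 then return false end
    if tvb(3, 1):uint() ~= tvb:len() - 4 then return false end
    myproto.dissector(tvb, pinfo, tree)
    return true
end
myproto:register_heuristic("udp", myproto_heuristic)
```

Loaded with `wireshark -X lua_script:myproto.lua`, the dissector is called for matching packets whether they come from an opened pcap file or a live interface, because the core does the reading and the dispatch.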