Greetings, How do I get Wireshark to decode the Payload of all MoldUDP64 packets as "Nasdaq-ITCH"? When I right-click Payload and do "Decode as...", the ITCH protocol is not listed as an option. Thanks in advance, MB
asked 23 Oct '15, 09:01 marsblack
2 Answers:
The MoldUDP64 dissector goes so far as to dissect message blocks. There's no relation to Nasdaq-ITCH made. I've no sample capture to work out if that could be made so.
answered 23 Oct '15, 14:31 Jaap ♦
You need 2 things:
1. A dissector table created in MoldUDP64. The Nasdaq-ITCH dissector would register with this table.
2. A "Decode As" structure created in MoldUDP64 (using register_decode_as).
Based on the information provided, it doesn't appear like MoldUDP64 has a "unique identifier" to determine Nasdaq-ITCH, so I recommend using the "sample code" in packet-socketcan.c or packet-enip.c for how their "subdissectors" are exposed through Decode As.
answered 23 Oct '15, 16:49 Michael Mann
Threw something together here: https://code.wireshark.org/review/11235/ (23 Oct '15, 17:37) Michael Mann
Thanks Jaap.
Suppose I want to force the Payload field of all MoldUDP64 packets to be dissected as Nasdaq-ITCH in my capture. proto_reg_handoff_nasdaq_itch() in packet-nasdaq-itch.c to add a dissector to moldudp64. Am I on the right track? Can you advise on what the call to dissector_add_uint() would look like? Kind regards.
As Michael Mann says in his answer, "it doesn't appear like MoldUDP64 has a "unique identifier" to determine Nasdaq-ITCH", so there's nothing to use in a call to dissector_add_uint(), and that call shouldn't exist. See the code review he linked to in the comment he made to his reply.