
I have a Wireshark plugin whose code compiles and generates .so files perfectly under Ubuntu 16. This dissector was written for Wireshark 1.6 and the plugin runs perfectly under Wireshark 1.6.

However, when I try to use this plugin with Wireshark 2 (or any Wireshark version higher than 1.6), the following errors show:

> Couldn't load module /home/th89ct/.config/wireshark/plugins/plugin-1_0_0.so: /home/th89ct/.config/wireshark/plugins/plugin-1_0_0.so: undefined symbol: tvb_length
> Couldn't load module /home/th89ct/.config/wireshark/plugins/plugin--1_0_0.so: /home/th89ct/.config/wireshark/plugins/plugin--1_0_0.so: undefined symbol: check_col

So I wanted to edit the code by replacing these methods, as after googling I found that they do not belong to the new Wireshark API.

But the problem is that every time I edit the code, even by only adding a space on a blank line, the following error appears:

> gcc -c -DHAVE_CONFIG_H -I/usr/include/wireshark -I/usr/include/glib-2.0 -I/usr/lib/i386-linux-gnu/glib-2.0/include -DINET6 -D_U_=__attribute__((unused)) -Wall -Wpointer-arith -g -DXTHREADS -D_REENTRANT -DXUSE_MTSAFE_API -fPIC -DPIC packet-ife.c -o packet-ife.o
> packet-ife.c:105:23: fatal error: epan/emem.h: No such file or directory
> #include ^
> compilation terminated.
> Makefile.linux:28: recipe for target 'packet-ife.o' failed
> make: *** [packet-ife.o] Error 1

What should I do? I am in bad need of help. I have no idea what to do! Thanks in advance.

asked 30 Sep '16, 01:43


xaheen

edited 30 Sep '16, 02:38


grahamb ♦
The binary interface between Wireshark and plugins has changed considerably between 1.6 and 2.0, so coding changes will have to be made in the plug-in. Your options are:

  1. Make the code changes yourself, which you seem to have run into difficulties with.
  2. Post the code somewhere public and ask for help to fix the issues, which would then allow the dissector to be moved into and distributed with Wireshark.
  3. If you are unwilling to release the dissector code publicly you can hire someone to fix it under some form of NDA, as long as you observe the GPL licence that Wireshark is distributed under (basically, if you distribute the plugin to anyone other than your company, then you must also make the source code available).

answered 30 Sep '16, 02:43


grahamb ♦

Thanks a lot for your response. Sadly I can't make the code public as I have an agreement with my company. I have been trying to edit the old code, but as I've said, it's showing errors even if I put a blank space at the end of the code... Why do you think this is occurring?

(30 Sep '16, 02:48) xaheen

Because the Wireshark interface with plugins has changed, you must make the appropriate changes in the plugin to allow it to compile.

Unfortunately it's pretty much impossible for anyone to help without seeing the plugin code.

What you can do is look at each error, then look back at the release notes for each major change, i.e. 1.6 -> 1.8, 1.8 -> 1.10, etc., to determine what has changed and how to fix it.

For the error you show packet-ife.c:105:23: fatal error: emem.h: No such file or directory, that is caused by a change in the memory manager used by Wireshark from emem to wmem in Wireshark 2.0, see the README.wmem file in the doc directory of the sources for more info.

I suspect that you'll have a lot of other changes to do though.

(30 Sep '16, 03:03) grahamb ♦
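To turn errors like the ones above into a checklist before running make, here is an added example (not from the thread and not Wireshark project code): a POSIX shell audit that greps a dissector source for symbols Wireshark dropped before 2.0 and prints the documented successor next to each hit. The API_MAP table, the function names and the sample source are assumptions constructed for the demonstration; the replacement names are the tvb_captured_length and wmem successors grahamb refers to.

```shell
#!/bin/sh
# Added example, not from the thread: scan a 1.x-era dissector for API
# symbols removed before Wireshark 2.0 (the ones behind the errors above)
# and print each one's documented successor, so breakage is found before
# make runs. The sample source below is constructed for this demo.
set -eu

# removed symbol | replacement (memory functions per doc/README.wmem)
API_MAP='
tvb_length|tvb_captured_length
tvb_length_remaining|tvb_captured_length_remaining
check_col|drop the check; col_set_str/col_add_str test the column themselves
epan/emem.h|epan/wmem/wmem.h
ep_strdup_printf|wmem_strdup_printf(wmem_packet_scope(), fmt, ...)
'

# audit_dissector FILE: prints "line:old_symbol:replacement" per hit, sorted
# by line. Whole-word match, so tvb_length_remaining is not also reported
# as tvb_length.
audit_dissector() {
    printf '%s\n' "$API_MAP" | while IFS='|' read -r old new; do
        [ -n "$old" ] || continue
        grep -n -w -F -- "$old" "$1" | while IFS=: read -r lineno _rest; do
            printf '%s:%s:%s\n' "$lineno" "$old" "$new"
        done
    done | sort -n
}

# count_removed_api FILE: number of hits, usable to gate a CI build.
count_removed_api() {
    audit_dissector "$1" | wc -l | tr -d ' '
}

# Constructed fragment in the 1.6 style (not the asker's packet-ife.c).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
#include <epan/packet.h>
#include <epan/emem.h>
static void dissect_example(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    guint len = tvb_length(tvb);
    guint rem = tvb_length_remaining(tvb, 4);
    if (check_col(pinfo->cinfo, COL_PROTOCOL))
        col_set_str(pinfo->cinfo, COL_PROTOCOL, "EXAMPLE");
    proto_tree_add_text(tree, tvb, 0, len, "%s", ep_strdup_printf("rem=%u", rem));
}
EOF

audit_dissector "$SAMPLE"
```

Extend API_MAP with whatever else your own build errors name (proto_tree_add_text in the sample was removed in 2.0 as well), and fail the build when count_removed_api is non-zero.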

Thanks a lot for your time and answer :) I think i have a lot of work to do :/

(30 Sep '16, 05:02) xaheen

do you know about any wireshark online course for wireshark development?

(30 Sep '16, 05:38) xaheen

I do a presentation about how to start writing dissectors at SharkFest, but it's very basic and won't answer any of your questions. I'm not aware of any on-line courses on dissector implementation, although there are a few articles/blog posts that are mostly out of date.

The resources I know of are the Developer's Guide, the documents in the sources' doc directory, and the 1300+ dissector source files as examples in the Wireshark sources (epan/dissectors/packet-xxx.c).

(30 Sep '16, 05:53) grahamb ♦

Thanks a lot for your elaborate and resourceful answer. I will try my best to make the best out of it. I wish there were some tutorial for updating the old code!

(06 Oct '16, 01:39) xaheen

Unfortunately that's one of the costs of keeping your dissector private, you have to maintain it yourself.

One way to sensibly keep up to date is to set up a continuous build system that compiles your plugin frequently; then you'll know when breaking changes have been made and you can easily see which commits caused the issues.

Leaving the dissector fallow for many major version releases, i.e. 1.6 -> 1.8 -> 1.10 -> 1.12 -> 2.0 -> 2.2 is quite likely to have lots of issues to be fixed up.

(06 Oct '16, 02:29) grahamb ♦