This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I need to replace the dissector for IEEE 802.3 Ethernet frames with a custom one that I write in Lua, because I need to explicitly call a custom dissector for the payload. The payload is proprietary data that Wireshark can not recognize. Currently, my data is wrongly interpreted as LLC.

alt text

So I basically want to do the same as described in my earlier question: How to register a Lua dissector for 802.1Q Ethernet payload. I just need to know how to replace the ethernet dissector for 802.3 frames with no VLAN tag. I guess (correct me if I'm wrong) this would be the dissectors eth, eth_withfcs and eth_withoutfcs.

original_802_3_dissector = DissectorTable.get( ??? ):get_dissector( ??? )
[...]
function my_protocol.dissector(buffer, packet_info, tree)
    original_802_3_dissector:call(buffer, packet_info, tree)
    [...]
end
local eth_table = DissectorTable.get( ??? )
eth_table:add( ??? , my_protocol)

As always, any help is appreciated. Thanks in advance.

asked 04 Nov '16, 01:54

patrick_oppermann's gravatar image

patrick_oppe...
466611
accept rate: 0%


The dissector table you are looking for is wtap_encap, and the (integer) index value for Ethernet in that table is 1.

The standard Ethernet dissector assumes that your payload is LLC-encapsulated because the value of the two octets following the MAC addresses is lower than 1501, so it is interpreted as frame length, implying that the contents is LLC-encapsulated (unless the two octets following the length are 0xffff). Only values above 1535 (0x5ff) are interpreted as Ethertype.

So your Lua script can save the pointer to the default dissector for encapsulation type 1 and register your dissector instead of it. Your dissector can then call the default one whenever it finds out that the frame contents cannot be dissected as your proprietary protocol. Please note that if it would call the default dissector as the first thing to do, as the code snippet in your Question suggests, you'd step into the same rabbit hole like you do now as in that case, the default dissector would do its complete job, including creation of the LLC subtree.

Just bear in mind that Wireshark is not the only recipient to be confused by an Ethernet frame of such contents.

permanent link

answered 05 Nov '16, 09:06

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

edited 05 Nov '16, 11:03

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×637
×431
×87
×6

question asked: 04 Nov '16, 01:54

question was seen: 1,545 times

last updated: 05 Nov '16, 11:03

p​o​w​e​r​e​d by O​S​Q​A