This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'm getting started creating a dissector for an IEEE 802.15.4 packet. I'm using the TI cc2531 dongle and the Python script ccsniffpip to get data into Wireshark, and I can see the packets as raw 802.15.4 packets just fine. It seems that Wireshark is designed assuming that the 802.15.4 destination addresses are significant in the sense that ports are intended to hint at what the packet type is. For 15.4 that is often just not the case. For 15.4 the destination is more akin to an IP address. I want to decode every 15.4 packet I see. In my case, I have my protocol hiding inside the "data" section of 15.4 packets, with the first byte of the data indicating the packet type. I have no problem creating a simple Lua dissector to walk through things and build out some simple trees, but as far as I can tell, I have to go in by hand in the GUI and tell the program to Decode As "MyProtocol" for each new destination address that becomes allocated. My need is to make my dissector promiscuous to all 15.4 destination addresses. I've found notes where dissector_add_for_decode_as was exposed to Lua (https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=016769d7e2462c2238364d73c1dde1c4457fa486) (Wireshark-commits: [Wireshark-commits] master 016769d: Expose dissector_add_for_decode_as() to Lua), but I can't find any examples on how to use it. Also, any high-level architecture suggestions would be greatly appreciated.

asked 15 Feb '17, 15:26

MountainLogic


I think the best way to solve this is to register a heuristic dissector in the wpan table. Some example code:

```lua
local my_proto = Proto("myproto", "My Protocol")

local function my_proto_dissector(tvbuffer, pinfo, treeitem)
   local result = false
   -- check if tvbuffer belongs to your protocol, return true if it does ..
   return result
end

my_proto.dissector = my_proto_dissector
my_proto:register_heuristic("wpan", my_proto_dissector)
```

answered 17 Feb '17, 11:23

kim
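
The heuristic approach from the answer above, filled in for the case the question describes (first payload byte is the packet type). This is an added example, not code from kim's answer or from the Wireshark project; the type codes, field names and `PKT_TYPES` table are constructed placeholders.

```lua
-- Added example: heuristic dissector keyed on the first payload byte.
local my_proto = Proto("myproto", "My Protocol")

-- Hypothetical type codes (constructed for illustration); use your own.
local PKT_TYPES = {
    [0x01] = "Beacon",
    [0x02] = "Sensor Report",
    [0x03] = "Command",
}

local f_type    = ProtoField.uint8("myproto.type", "Packet Type", base.HEX, PKT_TYPES)
local f_payload = ProtoField.bytes("myproto.payload", "Payload")
my_proto.fields = { f_type, f_payload }

-- Regular dissector: builds the tree and returns the bytes consumed.
function my_proto.dissector(tvb, pinfo, tree)
    local len   = tvb:len()
    local ptype = tvb(0, 1):uint()
    pinfo.cols.protocol = "MYPROTO"
    pinfo.cols.info = PKT_TYPES[ptype] or string.format("Unknown (0x%02x)", ptype)
    local subtree = tree:add(my_proto, tvb(), "My Protocol")
    subtree:add(f_type, tvb(0, 1))
    if len > 1 then
        subtree:add(f_payload, tvb(1, len - 1))
    end
    return len
end

-- Heuristic: called for 802.15.4 payloads regardless of destination address.
-- Returning false hands the frame back so other dissectors can try it.
local function my_proto_heuristic(tvb, pinfo, tree)
    if tvb:len() < 1 then return false end            -- empty or truncated payload
    if PKT_TYPES[tvb(0, 1):uint()] == nil then         -- unknown type: not ours
        return false
    end
    my_proto.dissector(tvb, pinfo, tree)
    return true
end

my_proto:register_heuristic("wpan", my_proto_heuristic)
```

A single-byte match is a weak heuristic and can claim frames that belong to other protocols carried over 802.15.4, so add any further checks your format allows (expected length per type, a checksum, a version field) before returning true.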
