This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

802.15.4 Dissector for all Destinations (addressees)

0

I'm getting started creating a dissector for an IEEE 802.15.4 packet. I'm using the TI cc2531 dongle and the Python script ccsniffpip to get data into Wireshark, and I can see the packets as raw 802.15.4 packets just fine. It seems that Wireshark is designed assuming that the 802.15.4 destination addresses are significant in the sense that ports are intended to hint at what the packet type is. For 15.4 that is often just not the case. For 15.4 the destination is more akin to an IP address. I want to decode every 15.4 packet I see. In my case, I have my protocol hiding inside the "data" section of 15.4 packets, with the first byte of the data indicating the packet type. I have no problem creating a simple Lua dissector to walk through things and build out some simple trees, but as far as I can tell, I have to go in by hand in the GUI and tell the program to Decode As "MyProtocol" for each new destination address that becomes allocated. My need is to make my dissector promiscuous to all 15.4 destination addresses. I've found notes where dissector_add_for_decode_as was exposed to Lua (https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=016769d7e2462c2238364d73c1dde1c4457fa486, Wireshark-commits: "[Wireshark-commits] master 016769d: Expose dissector_add_for_decode_as() to Lua"), but I can't find any examples of how to use it. Also, any high-level architecture suggestions would be greatly appreciated.

asked 15 Feb '17, 15:26

MountainLogic
11226
accept rate: 0%


One Answer:

0

I think the best way to solve this is to register a heuristic dissector in the wpan table. Some example code:

    local my_proto = Proto("myproto", "My Protocol")

    -- Heuristic dissector: called for every 802.15.4 payload.
    local function my_proto_dissector(tvbuffer, pinfo, treeitem)
        local result = false
        -- check if tvbuffer belongs to your protocol, return true if it does
        -- ...
        return result
    end

    my_proto.dissector = my_proto_dissector
    my_proto:register_heuristic("wpan", my_proto_dissector)

answered 17 Feb '17, 11:23

kim
313
accept rate: 50%
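
A fuller version of the heuristic approach in the answer above, as an added example that is not part of the original post: it claims an 802.15.4 payload only when the first byte is a known packet type, so frames belonging to other protocols fall through to the remaining dissectors. The type values, labels and field names are hypothetical placeholders for the asker's protocol.

```lua
-- Added example: packet type values and field names are assumptions.
local my_proto = Proto("myproto", "My Protocol")

-- Constructed type table: replace with the protocol's real first-byte values.
local PACKET_TYPES = {
    [0x01] = "Beacon",
    [0x02] = "Sensor Report",
    [0x03] = "Command",
}

local f_type    = ProtoField.uint8("myproto.type", "Packet Type", base.HEX, PACKET_TYPES)
local f_payload = ProtoField.bytes("myproto.payload", "Payload")
my_proto.fields = { f_type, f_payload }

-- Normal dissector: builds the tree once the frame is known to be ours.
local function dissect(tvb, pinfo, tree)
    local ptype = tvb(0, 1):uint()
    local subtree = tree:add(my_proto, tvb())
    subtree:add(f_type, tvb(0, 1))
    if tvb:len() > 1 then
        subtree:add(f_payload, tvb(1))      -- everything after the type byte
    end
    pinfo.cols.protocol = "MyProto"
    pinfo.cols.info = PACKET_TYPES[ptype] or "Unknown type"
    return tvb:len()
end

-- Heuristic: runs for every 802.15.4 payload regardless of destination
-- address. Returning false lets other dissectors try the frame.
local function heuristic(tvb, pinfo, tree)
    if tvb:len() < 1 then
        return false                        -- empty payload, nothing to check
    end
    if PACKET_TYPES[tvb(0, 1):uint()] == nil then
        return false                        -- first byte is not one of our types
    end
    dissect(tvb, pinfo, tree)
    return true
end

my_proto.dissector = dissect                -- still selectable through Decode As
my_proto:register_heuristic("wpan", heuristic)
```

A single-byte check will also match unrelated traffic that happens to start with the same value, so add any further invariants the protocol has (fixed lengths per type, a version field, a checksum) to the heuristic before returning true.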