This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Implementing an independent protocol in Wireshark.


Hi,

I want to implement a protocol in Wireshark and decode its packets according to what is specified in the protocol specification. The protocol need not be a networking protocol. I will provide the data to decode in the form of a .csv file.

I have read the developer's guide on implementing a custom dissector on top of some other protocol like TCP/UDP etc. But in my case it is completely different, because firstly the protocol data comes from a CSV file, and secondly it will run independently, not on top of any other existing protocol.

Is it feasible to implement such customizations in Wireshark? How shall I proceed with the development? What modules do I need to change? My purpose with this kind of implementation is to analyze protocol data through Wireshark.

Looking for a reply. Thanks in advance :)

asked 17 Jan '12, 00:37


ashish_goel

If your protocol "[runs] independently not top of any other existing protocol", that means it's a link-layer protocol; it cannot be a network-layer protocol, as those run on top of link-layer protocols such as Ethernet or PPP, and it cannot be a transport-layer protocol, as those run on top of network-layer protocols such as IPv4 or IPv6, and it cannot be a higher-level protocol, as those ultimately run on top of transport-layer protocols such as TCP or UDP.

On what type of physical network does your protocol run?

(17 Jan '12, 01:55) Guy Harris ♦♦

Hi Harris, thanks for the reply.

For my protocol it is not about the layer. My requirement is that I have some data and I have to display it in a meaningful way, like displaying the packet type, its payload etc. So all in all, I can say that I want to use Wireshark as the decoder and display tool for the raw data.

For example assume the following data comes to wireshark as per my protocol:

Example Data : 01 00001101 0101

The above represents bits coming to me. Now suppose that according to my protocol specs, the first two bits identify the type of packet. So let's assume 01 specifies that this is a "PACKET A"; then the next 8 bits represent the payload of this "PACKET A" and the last 4 bits represent the checksum. So I want it to be displayed as:

PACKET A : 01 PAYLOAD : 00001101 CHECKSUM : 0101

I guess my requirement is clear to you.

(17 Jan '12, 02:39) ashish_goel

One Answer:


You can implement a dissector for a protocol that does not run on top of another (as Guy said in his comment, this would be a link-layer protocol). What you cannot do is feed your CSV file directly into Wireshark, as this is not a file format Wireshark currently understands. My guess is that this is the output of some other program that you are interested in reviewing. While it is possible to use Wireshark for this task, it will require some additional work. Since you will be doing some sort of additional work to display your data, I might recommend that you go another route to display your data (e.g. write a Python script that examines and displays your data, or a VB form to do the same).

Since your data files are almost certainly not in a binary format (and certainly not one Wireshark already understands), using Wireshark will ultimately require converting your CSV files to another format first. One method of doing this that I have used in the past goes like this:

  1. Create a tool that translates your CSV file into something Wireshark can manage, like a pcap file. This could be just about anything, and will run separately from Wireshark for each input CSV.
  2. Implement your dissector so that it is registered on the wtap_encap dissector table for the data_link_type number you selected in writing your first tool.
  3. Any time you want to view one of your data sets in Wireshark, you must first pass it through the tool you created in step 1 before opening the file in Wireshark.

This strategy allows you to leverage Wireshark for much of the heavy lifting in terms of display, filtering, searching, and so on without having to write all of that yourself. What it requires is a little translation of your data from one format to another, and, more drastically, learning how to program for Wireshark. Once you get used to it, it is quite simple, but the learning curve can be a little steep at times.

answered 17 Jan '12, 07:04


multipleinte...
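The three-step route in the answer above, as an added example that is not part of the original answer or of Wireshark itself: a small Python converter that turns a CSV of bit strings (laid out as in the question: 2-bit type, 8-bit payload, 4-bit checksum) into a pcap file whose link-layer type is the private-use value LINKTYPE_USER0 (147), the number a dissector would then register on the wtap_encap table. The CSV content, the column names, the 14-bit frame layout and the "01 = PACKET A" mapping are assumptions taken from the thread's own example; the decode_frame function only mirrors what the dissector would display, it is not a Wireshark dissector.

```python
import csv
import io
import struct

# Constructed sample input: one frame per row, "timestamp,bits" columns.
# Row 1 is the example from the question; row 2 is a made-up second frame.
SAMPLE_CSV = """timestamp,bits
1326789600,01 00001101 0101
1326789601,10 11110000 1111
"""

LINKTYPE_USER0 = 147   # first private-use link-layer type (assumption: the dissector registers on it)
PCAP_MAGIC = 0xA1B2C3D4
FRAME_BITS = 14        # 2 type + 8 payload + 4 checksum, per the question's layout (assumption)
PACKET_NAMES = {"01": "PACKET A"}   # only mapping given in the thread (assumption)


def bits_to_bytes(bitstring):
    """Pack a string of 0/1 (spaces allowed) into bytes, zero-padding the last byte."""
    bits = bitstring.replace(" ", "")
    if not bits or any(c not in "01" for c in bits):
        raise ValueError("bit string must contain only 0, 1 and spaces: %r" % bitstring)
    bits += "0" * (-len(bits) % 8)          # pad to a whole number of bytes
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def csv_to_pcap_bytes(csv_text, linktype=LINKTYPE_USER0):
    """Step 1 of the answer: CSV -> classic pcap (little-endian, version 2.4)."""
    out = io.BytesIO()
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, network
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for row in csv.DictReader(io.StringIO(csv_text)):
        payload = bits_to_bytes(row["bits"])
        ts_sec = int(row["timestamp"])
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out.write(struct.pack("<IIII", ts_sec, 0, len(payload), len(payload)))
        out.write(payload)
    return out.getvalue()


def read_pcap_records(data):
    """Parse the file back: returns (linktype, [(ts_sec, frame_bytes), ...])."""
    magic, _major, _minor, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    records, off = [], 24
    while off < len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % off)
        records.append((ts_sec, data[off:off + incl_len]))
        off += incl_len
    return linktype, records


def decode_frame(frame, nbits=FRAME_BITS):
    """What the dissector (step 2) would show for one frame of the question's layout."""
    bits = "".join(format(b, "08b") for b in frame)
    if len(bits) < nbits:
        raise ValueError("frame too short: %d bits, need %d" % (len(bits), nbits))
    bits = bits[:nbits]                      # drop the zero padding added by bits_to_bytes
    ptype = bits[0:2]
    return {
        "type": ptype,
        "name": PACKET_NAMES.get(ptype, "UNKNOWN"),
        "payload": bits[2:10],
        "checksum": bits[10:14],
    }


if __name__ == "__main__":
    pcap = csv_to_pcap_bytes(SAMPLE_CSV)
    with open("frames.pcap", "wb") as fh:   # step 3: open this file in Wireshark
        fh.write(pcap)
    _, recs = read_pcap_records(pcap)
    for ts, frame in recs:
        f = decode_frame(frame)
        print("%s : %s PAYLOAD : %s CHECKSUM : %s" % (f["name"], f["type"], f["payload"], f["checksum"]))
```

Because each frame is padded to a whole byte, the dissector must know the fixed bit length (or the converter must prepend a length field) to tell real bits from padding; the same holds for any checksum field, which here is simply displayed, not verified.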

@multipleinterfaces: Your solution looks feasible to me. But rather than building a tool for conversion, can't I add support for my defined .csv format to Wireshark's import formats?

(17 Jan '12, 20:36) ashish_goel

Yes, you could. Look at wiretap/README.developer for what's required.

(18 Jan '12, 01:48) Jaap ♦

Has anybody added a new import format in wiretap? If anybody has done it before, please share how things went and how exactly you implemented it.

(29 Jan '12, 02:25) ashish_goel