How to use dissector not in "decode as"

0
1

I have made a custom dissector but do not know how to use it in wireshark.
It appears that it should work, as I am able to type it into the filter bar and it turns green. However, it is not listed in the "decode as" menu, therefore I do not know of anyway to use it.

Is there a way to add this custom dissector to the decode as menu or simply use it some other way?

asked 18 Jul '12, 08:48

bball2601's gravatar image

bball2601
1566
accept rate: 50%

One Answer:
oldestnewestmost voted
0

You should read README.developer, which shows you how to add your dissector to another dissector's table similar to this:

void proto_reg_handoff_myproto(void)
{
    //...
    dissector_add_uint("tcp.port", myport, myproto_handle);
    //...
}

...where myproto is your protocol's abbreviation. The above assumes your protocol is built on top of another. If your protocol is supposed to be the lowest-level protocol, you may need more code.

Also note that your dissector may not be automatically added to the "Decode As..." menu (see here).

link

answered 18 Jul '12, 10:31

multipleinterfaces's gravatar image

multipleinte...
1.1k71229
accept rate: 12%

1

It's also possible to use dissector_add_handle("tcp.port", myproto_handle); instead of dissector_add_uint(...); if you want your protocol accessible only in the "decode as" menu.

Look at proto_reg_handoff...(){...} in various dissectors in epan/dissectors for examples.

(18 Jul '12, 10:57) Bill Meier ♦

I tried the dissector_add_uint method, but my dissector only decodes a few UDP packets rather than all of them. Also wouldnt this method only decode UDP packets that use the same source port as "myport"?
What would I have to do to have it decode any UDP packet, regardless of the ports?

(23 Jul '12, 08:14) bball2601

wouldnt this method only decode UDP packets that use the same source port as "myport"? yes (well source or dest port and the port can be made a preference.)

You could try a heuristic dissector but that means that your dissector will have to "look at" a number of bytes in the packet and determine if it's your protocol or not.

(23 Jul '12, 08:54) Anders ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×211
×12
×6

Asked: 18 Jul '12, 08:48

Seen: 1,036 times

Last updated: 23 Jul '12, 08:54

Related questions

how to add custom protocol dissector for layer 1 (ethernet) protcol

How does TCP track sequence numbers?

Why does the "decode as" dialog only shows entrys for link layer.

OMA ULP Protocol version 2.0 support problem and Malformed Packet: ULP error

tcp options dissection

new wireshark dissector

couldn't load my own dll with latest 1.6.1 version

How to add a custom token-ring packet dissector

Reassemble Problem atop UDP

How can I dissect fields less than 1-byte wide?

about | faq | privacy | support | contact

powered by OSQA