This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to develop my own traffic data analyzer through wireshark


In my department, we have implemented a new communication protocol. Now, we want to analyze the data traffic in order to show it clearly to the students.

We think we can develop a new filter, specific to our protocol, in Wireshark, but we are not sure about this possibility. So we have a few questions...

Is it possible to develop your own Wireshark in order to analyse the traffic of your self-created network protocol? Which are the required libraries? And which programming language?

Thanks in advance, Alex.

asked 16 Jul '13, 07:17

aleshark

edited 16 Jul '13, 07:29

grahamb ♦


2 Answers:


What you are describing is a Wireshark dissector. There are a few methods to create a dissector; you can look at my SharkFest'13 presentation "PA-10: Writing a Wireshark Dissector", which is downloadable from the SharkFest website, for an introduction to writing a dissector using WSGD, Lua or traditional C-based dissectors.

answered 16 Jul '13, 07:24

grahamb ♦

I haven't seen your presentation before. Nice work!

(16 Jul '13, 07:35) Kurt Knochner ♦

Thanks, come to SharkFest and hear it live!

(16 Jul '13, 07:38) grahamb ♦

maybe next year. will see...

(16 Jul '13, 07:39) Kurt Knochner ♦

you should. Just do a talk, and skip the conference fee ;-)

It's the best conference of the year for network analysts IMHO. I'm still slightly annoyed that I didn't start attending back in 2008 :-)

(16 Jul '13, 08:05) Jasper ♦♦

If I find an interesting subject, maybe I'm going to apply for a slot ;-)) Suggestions are welcome...

(16 Jul '13, 08:07) Kurt Knochner ♦

I'll let you know when the time comes ;-)

(16 Jul '13, 10:38) Jasper ♦♦

Thanks for the answers, but I have been questioning myself this afternoon about...

Wireshark Generic Dissector (WSGD) allows dissection of a protocol based on a text file description and doesn't require a development environment, as you say in your conference, but... "It needs to copy the appropriate version of the plugin".

Let me explain myself...

generic.dll allows, according to http://wsgd.free.fr/, describing two protocols named "Example1" and "Example2". So if I want to build up my own protocol analyzer, I guess I must rebuild a new generic.dll or whatever with the description of my protocol layers, and after that, define my protocol (.wsgd) and its fields (.fdesc). Am I wrong?

(16 Jul '13, 12:18) aleshark

No need to build the DLL yourself, but you must use a matching DLL for your version of Wireshark. The only parts you have to create are the two text files; .wsgd & .fdesc.

(16 Jul '13, 15:41) grahamb ♦
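Graham's answer above lists Lua as one of the routes. The following is an added example written for this archive page, not code from the original thread or from the presentation it mentions: a minimal Lua dissector for a hypothetical classroom protocol ("ECP"), assumed to run on UDP port 9999 with an invented 8-byte header (1-byte version, 1-byte message type, 2-byte payload length, 4-byte sequence number) followed by the payload. Every name, field and port number in it is an assumption chosen for illustration. It also shows the one thing a dissector author should not skip: the length field in the packet is never trusted, because the dissector runs inside Wireshark's process on whatever bytes arrive on the wire.

```lua
-- Added example (not from the original Q&A): Lua dissector for a hypothetical
-- "Example Course Protocol" (ECP). Wire format and UDP port are assumptions:
--   offset 0, 1 byte : version
--   offset 1, 1 byte : message type (1=HELLO, 2=DATA, 3=ACK)
--   offset 2, 2 bytes: payload length, big-endian
--   offset 4, 4 bytes: sequence number, big-endian
--   offset 8 .. n    : payload
local ecp = Proto("ecp", "Example Course Protocol")

-- Message type names, used both as a value string and in the Info column.
local type_names = { [1] = "HELLO", [2] = "DATA", [3] = "ACK" }

-- Field definitions. The abbreviations become display-filter names,
-- e.g. "ecp.type == 2" or "ecp.seq > 100".
local f_version = ProtoField.uint8("ecp.version", "Version", base.DEC)
local f_type    = ProtoField.uint8("ecp.type", "Message Type", base.DEC, type_names)
local f_len     = ProtoField.uint16("ecp.len", "Payload Length", base.DEC)
local f_seq     = ProtoField.uint32("ecp.seq", "Sequence Number", base.DEC)
local f_payload = ProtoField.bytes("ecp.payload", "Payload")
ecp.fields = { f_version, f_type, f_len, f_seq, f_payload }

-- Expert info items flag malformed input instead of letting the dissector
-- read past the end of the buffer.
local ef_short = ProtoExpert.new("ecp.short_header", "ECP header truncated",
    expert.group.MALFORMED, expert.severity.ERROR)
local ef_len = ProtoExpert.new("ecp.bad_len",
    "Declared payload length exceeds bytes present in packet",
    expert.group.MALFORMED, expert.severity.WARN)
ecp.experts = { ef_short, ef_len }

local HEADER_LEN = 8

-- Called by Wireshark for every packet handed to this protocol.
function ecp.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "ECP"
    local subtree = tree:add(ecp, tvb(), "Example Course Protocol")

    -- Bounds check before touching any header field.
    if tvb:len() < HEADER_LEN then
        subtree:add_proto_expert_info(ef_short)
        return
    end

    subtree:add(f_version, tvb(0, 1))
    subtree:add(f_type, tvb(1, 1))
    subtree:add(f_len, tvb(2, 2))
    subtree:add(f_seq, tvb(4, 4))

    -- Clamp the payload to what is actually in the packet; the length field
    -- comes from the network and may be wrong or hostile.
    local declared  = tvb(2, 2):uint()
    local available = tvb:len() - HEADER_LEN
    local plen = declared
    if declared > available then
        subtree:add_proto_expert_info(ef_len)
        plen = available
    end
    if plen > 0 then
        subtree:add(f_payload, tvb(HEADER_LEN, plen))
    end

    local mtype = tvb(1, 1):uint()
    pinfo.cols.info = string.format("%s seq=%d len=%d",
        type_names[mtype] or ("Type " .. mtype), tvb(4, 4):uint(), declared)
end

-- Hook the dissector into the UDP port table so matching packets reach it.
DissectorTable.get("udp.port"):add(9999, ecp)
```

To try it, save the file in the personal Lua plugins folder listed under Help -> About Wireshark -> Folders, then use Analyze -> Reload Lua Plugins (or restart Wireshark) and apply the display filter `ecp` to a capture containing traffic on the assumed port. Students can then see every header field as its own filterable item, and a deliberately truncated packet will show the expert warning instead of a Lua error.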


Please have a look at the Generic Wireshark Dissector.

http://wsgd.free.fr/

It's a very easy way to add protocol support for new protocols.

The other way would be to write your own dissector.

http://wiki.wireshark.org/Development
http://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html

Regards
Kurt

answered 16 Jul '13, 07:21

Kurt Knochner ♦

Plus, there was a talk at this year's Sharkfest by Graham Bloice, which you can find at http://sharkfest.wireshark.org/sharkfest.13/index.html

(16 Jul '13, 07:25) Jasper ♦♦

I'm sorry I'm so slow at typing my response, beaten by Kurt and Jasper today :-(

(16 Jul '13, 07:28) grahamb ♦

Graham, no worries, your clock is running with a 1 hour delay. Not your fault :-)

Also, a good answer always takes time.

(16 Jul '13, 07:44) Jasper ♦♦

Never mind. I'll slow down my typing/answering speed in order for others to have a chance to answer as well ;-))

(16 Jul '13, 07:45) Kurt Knochner ♦