Replace built-in dissector with plugin

asked 2022-03-08 14:54:28 +0000 by CyberTazer

updated 2022-03-08 15:05:16 +0000 by grahamb

We wish to customize a built-in dissector. We are starting with the source of the original dissector and are adding functionality specific to our application. These items exist within the protocol structure, but are not implemented in the currently released Wireshark version of the dissector.

Our discussions of this project have established two possible paths:

  1. rename the protocol and all of the fields to completely separate it from the existing protocol. This is the most direct route, but mistakes are easy to make in a search/replace project of this type.

  2. replace the built-in dissector with our custom plugin version. The problem with this approach is that we are not really sure how to approach this option, or even if it is possible. Essentially, we would want Wireshark to choose our version of the dissector rather than the built-in version, or at least allow "dissect as" functionality. Can we disable the internal version and replace it with a dissector of the same name? Is there some strategy/process that can help us?

A few details: No, we cannot rebuild Wireshark (which would be easier from a development standpoint). We have to deploy to machines with a certified build, so changing the Wireshark version is not really an option if it can be avoided (massive amounts of paperwork).

We are currently using Wireshark 2.6 on RedHat for (reasons) and can't change it if there is any other way, as stated above. If the ONLY path forward is to rebuild, etc., I would likely look to update us to the latest release of Wireshark... but really, it is LOTS of paperwork. =-)

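The mechanism the question is asking about, as an added example that is not part of the original post and not code from the Wireshark project: a dissector-table entry in Wireshark is keyed by port (or other value), and adding a second handle for the same key replaces the first, so a plugin whose handoff runs after the built-in one becomes the default choice for that port without the built-in being disabled. What a plugin cannot do is register a protocol under the built-in's own name and filter prefix; Wireshark refuses a second protocol with a filter name that is already taken, so the custom dissector needs its own names, which is the same renaming the first option describes, only without having to rename the built-in's fields. The example below is written in Lua rather than C because a Lua script drops into the personal plugins directory (Help > About Wireshark > Folders) of an existing build, provided that build was compiled with Lua support; a C plugin would do the same thing with `dissector_add_uint()` in its `proto_reg_handoff_*()` function. The built-in being wrapped ("http" on TCP port 80) and the 4-byte vendor header with magic 0xC0DE are hypothetical placeholders chosen for the example, not anything the question specifies.

```lua
-- Added example (not from the question or the Wireshark project): a Lua plugin
-- that takes over a built-in dissector's tcp.port entry and delegates the
-- standard part of each packet back to the built-in dissector.
--
-- Assumptions (hypothetical, adjust for the real protocol):
--   * the built-in dissector is registered under the name "http" on TCP port 80;
--   * our application prepends a 4-byte vendor header (magic 0xC0DE, version,
--     flags) that the built-in dissector does not understand.

local BUILTIN_NAME = "http"     -- name of the built-in dissector being replaced
local PORT         = 80         -- dissector-table entry being taken over
local TABLE_NAME   = "tcp.port"

local EXT_MAGIC   = 0xC0DE      -- constructed value for the hypothetical header
local EXT_HDR_LEN = 4

-- The plugin must NOT reuse the built-in protocol's name or filter prefix:
-- Wireshark refuses to register a second protocol with a filter name that is
-- already taken, so the custom protocol gets its own names.
local ext_proto = Proto("http_vendorext", "Vendor extension of HTTP (example)")

local f_magic   = ProtoField.uint16("http_vendorext.magic",   "Magic",   base.HEX)
local f_version = ProtoField.uint8 ("http_vendorext.version", "Version", base.DEC)
local f_flags   = ProtoField.uint8 ("http_vendorext.flags",   "Flags",   base.HEX)
ext_proto.fields = { f_magic, f_version, f_flags }

-- Keep a handle to the original so the standard part of the packet is still
-- decoded by the built-in code instead of being reimplemented here.
local builtin = Dissector.get(BUILTIN_NAME)

function ext_proto.dissector(tvb, pinfo, tree)
    -- Not one of ours: hand the whole packet to the built-in dissector so
    -- plain traffic on this port keeps dissecting exactly as before.
    if tvb:len() < EXT_HDR_LEN or tvb(0, 2):uint() ~= EXT_MAGIC then
        return builtin:call(tvb, pinfo, tree)
    end

    pinfo.cols.protocol = "HTTP+EXT"
    local subtree = tree:add(ext_proto, tvb(0, EXT_HDR_LEN), "Vendor extension header")
    subtree:add(f_magic,   tvb(0, 2))
    subtree:add(f_version, tvb(2, 1))
    subtree:add(f_flags,   tvb(3, 1))

    -- Delegate the remainder to the built-in dissector with a trimmed buffer
    -- that starts right after the vendor header.
    local rest = tvb(EXT_HDR_LEN):tvb()
    builtin:call(rest, pinfo, tree)
    return tvb:len()
end

-- Adding our handle for the same port replaces the built-in entry in the
-- table, so Wireshark now picks ext_proto by default for that port. The
-- built-in dissector is not removed: it remains reachable via "Decode As"
-- and via the Dissector.get() handle used above.
local tbl = DissectorTable.get(TABLE_NAME)
tbl:add(PORT, ext_proto)
```

The check on the magic value is what keeps the override safe to deploy: any packet that does not carry the vendor header is passed through untouched, so the only behavioural change for existing captures is the extra subtree on the packets the built-in dissector could not decode anyway. The same pattern transfers to a C plugin built from the original dissector's source: register the protocol and fields under new names, then in the handoff function obtain the original handle with `find_dissector()` and call `dissector_add_uint()` for the port, which replaces the built-in's table entry in the same way `tbl:add()` does here.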