How to choose between writing a plugin or built-in dissector?

asked 2022-09-16 23:28:04 +0000

It appears that in either situation I have to rebuild the source. So what's the advantage to writing my dissector as a plugin? Is there a way to build a dissector so that I only have to give my end-user the dissector w/o a modified Wireshark executable? Would my dissector be usable only with one version of Wireshark? I am working in an air-gapped environment with no access to the net.

answered 2022-09-17 01:35:05 +0000

Chuckc
2858 ●5 ●568 ●19

updated 2022-09-17 01:40:16 +0000

Can you talk about the size/scope/future of the dissector?
There are some good points to consider in here: Plugin for Telephony menu

Also do a search on "plugin" in the Wireshark Developer’s Guide. There is a line Submit dissectors as built-in whenever possible. but if you don't plan to share/contribute the code then doesn't matter.

There is also a line in doc/README.plugins that may apply:

(Note, however, that not all OSes on which Wireshark runs can support plugins.)

It's a pretty old comment (Note that not all OSes on which Ethereal runs can support plugins.) so not sure if this is still the case.

Back to the original question about size/scope, the Wireshark Lua API may not by highest performance but it's quick to develop in, doesn't require compiling/linking and can be a single source file you push to your end-user. Examples are available on the Wiki page - here , here and in the WSDG - Chapter 10. Lua Support in Wireshark

edit flag offensive delete link

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

How to choose between writing a plugin or built-in dissector?

1 Answer

Your Answer

Question Tools

Stats

Related questions

How to choose between writing a plugin or built-in dissector? edit

1 Answer