Ask Your Question

How to dissect a VLAN frame based on Ethertype

asked 2018-05-21 12:34:49 +0000

gerolima gravatar image

updated 2018-05-22 23:15:17 +0000

Guy Harris gravatar image


I'm trying to write a new dissector for an in-house protocol. This protocol is completely L2, there is no IP header. The frame will be dissected using a specific, but I cannot find a way to do so... The following doesn't seem to be working:

dissector_add_uint("", xxx_vlan, xxx_handle);

Do i need to use another library than epan/packet.h??

edit retag flag offensive close merge delete


Does your protocol have a unique ethertype value, or is it just re-using one already assigned for another purpose? The Ethertype table is here.

grahamb gravatar imagegrahamb ( 2018-05-21 14:12:49 +0000 )edit

it's just 0x8100, 802.1Q type

gerolima gravatar imagegerolima ( 2018-05-21 14:44:34 +0000 )edit

it's just 0x8100, 802.1Q type

That's not the Ethertype value for your protocol, it's the value that's put in the last 2 octets of the Ethernet header to indicate that this is an 802.1Q-tagged frame. At least according to 802.1Q, that value is the TPID of the tag header; what follows it is the 2-octet TCI field, which is the second part of the tag header.

So, for those frames, what follows the VLAN tag header? Is it a 2-octet Ethertype field, as 802.1Q seems to indicate that it should be on Ethernet, or is it something else?

Guy Harris gravatar imageGuy Harris ( 2018-05-21 21:00:56 +0000 )edit

Yeap, you're right, sorry I always mix up these two. The ethertype is 0xa003. To be honest, I could also use ethertype instead of to call the dissect. I tried that also but I had the same result...

gerolima gravatar imagegerolima ( 2018-05-22 06:08:51 +0000 )edit

I.e. all of your packets have in them, starting with the destination MAC address at the beginning:

  • a 6-octet destination MAC address;
  • a 6-octet source MAC address;
  • a 2-octet VLAN TPID value of 0x8100;
  • a 2-octet VLAN TCI field
  • a 2-octet Ethertype value of 0xa003;
  • the protocol payload?
Guy Harris gravatar imageGuy Harris ( 2018-05-22 16:18:55 +0000 )edit

4 Answers

Sort by ยป oldest newest most voted

answered 2018-05-22 08:47:03 +0000

grahamb gravatar image

Now that you've provide the information that your data is using an Ethertype of 0xA003, you should be able to add your dissector to the ethertype table:

dissector_add_uint("ethertype", 0xA003, xxx_handle);
edit flag offensive delete link more


I tried that but no luck. At the moment I'm pulling the latest changes from wireshark-dev. Perhaps I'm missing something there. I will update as soon as I'm ready

gerolima gravatar imagegerolima ( 2018-05-22 12:18:39 +0000 )edit

That's what all the other ethertype dissectors do. Search for "ethertype" in the dissectors directory to see examples.

grahamb gravatar imagegrahamb ( 2018-05-22 13:08:29 +0000 )edit

thanks it worked. I just needed to update my git repository to the latest

gerolima gravatar imagegerolima ( 2018-05-22 18:14:52 +0000 )edit

If an answer has solved your issue, please "accept" it by clicking the checkmark icon next to the answer, for the benefit of others with the same type of question

grahamb gravatar imagegrahamb ( 2018-05-23 07:03:40 +0000 )edit

answered 2018-05-21 20:21:41 +0000

sindy gravatar image

If you don't want to modify other dissectors to make yours work, you can fetch the pointer to the VLAN dissector from the ethertype table and store it in a variable, then register your own dissector to the table instead, and let your dissector call the VLAN one if the VID doesn't match the one you've used to identify your protocol. If it matches, your dissector has to do the job of the VLAN one (or just skip the bytes without dissecting them if you are not a perfectionist).

edit flag offensive delete link more


Ok, I'm lost here, could you please post a draft example of the code to do that?

gerolima gravatar imagegerolima ( 2018-05-22 06:08:42 +0000 )edit

answered 2018-05-21 14:15:43 +0000

cmaynard gravatar image

updated 2018-05-21 14:33:25 +0000

grahamb gravatar image

The vlan dissector does not register a dissector table, so unless you modify the dissector, what you're attempting to do isn't going to work.

For example, see the call to register_dissector_table() made in packet-ethertype.c's proto_register_ethertype() routine or search the Wireshark sources for many more examples.

$ grep register_dissector_table packet*.c | wc -l
edit flag offensive delete link more

answered 2018-05-21 14:06:35 +0000

Anders gravatar image

There is no dissector table with the name "" and that's why your code does not work. You need to modify the vlan dissector to call your dissector with the rest of the frame when your is detected possibly by adding the dissector table for "" to the vlan dissector and the code to use it.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-05-21 12:34:49 +0000

Seen: 138 times

Last updated: May 22