Can't get a DLT_USER type to be dissected as MIME multipart

asked 2023-06-21 06:45:34 +0000 by lacirta3@freemail.hu

updated 2023-06-22 07:52:20 +0000 by Guy Harris

Hi!

We have a custom link-layer type PCAPNG EPB structure, which contains a MIME-multipart message (directly, from boundary, so no HTTP2 headers and such).

How can I get it to show in WS? I found the mime_multipart dissector, but I can't get it working. When using a custom DLT_USER with "mime_multipart" it shows "dissector not found" (WS ver 3.6.2). I also tried to call Dissector.get from a Lua script, but it's not working.

Is there a way to do this?

Thanks.


Comments

We have a custom PCAPNG EPB structure

What does "custom PCAPNG EPB structure" mean? The only things that can be customized in a pcapng Enhanced Packet Block are 1) you can add custom options or 2) add a local-use option (one with the uppermost bit set in the option type). You can't change the fixed portion of the EPB.

When using a custom DLT_USER

That's not "a custom PCAPNG EPB structure", that's a custom link-layer type, which can be used with pcap or pcapng files. Is that what you mean - you are using a DLT_USER value (or, rather, a LINKTYPE_USER value) in the Interface Description Block for the interface on which the EPB arrived?

Guy Harris (2023-06-21 08:28:50 +0000)

Yes, I meant to say that the link-layer type is a custom value (DLT_USER). The EPB structure is fixed, of course.

lacirta3@freemail.hu (2023-06-21 11:12:25 +0000)

1 Answer

answered 2023-06-22 06:45:18 +0000 by Guy Harris

When using a custom DLT_USER with "mime_multipart" it shows: dissector not found

That's because Wireshark didn't find a dissector named "mime_multipart".

It failed to find it because there is no dissector in Wireshark 3.6.x or 4.0.x named "mime_multipart".

There is a dissector for multipart/ media types, but, in all current Wireshark releases, it has no name, so the only way it gets called is if there's data that's identified by some other protocol in the packet as having a media type of multipart/<something>; there's no way to explicitly say "hand this to the multipart/ media type dissector".

The only ways to do that would either be to 1) wait for Wireshark 4.2, in which that dissector has a name ("mime_multipart"), or 2) use a "bleeding edge" Wireshark build from the "automated builds" area, where there are source code trees under "src" (which you will have to build yourself) and 32-bit Windows, 64-bit Windows, and macOS x86-64 and ARM64 builds under "win32", "win64", and "osx", respectively.

If you go with 2), you're living on the bleeding edge, so you may get buggier behavior than with an official release.


Comments

Okay, thank you for your answer. I'll try the bleeding edge for now; also, the 4.2 release should be near (Q4 2023) according to the WS lifecycle.

Thanks, L.

lacirta3@freemail.hu (2023-06-22 07:10:57 +0000)
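As an added example (not code from this thread or from the Wireshark project), the following Lua dissector does what the question asks for on a 3.6.x or 4.0.x build, where the multipart dissector has no name. It registers itself for the link-layer type LINKTYPE_USER0 (147 in the capture file, which Wireshark exposes to Lua as wtap.USER0), probes for the named "mime_multipart" dissector under pcall (Dissector.get raises a Lua error for an unknown name, which is the "not working" the question describes), and otherwise parses the body itself: it takes the boundary from the dash-boundary line at offset 0, walks the delimiters, shows each part's headers, and hands each part's body to the "media_type" dissector table keyed on its Content-Type. Assumptions: the frame starts directly at the dash-boundary line with no framing in front of it, either CRLF or bare LF line endings, and (on 4.2 and later only) that the named dissector can be called without media-type parameters; if it returns 0 on your build, the hand parser runs instead.

```lua
-- mime_user0.lua: dissect a raw MIME multipart body carried directly in frames
-- whose link-layer type is LINKTYPE_USER0 (147 in the file, wtap.USER0 inside
-- Wireshark). Assumed layout: dash-boundary line, parts, closing delimiter.
local proto = Proto("user0mime", "MIME multipart over LINKTYPE_USER0")

local f_boundary = ProtoField.string("user0mime.boundary", "Boundary")
local f_header   = ProtoField.string("user0mime.header",   "Part header")
proto.fields = { f_boundary, f_header }

local media_type = DissectorTable.get("media_type")
local data_dis   = Dissector.get("data")

-- Dissector.get() raises a Lua error ("No such dissector") for an unknown
-- name, so probe it under pcall. Only 4.2 and later register "mime_multipart".
local function optional_dissector(name)
  local ok, d = pcall(Dissector.get, name)
  if ok then return d end
  return nil
end
local builtin_multipart = optional_dissector("mime_multipart")

-- Fallback for 3.6/4.0: walk the delimiters ourselves and dispatch each part's
-- body through the "media_type" table. DissectorTable:try() falls back to the
-- data dissector when no dissector is registered for the given media type.
local function dissect_by_hand(tvb, pinfo, root)
  local s  = tvb:raw()                       -- whole frame as a Lua byte string
  local nl = s:find("\n", 1, true)
  if s:sub(1, 2) ~= "--" or not nl then
    root:append_text(" [no dash-boundary line at offset 0]")
    data_dis:call(tvb, pinfo, root)
    return
  end
  local first_line = (s:sub(1, nl - 1):gsub("\r$", ""))
  local boundary   = first_line:sub(3)       -- strip the leading "--"
  root:add(f_boundary, tvb(0, #first_line), boundary)

  local delim = "\n--" .. boundary           -- delimiter always starts a line
  local pos, n = nl + 1, 0                   -- 1-based start of the next part
  while true do
    local d = s:find(delim, pos, true)       -- plain find: boundary is not a pattern
    if not d then break end
    local pend = d - 1
    if s:sub(pend, pend) == "\r" then pend = pend - 1 end  -- CRLF belongs to the delimiter
    n = n + 1
    local part  = s:sub(pos, pend)
    local ptree = root:add(tvb(pos - 1, #part), "Part " .. n)

    -- Headers end at the first empty line; what follows is the body (RFC 2046).
    local hs, he = part:find("\r?\n\r?\n")
    local headers = hs and part:sub(1, hs - 1) or part
    local ct = "application/octet-stream"
    for lpos, line in headers:gmatch("()([^\r\n]+)") do
      ptree:add(f_header, tvb(pos - 1 + lpos - 1, #line))
      local mt = line:match("^[Cc]ontent%-[Tt]ype:%s*([^;%s]+)")
      if mt then ct = mt:lower() end
    end
    ptree:append_text(" (" .. ct .. ")")
    if hs and #part > he then
      local body = tvb(pos - 1 + he, #part - he):tvb()
      media_type:try(ct, body, pinfo, ptree)  -- no media-type parameters are passed
    end

    -- "--boundary--" closes the message; otherwise skip to the next line.
    local after = d + #delim
    if s:sub(after, after + 1) == "--" then break end
    local eol = s:find("\n", after, true)
    if not eol then break end
    pos = eol + 1
  end
  root:append_text(" (" .. n .. " parts)")
  pinfo.cols.info = "MIME multipart, " .. n .. " parts, boundary=" .. boundary
end

function proto.dissector(tvb, pinfo, tree)
  pinfo.cols.protocol = "MIME"
  local root = tree:add(proto, tvb())
  if builtin_multipart then
    -- Assumption (4.2+ only): the named dissector accepts a body starting at the
    -- dash-boundary when called without media-type parameters. Verify on your
    -- build; if it returns 0, the hand parser below takes over.
    local consumed = builtin_multipart:call(tvb, pinfo, root)
    if consumed and consumed > 0 then return consumed end
  end
  dissect_by_hand(tvb, pinfo, root)
  return tvb:len()
end

-- LINKTYPE_USER0 (147) in a pcap/pcapng IDB is mapped to wtap.USER0 on read.
DissectorTable.get("wtap_encap"):add(wtap.USER0, proto)
```

To try it without a real capture, write a hex dump of one multipart body to a text file, turn it into a pcap with the user link type via `text2pcap -l 147 dump.txt user0.pcap`, and run `tshark -X lua_script:mime_user0.lua -r user0.pcap -V`. On 4.2 and later the same result can be had with no Lua at all by pointing the DLT_USER protocol preference for LINKTYPE_USER0 at "mime_multipart", as the answer above describes.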
