Ask Your Question
0

Dissector compatibility with various Wireshark versions

asked 2025-09-16 09:22:27 +0000

Unknown user gravatar image

Trying to implement a dissector for Wireshark I faced trouble displaying my protocol name in COL_PROTOCOL column. Turned out the reason was that COL_PROTOCOL value passed to col_set_str was different from what my particular Wireshark version expected: Wireshark was 4.4.9 while API headers were for 4.7.something, and a new COL_* constant was added between the two versions.

As far as I could google, compatibility for plugins between various Wireshark versions is not guaranteed (and for the COL_* constants it is actually stated right in the source code that the values WILL change). This, however, poses a question.

Does that actually mean that for every user willing to view our protocol dissected (like a few dozens of them all over the country using different Wireshark versions) we’ll have to provide separate DLLs that should match particular user’s Wireshark version while being exactly the same inside? What’s even worse, the plugin is going to share the source code with software actually implementing the protocol, and the software is written in a different programming language than any of Wireshark-supported ones, so this basically means diffing every Wireshark version source code looking for possible inconsistencies introduced.

What actually is the Wireshark policy about this?

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2025-09-16 09:44:37 +0000

grahamb gravatar image

The policy is as noted, there is no guaranteed compatibility between versions, the project team do attempt to maintain compatibility within a release, e.g. 4.4.x.

The simplest way to manage this is to submit dissectors to the Wireshark project as a "C" built-in dissector and the Wireshark team will test and maintain things for you and, as a bonus, users will not have to guess which version of the plugin DLL they need.

If you want to keep the dissector as a separate project then the maintenance burden falls on you.

You should also take note of the Wireshark licence (https://www.gnu.org/licenses/old-lice...) and if distributing plugins to external users, ensure you comply with the licence, in particular availability of source code.

edit flag offensive delete link more

Comments

...and bear in mind that, if "DLL" means "Windows DLL", providing only a Windows DLL means that users on, for example, Linux or macOS won't be able to use your dissector.

Guy Harris gravatar imageGuy Harris ( 2025-09-16 19:00:48 +0000 )edit

Since the protocol is used for sensitive tasks related to public safety, I doubt making pieces of it publicly available by adding its dissector to official Wireshark sources is a way to go. Not to mention C implementation will then either always be out-of-date or take additional time to support. So, I guess, we’ll have to stick to diffing Wireshark sources. Distribution within the departments of the same organization looks complying to GPL, although noone will ever actually want to see the sources.

Linux and MacOS support is not needed for the project anyway, so, luckily, that’s not a problem.

Still, it somehow feels wrong that some pretty basic stuff like column IDs is so volatile between versions. Mapping API values to internal values (if needed) looks like an easy and obvious thing to do, preventing breaking changes in minor versions at least :-(

Unknown user gravatar imageUnknown user ( 2025-09-17 08:07:26 +0000 )edit

If you can think of improvements, merge requests can be added at our Git Lab instance: https://gitlab.com/wireshark/wireshar...

grahamb gravatar imagegrahamb ( 2025-09-17 16:40:07 +0000 )edit

If all users are using windows why not use the latest wireshark release + plugin or distribute complete installer.

Anders gravatar imageAnders ( 2025-09-23 09:43:31 +0000 )edit

@Anders Although the users are from the same organization, the departments are distributed geographically and have various computer configurations as well as own service teams each. So, while theoretically possible, actually making them all use latest releases is quite a complex task. This makes me afraid of the versioning hell: the last thing I’m willing to investigate is when incompatible versions of the DLL and the Wireshark itself meet. It was even painful to debug now, within a single developer’s computer, knowing all possible causes. After a few releases with breaking changes this might become a real nightmare.

Unknown user gravatar imageUnknown user ( 2025-10-14 09:43:43 +0000 )edit
see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2025-09-16 09:22:27 +0000

Seen: 5,848 times

Last updated: Sep 16

Related questions

how to decode part of a message as IPv4 with a custom dissector?

build errors. First time cmake user

How can I make my custom packet dissector distributable?

custom C/C++ plugin will not load - no indication why

unable to add a plugin to wireshark

Custom Plugin not showing for wireshark group user but showing non-wireshark group user

Ignoring false bytes in tvb

compile plugin with call to conversation_set_port2()

how to invert two bytes in lua script dissector ?

How do I get and display packet data information at a specific byte from the first byte?