Ask Your Question
0

Dissector plugin dissector_add clarification

asked 2018-06-28 19:28:00 +0000

karkee gravatar image

updated 2018-06-28 19:46:05 +0000

Jaap gravatar image

I am trying to write my very first dissector plugin, and I'm unsure about the first parameter of dissector_add_uint. The function is referenced in both the Wireshark Developer’s Guide and the packet-PROTOABBREV.c / README.dissector files. However, I'm not sure how to know what to choose for the first parameter (given in examples as "udp.port" and "tcp.port"). I am writing a dissector for a protocol that is not related to a standard protocol. Wireshark will receive that packet data either from a file or the computer's USB port via UART/USB serial. Any additional information about how to know what goes in this parameter is welcome. Thank you for your help.

Here is the function: dissector_add_uint( "udp.port", FOO_port, foo_handle );

edit retag flag offensive close merge delete

Comments

I am writing a dissector for a protocol that is not related to a standard protocol. Wireshark will receive that packet data either from a file

From what type of file? Is it a type of file already readable by Wireshark, or is this a new type of file?

or the computer's USB port via UART/USB serial.

So do you mean that you'll be capturing on the USB port, on a platform where Wireshark can capture incoming and outgoing USB traffic, and want to decode USB serial traffic, or do you mean that you will either be modifying libpcap/WinPcap to read from some USB serial device or making an extcap program to read from that USB serial device, so that it'll be reading a capture file written by dumpcap or the extcap program?

Guy Harris gravatar imageGuy Harris ( 2018-06-29 00:51:57 +0000 )edit

Most likely, it will be a .txt file with binary data. However, that could probably be changed if necessary.

We will be capturing data using a Teensy microcontroller. Then, that data will either be sent to a text file that will later by read by Wireshark or I will modify the Nordic nrfSniffer (extrap plugin) to allow Wireshark to directly interface with the Teensy through the USB port.

karkee gravatar imagekarkee ( 2018-06-29 05:17:28 +0000 )edit

Actually, per https://osqa-ask.wireshark.org/questi..., it looks like the file will need to be a .txt file with a hexdump to keep the .txt format (which I think would be most simple for the sniffer (the microcontroller)).

Currently, the plan is to initially set up Wireshark to read from a file. Then, after that is working, attempt to get Wireshark to interface directly with the microcontroller (via modifications to the Nordic nrfSniffer).

karkee gravatar imagekarkee ( 2018-06-29 16:25:00 +0000 )edit
add a comment

2 Answers

Sort by » oldest newest most voted
0

answered 2018-06-29 17:36:31 +0000

Guy Harris gravatar image

You will need to add support, in libwiretap, for reading the text files containing the data.

This will include adding a new WTAP_ENCAP_ value, similar to the ones in wiretap/wtap.h, and having your dissector register for it with

dissector_add_uint( "wtap_encap", WTAP_ENCAP_FOO, foo_handle );
edit flag offensive delete link more
add a comment
0

answered 2018-06-28 19:54:09 +0000

Jaap gravatar image

This goes back to the core of packet dissection, and the inner working of the dissection engine. What it basically comes down to is that from some external source (being a network interface, through libpcap, or from a file, through libwiretap, etc) frames come in with a specified datalink layer type. From this DLT the determination is made to what dissector this frame is handed to first. Once this dissector has done its thing with the part of the frame it understands, it passes the rest of the frame onto the next dissector. But what is the next dissector? This is the dissector which registered itself as interested. This allows a chain of dissectors to be created.

As per the example, the FOO dissector is interested in UDP payloads from UDP packets on port FOO_port. It asks the rest of the frame to be passed to foo_handle().

So in your case what is the DLT of the frames coming in? What dissector is available for that DLT, and what dissector chaining options does it provide?

edit flag offensive delete link more

Comments

Thank you for your help! That is a helpful explanation of how that parameter is used.

How should I handle building the dissector if there isn't a DLT? The packets come in as a stream of 1s and 0s (they will be ported to the computer in either ASCII or binary form).

karkee gravatar imagekarkee ( 2018-06-28 23:22:52 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2018-06-28 19:28:00 +0000

Seen: 806 times

Last updated: Jun 29 '18

Related questions

how to invert two bytes in lua script dissector ?

How do I get and display packet data information at a specific byte from the first byte?

why protocol is not showing as HTTP even though we sent http request ?

Adjusting Bit order and Endianess in LUA between Dissectors

How do I add "child item" to an item in the subtree?

PRP Dissector and FCS

Use a UDP payload dissector depending on ip addresses

Reuse (part of) a Wireshark Dissector

Heuristic dissector not called

How do I dissect multiple packets?