Ask Your Question

How to leave only the dissectors of signaling protocols?

asked 2019-01-31 13:54:30 +0000

mefisto.fels gravatar image

updated 2019-01-31 14:49:45 +0000

cmaynard gravatar image

I have already built full versions of wireshark, but I need to make one that only interprets the signaling protocols for GSM mobile communications and IP telephony. I must also modify the capture so that it never stops, I guess that to achieve this I must modify the buffers but I have no idea how to do it until now if you could help me with this I would also appreciate it.

edit retag flag offensive close merge delete


Why not use tcpdump, which doesn't have all the extra dissectors, to make the captures?

grahamb gravatar imagegrahamb ( 2019-01-31 14:25:48 +0000 )edit

Or dumpcap, which is cross-platform. You could even use tshark too, which is also cross-platform, and in theory could also be used to capture "To Infinity and Beyond!"; however, I still prefer to use dumpcap for long-term capturing.

cmaynard gravatar imagecmaynard ( 2019-01-31 14:49:24 +0000 )edit

Actually, I need to create an UI that returns a file with the dissection information that I request. but that does not compromise the processing speed so as not to affect the capture. I'm going to explore the functionalities of the modules that you mention, but I wanted to see if there is a way to use the dissectors that I want before the compilation, to lighten the processing load.

mefisto.fels gravatar imagemefisto.fels ( 2019-01-31 18:02:10 +0000 )edit

Note that if your capture traffic doesn't include packets for other dissectors, then they won't be doing anything apart from taking up some memory.

If you can externally limit traffic to your capture device, or concoct a capture filter that limits the captured traffic to that which you require, then you will have reduced the load considerably.

grahamb gravatar imagegrahamb ( 2019-01-31 20:04:38 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2019-01-31 15:33:11 +0000

cmaynard gravatar image

updated 2019-02-09 03:38:52 +0000

If you want to remove dissectors from Wireshark, then for each dissector you no longer want to be included with Wireshark, you'll have to reverse the process for adding a dissector as described in README.dissector and README.plugins.

For the built-in dissectors, this is a rather simple matter (at least in theory but doesn't account for dependencies if you remove a dissector that another one depends on) that basically involves removing the unwanted dissector(s) from the DISSECTOR_SRC. It's a little more involved to remove plugins, so refer to the README.plugins file for all the details.

Of course if you also want to remove pidl and/or asn1 dissectors, then you'll have to remove those dissectors from the PDL_DISSECTOR_SRC and/or ASN1_DISSECTOR_SRC, but it might be more involved than that. There are no README.pidl or README.asn1 files to go by; however there are the Pidl and Asn2wrs wiki pages, which may be of some help here.

As for continuously capturing, as mentioned in the comments to the question, your best bet is probably just to use dumpcap, tshark or tcpdump.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2019-01-31 13:54:30 +0000

Seen: 55 times

Last updated: Feb 09