Seeking Example for Protocol Encapsulating IPv4

I am attempting to write a dissector for a protocol that fully encapsulates IPv4, and optionally encapsulates ethernet/IPv4 as well. This protocol attaches two headers that precede the (ethernet)/IPv4 headers. Let's call these headers Foo and Foo2.

Foo is 40 bits (5 bytes) long, Foo2 is 8 bits (1 byte) long, and I have coded a device that receives standard ethernet/IPv4 packets and will encapsulate them by adding Foo and Foo2 to the top of the header stack. So, assuming ethernet is present, the order of headers that should be dissected is as follows:

  1. Foo
  2. Foo2
  3. Ethernet
  4. IPv4

There is no designated special port for this encapsulation - it happens to all standard ethernet/IPv4 traffic received on one device and is removed by a different device later. Again, simplifying, let's say I want to parse both Foo and Foo2 and show the fields. Let's say Foo2 has two fields, a 2-bit field and a 6-bit field - we can call those bar and bar2.

Looking at the example from https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html I see how you could write a Foo protocol that didn't do encapsulation. I don't quite yet fully understand that example, but I can probably, given some more time, understand how to get things recognized for Foo and Foo2, but the big piece that I'm missing is how I can hand dissection off to the built-in ethernet or IPV4 dissectors once Foo2 is dissected.

Additionally, it's unclear to me how to enable this properly in Wireshark itself, as when using "Decode As" I don't see any options that I could use to filter by this that make sense. For example, right now, I have a decoder plugin that works for a much more complicated version of the protocol. Wireshark is currently ignoring my subset of that (Foo/Foo2) and parsing the new protocol headers as if they were ethernet, which leads to strange results (wrong source, wrong destination, Wireshark stopping dissection as soon as it hits what it thinks is IPv4 because of a bogus IPv4 version).

I tried to use "Decode As", but the options I can use don't seem to have any options I could make use of given that the port is the same and the options should precede ethernet/IPv4 and don't match any built-in protocols. I know that the protocol dissector is enabled, because if I look into the Manage Protocols menu I can see the custom packet type is enabled.

EDIT: Getting it to recognize the protocol needed a combination of editcap and setting up recognition for the protocol in the DLT_USER table under Edit -> Preferences -> Protocols as suggested by Chuckc and discussed in the comments under that answer. Will do an EDIT 2 if/when the part about "[handing] dissection off to the built-in ethernet or IPv4 dissectors" is answered.
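As an added example (not code from the original post or its answers), here is how a Lua dissector for the Foo/Foo2 headers described above can hand the rest of the frame to the built-in Ethernet or IPv4 dissector and register on the wtap_encap (DLT_USER) table the EDIT refers to. Foo's internal layout is not given in the question, so it is shown as one opaque 5-byte field; the preference that selects Ethernet versus IPv4 as the inner header and the choice of the DLT_USER0 slot are assumptions.

```lua
-- Added example: Lua dissector for the hypothetical Foo (5 bytes) + Foo2 (1 byte)
-- encapsulation. Foo is opaque here; Foo2 is split into bar (2 bits) and bar2 (6 bits).
local foo_proto = Proto("foo", "Foo Encapsulation")

local f_foo  = ProtoField.bytes("foo.hdr",  "Foo header")
local f_bar  = ProtoField.uint8("foo.bar",  "bar",  base.DEC, nil, 0xC0) -- top 2 bits
local f_bar2 = ProtoField.uint8("foo.bar2", "bar2", base.DEC, nil, 0x3F) -- low 6 bits
foo_proto.fields = { f_foo, f_bar, f_bar2 }

local FOO_LEN, FOO2_LEN = 5, 1

-- Built-in dissectors to hand off to: Ethernet without trailing FCS, or plain IPv4.
local eth_dis = Dissector.get("eth_withoutfcs")
local ip_dis  = Dissector.get("ip")

-- Assumption: a preference decides whether an Ethernet header follows Foo2,
-- since the question says Ethernet is optional and nothing in Foo2 signals it.
foo_proto.prefs.inner_eth = Pref.bool("Inner Ethernet header present", true,
    "Unchecked: Foo2 is followed directly by IPv4")

function foo_proto.dissector(tvb, pinfo, tree)
    if tvb:len() < FOO_LEN + FOO2_LEN then
        return 0   -- too short to carry Foo and Foo2; dissect nothing
    end
    pinfo.cols.protocol = foo_proto.name

    local subtree = tree:add(foo_proto, tvb(0, FOO_LEN + FOO2_LEN))
    subtree:add(f_foo,  tvb(0, FOO_LEN))
    -- The bitmasks on the ProtoFields pull bar and bar2 out of the single Foo2 byte.
    subtree:add(f_bar,  tvb(FOO_LEN, FOO2_LEN))
    subtree:add(f_bar2, tvb(FOO_LEN, FOO2_LEN))

    -- Everything after Foo2 becomes a new Tvb for the built-in dissector,
    -- which then continues down the stack (Ethernet -> IPv4 -> TCP/UDP ...).
    local payload = tvb(FOO_LEN + FOO2_LEN):tvb()
    if foo_proto.prefs.inner_eth then
        eth_dis:call(payload, pinfo, tree)
    else
        ip_dis:call(payload, pinfo, tree)
    end
    return tvb:len()
end

-- Register for the DLT_USER0 link type so that a capture rewritten with
-- "editcap -T user0 in.pcap out.pcap" is dissected as Foo from the first byte.
-- Assumption: user0; use whichever DLT_USER slot the capture was rewritten to.
DissectorTable.get("wtap_encap"):add(wtap.USER0, foo_proto)
```

Place the file in the personal Lua plugins directory (Help -> About Wireshark -> Folders) and reload Lua plugins; because the protocol has no port, registering on wtap_encap rather than a port table is what lets Wireshark start with Foo instead of mis-reading it as Ethernet.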