
Wireshark protocol definition capability


Subject: Wireshark protocol definition capability

I have a question about using Wireshark to capture/decode what I would call application packets inside of TCP or UDP packets. I am working on an enterprise messaging protocol standard that would use the TCP or UDP data payload to transport structured messages between any number of servers. I'm anticipating that if Wireshark can support filter captures of this kind of enterprise messaging that enterprise conversations might be able to be captured and decoded. By decoded, I am making an assumption that there is a facility within Wireshark to define the structured data protocol and on display after capture to have it decoded in terms of what named data fields have for data content.

Can you define structured data packets, like I know Wireshark must have definitions of encapsulated headers for different Internet protocols, etc.?

Appreciate any reply and pointers to guide me in the right direction. Thanks.

Don Johnston University of Illinois

asked 13 Sep '13, 14:00


dljohnst
accept rate: 0%


2 Answers:


What you are describing sounds to me like you're interested in writing a Wireshark dissector. You might want to start with the Wireshark Developer's Guide.

And be sure to also read the various README files in the top-level and doc/ directories, particularly doc/README.developer and doc/README.dissector.

answered 13 Sep '13, 14:15


cmaynard ♦♦
accept rate: 20%


As the answer from @cmaynard states, you are looking at creating a dissector for your protocol. There are a few options for doing this:

  1. Using a text description of your protocol with WSGD.
  2. Using a scripting language built into Wireshark, e.g. Lua.
  3. Writing a C dissector, possibly as a plug-in.

All three options were discussed in my presentation at SharkFest '13, Writing a Wireshark Dissector.

answered 13 Sep '13, 16:01


grahamb ♦
accept rate: 22%
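As an added illustration of option 2 above (example code, not from the answer or the Wireshark project), here is a small Lua dissector for a hypothetical structured message format carried over UDP; the "EMSG" wire layout, the field names and UDP port 5555 are all assumed for the example. It also shows the one check every dissector for an untrusted payload needs: the declared length field is clamped to the bytes actually captured and flagged, rather than trusted.

```lua
-- Added example: Lua dissector for a hypothetical "EMSG" message format.
-- Assumed layout: 4-byte magic "EMSG", 1-byte version, 1-byte type,
-- 2-byte big-endian payload length, then the payload.
local entmsg = Proto("entmsg", "Enterprise Message (example)")

local f_magic   = ProtoField.string("entmsg.magic",   "Magic")
local f_version = ProtoField.uint8 ("entmsg.version", "Version", base.DEC)
local f_type    = ProtoField.uint8 ("entmsg.type",    "Message Type", base.HEX,
                    { [1] = "Request", [2] = "Reply", [3] = "Event" })
local f_len     = ProtoField.uint16("entmsg.len",     "Payload Length", base.DEC)
local f_payload = ProtoField.string("entmsg.payload", "Payload")
entmsg.fields = { f_magic, f_version, f_type, f_len, f_payload }

-- Expert info shown when the length field disagrees with the capture.
local ef_badlen = ProtoExpert.new("entmsg.len.bad",
    "Declared payload length exceeds captured bytes",
    expert.group.MALFORMED, expert.severity.ERROR)
entmsg.experts = { ef_badlen }

local MAGIC   = "EMSG"
local HDR_LEN = 8   -- 4 magic + 1 version + 1 type + 2 length

function entmsg.dissector(buf, pinfo, tree)
    -- Reject anything too short or without the magic bytes, so unrelated
    -- traffic on the same port is not mis-decoded as a message.
    if buf:len() < HDR_LEN or buf(0, 4):string() ~= MAGIC then
        return 0
    end

    pinfo.cols.protocol = entmsg.name
    local subtree = tree:add(entmsg, buf(), "Enterprise Message")
    subtree:add(f_magic,   buf(0, 4))
    subtree:add(f_version, buf(4, 1))
    subtree:add(f_type,    buf(5, 1))

    local plen     = buf(6, 2):uint()
    local len_item = subtree:add(f_len, buf(6, 2))

    -- Never trust the length field: clamp it to what was captured and flag
    -- the mismatch instead of letting the Tvb access raise an error.
    local avail = buf:len() - HDR_LEN
    if plen > avail then
        len_item:add_proto_expert_info(ef_badlen)
        plen = avail
    end
    subtree:add(f_payload, buf(HDR_LEN, plen))
    pinfo.cols.info = string.format("type=%d len=%d", buf(5, 1):uint(), plen)
    return HDR_LEN + plen
end

-- Route the assumed UDP port to this dissector.
DissectorTable.get("udp.port"):add(5555, entmsg)
```

Save it as a .lua file in the Wireshark plugins directory (or load it with `-X lua_script:`), and the fields become filterable, e.g. `entmsg.type == 2`.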

Should the developer's guide be updated to mention WSGD, Lua and even the ptvcursor API? And then there's MATE. And pyreshark.

(14 Sep '13, 16:10) cmaynard ♦♦

All good candidates for listing somewhere. Maybe a wiki page as well.

(15 Sep '13, 01:15) grahamb ♦