[Wireshark-dev] How can I register a link layer protocol?
Hi guys, I've read the developers guide, README.developer, wiretap plugin wiki and found no answer. Here is my problem. I'm trying to use Wireshark for dissecting a pcap capture of a protocol that is not currently defined in Wireshark. So I started writing a plugin, but I haven't been able to declare or register this dissector so it is enabled as a link layer dissector. I need to achieve this because this is not an internet protocol, so I need to identify it in this layer. I've already read this dev-topic (http://www.mail-archive.com/wireshark-dev@wireshark.org/msg05931.html) but I didn't understand it well. The dissection part works fine, I've tested it using a pcap and nesting it on top of TCP. I would really appreciate your help.

Also I've added in wtap.h

    #define WTAP_ENCAP_MYPROTOCOL 147

and in wtap.c

    static struct encap_type_info encap_table_base[] = {
        ...
        { "RESERVED 138", "res0" },
        { "RESERVED 139", "res1" },
        { "RESERVED 140", "res2" },
        { "RESERVED 141", "res3" },
        { "RESERVED 142", "res4" },
        { "RESERVED 143", "res5" },
        { "RESERVED 144", "res6" },
        { "RESERVED 145", "res7" },
        { "RESERVED 146", "res8" },
        /* WTAP_ENCAP_MYPROTOCOL */
        { "MY PROTOCOL", "myprotocol" }
    };

Here are the register and handoff sections of my code:

    void proto_register_myprotocol(void)
    {
        ...
        /* sub-dissector table keyed by the ACN protocol number field */
        myprotocol_dissector_table = register_dissector_table("myprotocol.proto",
                                                              "ACN protocol number",
                                                              FT_UINT8, BASE_HEX);
        proto_register_field_array(proto_myprotocol, hf, array_length(hf));
        proto_register_subtree_array(ett, array_length(ett));
        register_dissector("myprotocol", dissect_myprotocol, proto_myprotocol);
    }

    void proto_reg_handoff_myprotocol(void)
    {
        data_handle = find_dissector("data");
        myprotocol_handle = create_dissector_handle(dissect_myprotocol, proto_myprotocol);
        /* link-layer hookup: the frame dissector looks up "wtap_encap" by encapsulation */
        dissector_add_uint("wtap_encap", WTAP_ENCAP_MYPROTOCOL, myprotocol_handle);
        /* Registering this on top of TCP was only to develop the dissection part;
           this won't be present in the release version */
        dissector_add_uint("tcp.port", global_myprotocol_port, myprotocol_handle);
    }

___
Sent via: Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
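The link-layer hookup asked about, as an added Wireshark Lua dissector (example code written for this page, not the poster's plugin or anything else from the thread); it registers on the same "wtap_encap" table the C handoff adds to. Assumptions not in the message: a constructed two-byte header (version, ACN protocol number) in front of the payload, and frames saved with libpcap link type DLT_USER0 (147), which wiretap presents to dissectors as wtap.USER0.

```lua
local myprotocol = Proto("myprotocol", "My Link-Layer Protocol")

local f_version = ProtoField.uint8("myprotocol.version", "Version", base.DEC)
local f_proto   = ProtoField.uint8("myprotocol.proto", "ACN protocol number", base.HEX)
myprotocol.fields = { f_version, f_proto }

-- Sub-dissector table keyed by the protocol number: the Lua counterpart of
-- register_dissector_table("myprotocol.proto", ...) in the C plugin.
local proto_table = DissectorTable.new("myprotocol.proto", "ACN protocol number",
                                       ftypes.UINT8, base.HEX)
local data_dis = Dissector.get("data")

function myprotocol.dissector(tvb, pinfo, tree)
  -- A frame shorter than the header is rejected instead of read past its end.
  if tvb:len() < 2 then return 0 end
  pinfo.cols.protocol = "MYPROTO"

  local st = tree:add(myprotocol, tvb(0, 2))
  st:add(f_version, tvb(0, 1))
  st:add(f_proto, tvb(1, 1))

  -- Hand the payload to the sub-dissector for this protocol number, or to the
  -- generic "data" dissector when none is registered (data_handle in the C code).
  if tvb:len() > 2 then
    local sub = proto_table:get_dissector(tvb(1, 1):uint()) or data_dis
    sub:call(tvb(2):tvb(), pinfo, tree)
  end
  return tvb:len()
end

-- Link-layer hookup: "wtap_encap" is keyed by the frame's wiretap encapsulation,
-- the table the C handoff fills with dissector_add_uint("wtap_encap", ...).
-- wtap.USER0 is what wiretap maps libpcap's DLT_USER0 (147) to (assumed here).
DissectorTable.get("wtap_encap"):add(wtap.USER0, myprotocol)
```

Drop the file into the personal plugins directory and open a capture whose frames carry that link type; the frame dissector consults "wtap_encap" before any "tcp.port" registration is reached.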
Re: [Wireshark-dev] Application Supportability
Hello, please check http://www.wireshark.org/download.html for answers. If there are specific questions left after reading that page, please ask these specifically. Sending a huge questionnaire with lots of questions that are unrelated to Wireshark looks like laziness. Also this question should not have been sent to the Wireshark development list but to the Wireshark users list. Ciao Jörg

On Thu, Mar 01, 2012 at 03:54:40PM, Supportability wrote:
[Wireshark-dev] Frame comments in Microsoft Network Monitor
At http://www.sonic.net/~gharris/paul-clifford.tiff is a (570KB, so not attached) screenshot of a VMware Fusion Windows XP session with Network Monitor 3.4 open; I've added a comment to the currently-selected frame. The UI is the default for NetMon - packet summary pane above two panes, one with packet details and one with the comments for the current frame. The Edit toolbar button pops up a window in which you can edit the comment; Next Comment and Previous Comment go through the list of comments.

(And, yes, the title of the comment does describe the contents of the comment, and, yes, I *did* make the entire contents of Edward Bulwer-Lytton's Paul Clifford be the description field of the comment - it's about a megabyte, so it's not going to fit into a pcap-NG comment. That's the second paragraph, by the way, and it rattles on for rather a long time after the infamous first clause. The Description field in a NetMon comment is stored in RTF, so you can, at least, paste text with all sorts of fonts and paragraph types in it. It's not a required field, unlike the title, so you can just have a one-line comment in the title; the title is not rich text, it's just Unicode plain text.)
[Wireshark-dev] PCAP-NG files being corrupted by fuzz tester
The fuzz tester keeps failing with this file:

    /home/wireshark/menagerie/menagerie/6550-iPhone_connection_and_SSH_session.cap: ERROR
    Processing failed. Capture info follows:
    Output file: /dev/shm/buildbot/clangcodeanalysis/menagerie-fuzz/fuzz-2012-03-02-17845.pcap
    stderr follows:
    tshark: The file /dev/shm/buildbot/clangcodeanalysis/menagerie-fuzz/fuzz-2012-03-02-17845.pcap appears to be damaged or corrupt.
    (pcapng: interface index 1 is not less than interface count 1.)

The source file itself is fine (well it no longer aborts for me after r41325), but running it through the fuzz tester fails every time. Looks like editcap needs some PCAPNG smarts to avoid corrupting the non-packet parts. (Or Wiretap needs to not give the non-packet parts to editcap.)
Re: [Wireshark-dev] PCAP-NG files being corrupted by fuzz tester
On Mar 2, 2012, at 2:36 PM, Jeff Morriss wrote:

> The fuzz tester keeps failing with this file:
>
>     /home/wireshark/menagerie/menagerie/6550-iPhone_connection_and_SSH_session.cap: ERROR
>     Processing failed. Capture info follows:
>     Output file: /dev/shm/buildbot/clangcodeanalysis/menagerie-fuzz/fuzz-2012-03-02-17845.pcap
>     stderr follows:
>     tshark: The file /dev/shm/buildbot/clangcodeanalysis/menagerie-fuzz/fuzz-2012-03-02-17845.pcap appears to be damaged or corrupt.
>     (pcapng: interface index 1 is not less than interface count 1.)
>
> The source file itself is fine (well it no longer aborts for me after r41325), but running it through the fuzz tester fails every time. Looks like editcap needs some PCAPNG smarts to avoid corrupting the non-packet parts. (Or Wiretap needs to not give the non-packet parts to editcap.)

...or my recent changes to wiretap/pcapng.c broke something, or

I'll try to look at that today.

(BTW, why aren't the fuzz failures being turned into bugs?)
Re: [Wireshark-dev] PCAP-NG files being corrupted by fuzz tester
On Mar 2, 2012, at 2:45 PM, Guy Harris wrote:

> On Mar 2, 2012, at 2:36 PM, Jeff Morriss wrote:
>
>> The source file itself is fine (well it no longer aborts for me after r41325), but running it through the fuzz tester fails every time. Looks like editcap needs some PCAPNG smarts to avoid corrupting the non-packet parts. (Or Wiretap needs to not give the non-packet parts to editcap.)
>
> ...or my recent changes to wiretap/pcapng.c broke something, or

Without fuzzing, editcap will mangle your test file when converted to pcap-NG, so it's not a question of editcap corrupting the non-packet parts.
[Wireshark-dev] Help with Bit Fields
I have a bit oriented message defined:

    Base  NumBits  bits

where Base defines a base value and NumBits determines the number of bits following (in byte groups). Each bit defines the state of item # Base+Bit Number. I want to create a display that will have the Item Number when the tree is expanded. As an example, if the base is 11 then the 4th bit is item 14, so the output should be:

    ...1 = Item 14 ON

How can this be done? Thanks as always. Alex Lindberg
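One way to produce that display, as an added Wireshark Lua dissector (example code for this page, not from the thread or from Wireshark itself): every bit gets its own tree item whose label is computed from Base plus the bit index. Assumptions: Base and NumBits are one byte each, bit numbers count from 0 at the least significant bit of the first bit byte, and the UDP port is made up for testing.

```lua
local itembits = Proto("itembits", "Item Bit Map")
local f_base    = ProtoField.uint8("itembits.base", "Base", base.DEC)
local f_numbits = ProtoField.uint8("itembits.numbits", "NumBits", base.DEC)
itembits.fields = { f_base, f_numbits }

-- Label one bit the way Wireshark renders boolean bit fields ("...1 = Item 14 ON"):
-- bit `pos` of `byte` (0 = least significant) is shown in place, other bits as dots.
local function bit_label(byte, pos, item)
  local s, on = "", math.floor(byte / 2 ^ pos) % 2 == 1
  for b = 7, 0, -1 do
    s = s .. (b == pos and (on and "1" or "0") or ".")
    if b == 4 then s = s .. " " end
  end
  return string.format("%s = Item %d %s", s, item, on and "ON" or "OFF")
end

function itembits.dissector(tvb, pinfo, tree)
  if tvb:len() < 2 then return 0 end
  local base_val, numbits = tvb(0, 1):uint(), tvb(1, 1):uint()
  local nbytes = math.floor((numbits + 7) / 8)
  if tvb:len() < 2 + nbytes then return 0 end  -- NumBits promises more bytes than present
  pinfo.cols.protocol = "ITEMBITS"
  local st = tree:add(itembits, tvb(0, 2 + nbytes))
  st:add(f_base, tvb(0, 1))
  st:add(f_numbits, tvb(1, 1))
  -- Bit n (counted from 0 at the LSB of the first bit byte) is item Base + n,
  -- so with Base 11 the fourth bit (n = 3) is item 14.
  for n = 0, numbits - 1 do
    local off = 2 + math.floor(n / 8)
    st:add(tvb(off, 1), bit_label(tvb(off, 1):uint(), n % 8, base_val + n))
  end
  return 2 + nbytes
end

DissectorTable.get("udp.port"):add(5000, itembits)  -- assumed port for testing
```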
Re: [Wireshark-dev] PCAP-NG files being corrupted by fuzz tester
On Mar 2, 2012, at 3:04 PM, Guy Harris wrote:

> On Mar 2, 2012, at 2:45 PM, Guy Harris wrote:
>
>> On Mar 2, 2012, at 2:36 PM, Jeff Morriss wrote:
>>
>>> The source file itself is fine (well it no longer aborts for me after r41325), but running it through the fuzz tester fails every time. Looks like editcap needs some PCAPNG smarts to avoid corrupting the non-packet parts. (Or Wiretap needs to not give the non-packet parts to editcap.)
>>
>> ...or my recent changes to wiretap/pcapng.c broke something, or
>
> Without fuzzing, editcap will mangle your test file when converted to pcap-NG, so it's not a question of editcap corrupting the non-packet parts.

Or, at least, not *intentionally* corrupting it as part of the fuzzing process.

It does, however, appear to be a question of editcap not handling a file with multiple IDBs - it's calling pcap_dump_open(), not pcap_dump_open_ng(). Perhaps the offending file, which has two IDBs, is new to the menagerie, and no other files in the menagerie are pcap-NG files with more than one IDB, so we haven't bumped into this yet.
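The check behind the tshark error quoted in this thread, as an added stand-alone Lua 5.3 script (written for this page; not Wireshark, wiretap or editcap code): it walks pcapng blocks, counts IDBs and flags an EPB whose interface_id is not below that count, which is exactly what a file loses its second IDB to when written as plain pcap. The sample files are constructed inline so it runs offline; it assumes one section (one SHB) per file.

```lua
local SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
local BYTE_ORDER_MAGIC = 0x1A2B3C4D

-- One pcapng block: type, total length, body padded to 32 bits, total length.
local function block(e, btype, body)
  body = body .. string.rep("\0", (4 - #body % 4) % 4)
  local total = 12 + #body
  return string.pack(e .. "I4I4", btype, total) .. body .. string.pack(e .. "I4", total)
end

-- Constructed sample file: one SHB, n_ifaces IDBs, then one EPB per id in epb_ids.
local function build_pcapng(n_ifaces, epb_ids)
  local e, pkt = "<", string.rep("\xaa", 6) .. string.rep("\xbb", 6) .. "\x08\x00"
  local out = block(e, SHB, string.pack(e .. "I4I2I2i8", BYTE_ORDER_MAGIC, 1, 0, -1))
  for _ = 1, n_ifaces do
    out = out .. block(e, IDB, string.pack(e .. "I2I2I4", 1, 0, 65535))  -- Ethernet, snaplen
  end
  for _, id in ipairs(epb_ids) do  -- constructed 14-byte Ethernet header as the packet
    out = out .. block(e, EPB, string.pack(e .. "I4I4I4I4I4", id, 0, 0, #pkt, #pkt) .. pkt)
  end
  return out
end

-- Walk the blocks counting IDBs; an EPB whose interface_id is not below the
-- count seen so far is reported with the same wording tshark uses.
local function check_interface_ids(data)
  local magic = string.unpack("<I4", data, 9)  -- byte-order magic in the SHB body
  local e = (magic == BYTE_ORDER_MAGIC) and "<" or ">"
  local n_ifaces, errors, off = 0, {}, 1
  while off <= #data do
    local btype, total = string.unpack(e .. "I4I4", data, off)
    assert(total >= 12 and off + total - 1 <= #data, "truncated block")
    if btype == IDB then
      n_ifaces = n_ifaces + 1
    elseif btype == EPB then
      local id = string.unpack(e .. "I4", data, off + 8)
      if id >= n_ifaces then
        errors[#errors + 1] = string.format(
          "interface index %d is not less than interface count %d", id, n_ifaces)
      end
    end
    off = off + total
  end
  return n_ifaces, errors
end

-- Two IDBs for two EPBs pass; with only one IDB the EPB for interface 1 fails.
local _, ok_errs = check_interface_ids(build_pcapng(2, {0, 1}))
local _, bad_errs = check_interface_ids(build_pcapng(1, {0, 1}))
assert(#ok_errs == 0 and bad_errs[1] == "interface index 1 is not less than interface count 1")
```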
Re: [Wireshark-dev] PCAP-NG files being corrupted by fuzz tester
On 3/2/12 2:45 PM, Guy Harris wrote:

> (BTW, why aren't the fuzz failures being turned into bugs?)

I disabled error reporting in preparation to migrate Bugzilla. Unfortunately it looks like that won't happen any time soon. They've been re-enabled.
Re: [Wireshark-dev] PCAP-NG files being corrupted by fuzz tester
On Mar 2, 2012, at 4:08 PM, Guy Harris wrote:

> It does, however, appear to be a question of editcap not handling a file with multiple IDBs - it's calling pcap_dump_open(), not pcap_dump_open_ng().

Should be fixed as of rev 41328.
[Wireshark-dev] Err when using a pipe
Hi, I start Wireshark from the command line:

    sudo ./wireshark -k -i /tmp/pipe

I have a capture dump in libpcap format which I write into the pipe (/tmp/pipe) after starting Wireshark. Every time I do this Wireshark displays the contents of the file but at the end it shows a segmentation fault. The capture file is from my previous run of Wireshark saved in libpcap format. Wireshark works perfectly with the same file when it is opened through the GUI. I am using Wireshark 1.6.5 on Linux. Could someone pls tell me why this behavior occurs? Thanks Vijay