Re: [Wireshark-dev] Use of wireshark to interpret input data that does not depend on any other existing protocols
Guys, thank you very much for the help and suggestions. It really helped me figure out the problem and the solution to it.

I carried out the following steps to define a custom dissector that does not depend on or run on top of any existing protocol. Please note these steps are only for local development and these changes should not be checked in, as they involve defining a new mapping for a protocol in the encapsulation table (mapping a new protocol to a new link_layer_id).

1. Define a macro in the wtap.h header file for the new protocol.

    ...
    #define WTAP_ENCAP_LAPD     131
    #define WTAP_ENCAP_DVBCI    132
    #define WTAP_ENCAP_protocol 133  // macro for new protocol
    ...

2. Define a new mapping for the new protocol to a new link_layer_id in the pcap-common.c file, in the pcap_to_wtap_map[] array of structures.

    ...
    { 230, WTAP_ENCAP_IEEE802_15_4_NOFCS },
    /* DVB-CI (Common Interface) */
    { 235, WTAP_ENCAP_DVBCI },
    /* New protocol */
    { 240, WTAP_ENCAP_protocol },  // mapping for new protocol to link_layer_type value 240
    /*
     * To repeat:
     *
     * If you need a n ..
    ...

In my case, I have associated my new protocol with link_layer_id=240.

NOTE: Please note if you plan to check in the code and want your protocol to be a part of Wireshark releases, then send a mail to tcpdump-work...@lists.tcpdump.org, asking for a new DLT_ value and specifying the purpose of the new value. When you get the new DLT_ value, use that numerical value in the "dlt_value" field of "pcap_to_wtap_map[]".

3. Create an entry in the encap_table_base[] array of structures supplying the name and short name for the new protocol in the wtap.c file.

    ...
    /* WTAP_ENCAP_LAPD */
    { "Lapd header", "lapd" },
    /* WTAP_ENCAP_DVBCI */
    { "DVB-CI (Common Interface)", "dvbci" },
    /* WTAP_ENCAP_protocol */
    { "Protocol_name", "Protocol_short_name" }
    };
    gint wtap_num_encap_types = sizeof(encap_table_base) / sizeof(struct encap_type_info);
    static GArray* encap_table_arr = NULL;
    ...

4. You can generate the required .pcap file from an input text file with appropriate header information specific to your protocol by using the text2pcap utility that comes with the Wireshark installation:

    ./text2pcap -l 240 input.txt output.pcap

5. Rebuild the Wireshark source code and install it. Copy the plugin (protocol.dll) for your protocol-specific dissector into the plugins directory and restart Wireshark.

Mrunal

From: Mrunal Upadhyay
Sent: Thursday, April 21, 2011 1:20 AM
To: 'wireshark-dev@wireshark.org'
Subject: Use of wireshark to interpret input data that does not depend on any other existing protocols

Hi All,

I am adding a new protocol to Wireshark that does not rely or depend on any other protocols (TCP, UDP, Ethernet, PPP, etc.). I will be thankful if anyone can help me understand the following things:

1. I have written the protocol dissector for my unique protocol. But how do I differentiate the input packets in the .pcap file so that only my protocol dissector gets called to process the data? And how can I add uniqueness to the input data stream to customize it to my protocol? Is the protocol identified by means of some common pattern in the input stream of bytes? If that is the case, how can I do that?

2. What is the difference between the dissector table and the encapsulation table? I have understood how the protocol dissector encodes the input data and displays it in a tree based on the formatting defined by the static arrays ett and hf.

What steps do I need to perform in order to write a protocol dissector that does not depend on any existing protocols, and to customize the input data in the pcap file so that my protocol dissector gets called only when it comes across correct input data?

Mrunal

___
Sent via:    Wireshark-dev mailing list
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] Use of wireshark to interpret input data that does not depend on any other existing protocols
Martin Kaiser wrote:
> Thus wrote Mrunal Upadhyay (m.upadh...@sta.samsung.com):
>> 1. I have written the protocol dissector for my unique protocol. But
>> how do I differentiate the input packets in .pcap file so that only my
>> protocol dissector gets called to process the data? And how can I add
>> uniqueness to the input data stream to customize it to my protocol. Is
>> the protocol identified by means of some common pattern in the input
>> stream of bytes. If that is the case, how can I do that?
>
> you have a data link type (DLT) in the .pcap file
> (http://www.tcpdump.org/linktypes.html)
>
> In wireshark, you map this DLT value to a WTAP_xxx value in
> pcap_to_wtap_map[].

This requires getting a DLT value assigned by the folks at tcpdump.org. If you're just experimenting or only going to be using your dissector yourself, then you might also consider using one of the "user" DLT values:

http://wiki.wireshark.org/HowToDissectAnything
Re: [Wireshark-dev] Use of wireshark to interpret input data that does not depend on any other existing protocols
Thus wrote Mrunal Upadhyay (m.upadh...@sta.samsung.com):

> 1. I have written the protocol dissector for my unique protocol. But
> how do I differentiate the input packets in .pcap file so that only my
> protocol dissector gets called to process the data? And how can I add
> uniqueness to the input data stream to customize it to my protocol. Is
> the protocol identified by means of some common pattern in the input
> stream of bytes. If that is the case, how can I do that?

you have a data link type (DLT) in the .pcap file (http://www.tcpdump.org/linktypes.html)

In wireshark, you map this DLT value to a WTAP_xxx value in pcap_to_wtap_map[]. In your dissector, you call dissector_add_uint() to register your dissector for your WTAP_xxx. And you should check all incoming data to make sure that it's actually your protocol.

You can take the DVB-CI dissector (and many others) as an example.
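An added example, not from the thread and not Wireshark code, showing the chain the replies describe end to end: the pcap global header carries the link-layer type (what `text2pcap -l 240` writes), a table keyed on that type picks the dissector (the role of pcap_to_wtap_map[] plus dissector_add_uint() on the "wtap_encap" table), and the dissector refuses frames that do not match its own format before claiming them. The frame layout (2-byte magic, version, payload length, payload) and the constants DLT_CUSTOM and MAGIC are assumptions for this example.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4
DLT_CUSTOM = 240     # link-layer type the post maps to WTAP_ENCAP_protocol (local use only)
MAGIC = b"\xCA\xFE"  # hypothetical 2-byte signature of the example protocol (constructed)

def write_pcap(frames, linktype):
    """Write a little-endian pcap: 24-byte global header whose 'network' field is
    the DLT (what 'text2pcap -l 240' sets), then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (linktype, frame) per record; the linktype is what pcap_to_wtap_map[] keys on."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len

def dissect_custom(frame):
    """Hypothetical protocol: magic(2) | version(1) | payload_len(1) | payload.
    Returns the parsed fields, or None when the bytes are not this protocol: the
    sanity check Martin Kaiser recommends before a dissector claims a packet."""
    if len(frame) < 4 or frame[:2] != MAGIC:
        return None
    version, plen = frame[2], frame[3]
    if len(frame) != 4 + plen:
        return None
    return {"version": version, "payload": frame[4:]}

# Stands in for dissector_add_uint("wtap_encap", WTAP_ENCAP_protocol, handle):
# the encapsulation table maps a link-layer type to the dissector that gets first crack.
ENCAP_TABLE = {DLT_CUSTOM: dissect_custom}

def dissect_file(data):
    """Dispatch every record through the encapsulation table."""
    results = []
    for linktype, frame in read_pcap(data):
        handler = ENCAP_TABLE.get(linktype)
        results.append(handler(frame) if handler else "unknown encapsulation")
    return results
```

A frame written under a different link-layer type (for instance 1, Ethernet) never reaches dissect_custom at all, and a frame under 240 that lacks the signature is returned as None rather than being mis-parsed.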
[Wireshark-dev] Use of wireshark to interpret input data that does not depend on any other existing protocols
Hi All,

I am adding a new protocol to Wireshark that does not rely or depend on any other protocols (TCP, UDP, Ethernet, PPP, etc.). I will be thankful if anyone can help me understand the following things:

1. I have written the protocol dissector for my unique protocol. But how do I differentiate the input packets in the .pcap file so that only my protocol dissector gets called to process the data? And how can I add uniqueness to the input data stream to customize it to my protocol? Is the protocol identified by means of some common pattern in the input stream of bytes? If that is the case, how can I do that?

2. What is the difference between the dissector table and the encapsulation table? I have understood how the protocol dissector encodes the input data and displays it in a tree based on the formatting defined by the static arrays ett and hf.

What steps do I need to perform in order to write a protocol dissector that does not depend on any existing protocols, and to customize the input data in the pcap file so that my protocol dissector gets called only when it comes across correct input data?

Mrunal