Kevin Jones wrote:

> Is "dissector_add("ethertype", ETHERTYPE_ARP, arp_handle);" how you
> register a dissector with a lower layer protocol?

Yes, that's how you'd register a dissector that has an Ethernet type; you'd replace "ETHERTYPE_ARP" with your Ethernet type, and replace "arp_handle" with a dissector handle for your dissector. You could just do

	my_handle = create_dissector_handle(my_dissector_function, my_protocol);

and then pass "my_handle" to dissector_add() (you don't need to register your dissector with a name).

> Also what are static hf_register_info hf[] = {...} and
> proto_register_field_array(proto_arp, hf, array_length(hf)); for? Does
> registering the info array give wireshark hints to help it find the
> appropriate dissector to call?

No, they have absolutely nothing to do with dissector handoffs.

> Or does it just set up memory space to use
> after the dissector gets called and while it's dissecting?

Yes. In particular, the memory it sets up includes values for "named fields". If, for example, your dissector has a packet type field, you could have a "my.type" field, and use proto_tree_add_uint() or proto_tree_add_item() to put it into the protocol tree. You could then do, for example, "my.type == 5" to have a display filter to find packets with a particular packet type.

See doc/README.developer for a detailed discussion of named fields and of putting packet data into the protocol tree.
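
A stand-alone C model of the distinction drawn in the reply above, added here as an example and not part of the original message or of Wireshark's code: dispatch reads only the Ethernet-type handoff table, while registered field names only serve filters such as "my.type == 5". The type and function names, the 0x88B5 Ethernet type and both frames are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-alone model, not Wireshark code: every name and the 0x88B5 type are assumptions. */
typedef struct { const char *abbrev; uint32_t value; } item;
typedef struct { item items[4]; size_t n; } tree;
typedef void (*dissector_fn)(const uint8_t *data, size_t len, tree *t);

/* Example dissector: the first payload byte is the packet type. */
void dissect_my(const uint8_t *data, size_t len, tree *t) {
    if (len < 1 || t->n >= 4) return;   /* truncated payload: add nothing */
    t->items[t->n++] = (item){ "my.type", data[0] };
}

/* Mechanism 1: handoff table keyed by Ethernet type (the role dissector_add() plays). */
static const struct { uint16_t ethertype; dissector_fn fn; } handoff[] = { { 0x88B5, dissect_my } };
/* Mechanism 2: named-field registry (the role of hf[]); dispatch never reads it. */
static const char *const fields[] = { "my.type" };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Dissect one Ethernet frame; only the handoff table decides who is called. */
void dissect_frame(const uint8_t *f, size_t len, tree *t) {
    t->n = 0;
    if (len < 14) return;               /* shorter than an Ethernet header */
    uint16_t ethertype = (uint16_t)((f[12] << 8) | f[13]);
    for (size_t i = 0; i < COUNT(handoff); i++)
        if (handoff[i].ethertype == ethertype) { handoff[i].fn(f + 14, len - 14, t); return; }
}

/* Filter "abbrev == value": 1 = match, 0 = no match, -1 = unknown field name. */
int filter_eq(const uint8_t *f, size_t len, const char *abbrev, uint32_t value) {
    size_t i; tree t;
    for (i = 0; i < COUNT(fields) && strcmp(fields[i], abbrev) != 0; i++) {}
    if (i == COUNT(fields)) return -1;
    dissect_frame(f, len, &t);
    for (i = 0; i < t.n; i++)
        if (strcmp(t.items[i].abbrev, abbrev) == 0 && t.items[i].value == value) return 1;
    return 0;
}

/* Constructed frames: 12 address bytes, Ethernet type, one payload byte. */
const uint8_t FRAME_MY[15]   = {0,0,0,0,0,0,0,0,0,0,0,0, 0x88,0xB5, 5};
const uint8_t FRAME_IPV4[15] = {0,0,0,0,0,0,0,0,0,0,0,0, 0x08,0x00, 5};

int main(void) {
    printf("%d %d\n", filter_eq(FRAME_MY, 15, "my.type", 5), filter_eq(FRAME_IPV4, 15, "my.type", 5));
    return 0;
}
```

FRAME_IPV4 carries the same payload byte, but its Ethernet type has no handoff entry, so the registered "my.type" field never appears in its tree and the filter does not match.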