Kevin Jones wrote:

> Is "dissector_add("ethertype", ETHERTYPE_ARP, arp_handle);" how you 
> register a dissector with a lower layer protocol?

Yes, that's how you'd register a dissector that has an Ethernet type; 
you'd replace "ETHERTYPE_ARP" with your Ethernet type, and replace 
"arp_handle" with a dissector handle for your dissector.  You could just do

        /* dissector function first, then the protocol ID */
        my_handle = create_dissector_handle(my_dissector_function, my_protocol);

and then pass "my_handle" to dissector_add() (you don't need to register 
your dissector with a name).

> Also what are static hf_register_info hf[] = {...} and 
> proto_register_field_array(proto_arp, hf, array_length(hf));  for? Does 
> registering the info array give wireshark hints to help it find the 
> appropriate dissector to call?

No, they have absolutely nothing to do with dissector handoffs.

> Or does it just set up memory space to use 
> after the dissector gets called and while it's dissecting?

Yes.  In particular, the memory it sets up includes values for "named 
fields".  If, for example, your dissector has a packet type field, you 
could have a "my.type" field, and use proto_tree_add_uint() or 
proto_tree_add_item() to put it into the protocol tree.  You could then 
do, for example "my.type == 5" to have a display filter to find packets 
with a particular packet type.

See doc/README.developer for a detailed discussion of named fields and 
of putting packet data into the protocol tree.
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev
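
The two registrations discussed above (the "ethertype" handoff and the named-field array), as an added example that is not part of the original message. It uses Wireshark's Lua API rather than the C calls in the thread; the protocol name "my", the field "my.type" and EtherType 0x88B5 are assumptions for illustration.

```lua
-- Added example, not from the original post. The names "my" and "my.type"
-- and the EtherType 0x88B5 (IEEE local experimental) are assumptions.
local my_proto = Proto("my", "My Example Protocol")

-- Named field: the Lua counterpart of an hf_register_info entry.
-- It only describes the field for the protocol tree and display filters;
-- it plays no part in choosing which dissector gets called.
local f_type = ProtoField.uint8("my.type", "Packet Type", base.DEC)
my_proto.fields = { f_type }

function my_proto.dissector(tvb, pinfo, tree)
    -- Packet bytes are untrusted input: check the length before reading.
    if tvb:len() < 1 then
        return 0
    end
    pinfo.cols.protocol = "MY"
    local subtree = tree:add(my_proto, tvb())
    -- Counterpart of proto_tree_add_item(): put byte 0 in the tree as my.type.
    subtree:add(f_type, tvb(0, 1))
    return tvb:len()
end

-- Handoff: the counterpart of dissector_add("ethertype", ..., my_handle).
-- This table entry is what makes the Ethernet dissector call ours.
DissectorTable.get("ethertype"):add(0x88B5, my_proto)
```

Loaded with `wireshark -X lua_script:my.lua`, frames carrying that EtherType show a "Packet Type" field, and `my.type == 5` works as a display filter.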
