I needed to read an unsupported file structure and protocol into Wireshark. I 
did this by creating a plugin that registered the necessary routines to read a 
file and determine if the file was the one I needed.

1st - register with wtap:

#include <glib.h>
#include "wtap-int.h"        /* struct wtap and the wtap_register_* calls (wiretap directory) */
#include "file_wrappers.h"   /* file_seek() */

/* handles returned by the wtap registration calls, used by the open routine */
static int encap_mst_file;
static int wf_myproto_file;

int myproto_open(wtap *wth, int *err, gchar **err_info);

/* register with wtap */
void wtap_register_mst(void) {
    static struct file_type_info fi = {
        "My PROTOCOL File",    /* name */
        "mst_file",            /* short name */
        "*.*",                 /* file extensions */
        NULL,                  /* file extension default */
        FALSE,                 /* writing must seek */
        FALSE,                 /* has name resolution */
        NULL,                  /* can write this type of file encap? */
        NULL                   /* function to open for writing */
    };
    wtap_register_open_routine(myproto_open, TRUE);
    encap_mst_file = wtap_register_encap_type("My PROTOCOL FILE", "myproto_file");
    wf_myproto_file = wtap_register_file_type(&fi);
}

As you see, you need an open routine (myproto_open). The open routine 
determines if the file is of the flavor you are looking for; if so, it creates 
the file structure used by Wireshark.

/* myproto_check_file(), myproto_read() and myproto_seek_read() are the
   plugin's own routines and are not shown here. */
int myproto_open(wtap *wth, int *err, gchar **err_info _U_) {
    /* open routine.  First determine if it is a myproto file. */
    /* The open_file_* routines should return:
        -1 on an I/O error;
        1 if the file they're reading is one of the types it handles;
        0 if the file they're reading isn't the type they're checking for.
    If the routine handles this type of file, it should set the "file_type"
    field in the "struct wtap" to the type of the file. */
    if (!(myproto_check_file(wth, err))) {
        if (*err == 0) {
            return 0;       /* not our file type; let the next open routine try */
        }
        else {
            return -1;      /* I/O error, *err already set */
        }
    }

    /* point to 1st line */
    if (file_seek(wth->fh, 0, SEEK_SET, err) == -1) {
        return -1;
    }

    wth->data_offset = 0;
    wth->file_encap = WTAP_ENCAP_USER15;  /* encap type to use if saved as a pcap file */
    wth->file_type = wf_myproto_file;     /* the file type registered in wtap_register_mst() */
    wth->subtype_read = myproto_read;     /* routines to go for reading and seeking */
    wth->subtype_seek_read = myproto_seek_read;
    wth->snapshot_length = 0;   /* not known */
    wth->tsprecision = WTAP_FILE_TSPREC_CSEC;

    return 1;
}

As an FYI, to get the plugin's wtap routines to register, I had to modify the 
local Makefile.am for plugin.c to look for the wtap register routine (only for 
the Python build, which I am using):

plugin.c: $(DISSECTOR_SRC) $(top_srcdir)/tools/make-dissector-reg \
	$(top_srcdir)/tools/make-dissector-reg.py
	@if test -n "$(PYTHON)"; then \
		echo Making plugin.c with python ; \
		$(PYTHON) $(top_srcdir)/tools/make-dissector-reg.py $(srcdir) \
			plugin_wtap $(DISSECTOR_SRC) ; \
	else \
		echo Making plugin.c with shell script ; \
		$(top_srcdir)/tools/make-dissector-reg $(srcdir) \
			$(plugin_src) plugin_wtap $(DISSECTOR_SRC) ; \
	fi

Examples of these functions can be found in the wiretap directory. Best of luck.

Alex Lindberg
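An added example, not code from Alex's message or from Wireshark itself: a stand-alone version of the check that myproto_check_file() performs, following the same -1/0/1 contract the open routine above relies on. The "MYPR" header layout, the record-length cap and the sample files are all constructed for the example, and plain stdio replaces wiretap's file_read() so it builds outside the Wireshark tree.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical "myproto" header, constructed for this example only: "MYPR" magic
 * (bytes 0-3), version (byte 4, only 1 known), flags (5), LE record length (6-7). */
#define MYPROTO_MAX_REC 9000   /* plausibility cap, chosen for the example */

/* Same contract as the open routine: 1 = ours, 0 = not ours, -1 = I/O error (errno
 * in *err).  A merely short file is "not ours", so wiretap tries the next open routine. */
int myproto_check_fp(FILE *fp, int *err)
{
    unsigned char hdr[8];
    unsigned rec_len;
    *err = 0;
    if (fread(hdr, 1, sizeof hdr, fp) < sizeof hdr) {
        if (ferror(fp)) {
            *err = errno ? errno : EIO;   /* genuine read failure */
            return -1;
        }
        return 0;                         /* short file: cannot be ours */
    }
    if (memcmp(hdr, "MYPR", 4) != 0 || hdr[4] != 1)
        return 0;                         /* wrong magic or unknown version */
    rec_len = hdr[6] | (hdr[7] << 8);
    if (rec_len == 0 || rec_len > MYPROTO_MAX_REC)
        return 0;                         /* implausible length: refuse early */
    return 1;
}

/* Probe an in-memory byte string via a temp file so the FILE* path is exercised. */
int myproto_probe(const unsigned char *data, size_t len)
{
    int err, rc = -1;
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    if (fwrite(data, 1, len, fp) == len) {   /* a failed write stays -1 */
        rewind(fp);
        rc = myproto_check_fp(fp, &err);
    }
    fclose(fp);
    return rc;
}

const unsigned char MYPROTO_GOOD[]   = { 'M','Y','P','R', 1, 0, 0x40, 0 };    /* constructed sample, rec_len 64 */
const unsigned char MYPROTO_SHORT[]  = { 'M','Y','P','R', 1 };                /* truncated header */
const unsigned char MYPROTO_BADVER[] = { 'M','Y','P','R', 2, 0, 0x40, 0 };    /* unknown version */
const unsigned char MYPROTO_HUGE[]   = { 'M','Y','P','R', 1, 0, 0xFF, 0xFF }; /* rec_len 65535 */
```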

--- On Sat, 3/3/12, ashish goel <ashish.kumar.go...@gmail.com> wrote:

From: ashish goel <ashish.kumar.go...@gmail.com>
Subject: Re: [Wireshark-dev] How can I register a link layer protocol?
To: "Developer support list for Wireshark" <wireshark-dev@wireshark.org>
Date: Saturday, March 3, 2012, 12:30 PM

Hi Armando,

Have you checked whether your protocol is registered or not? One way to check this 
is to type your protocol's name in Wireshark's Display Filter textbox; the 
textbox's background should turn green.

If your protocol is registered and it is not showing as a valid protocol while 
adding it to the DLT_User encapsulation table, then the DLT_user file might have 
been corrupted. Try creating a new workspace and implementing your changes in 
that. It should work.


2012/3/3 Armando Vázquez <avr...@gmail.com>

Thanks Ashish!
When I tried this my protocol does not show up as a valid protocol, why is 
that? I tried using my dissector for the header protocol, but it should also 
dissect 2 trailer bytes, does that represent a problem? What should I put in 
the header size field?

Besides, I've read that using the GUI and editing the DLT_User is the same as 
using the function dissector_add_uint(), am I right? If so, why isn't it working? 
Should I change something else in pcap-common.c or wtap.c or wtap.h?

Armando Vázquez Ramírez

On Sat, Mar 3, 2012 at 6:27 AM, ashish goel <ashish.kumar.go...@gmail.com> 
wrote:

Hi Armando,
There is a way you can do it through the Wireshark GUI. Go to preferences -> 
protocols -> DLT_User. Here click on edit and add your protocol on any of the 
User DLTs (147 - 162). But make sure that the pcap file you are using has 
defined the same DLT value in its global header.

Hope this helps.

Thanks,
Ashish
2012/3/2 Armando Vázquez <avr...@gmail.com>

Hi guys,
I've read the developer's guide, README.developer and the wiretap plugin wiki and 
found no answer. Here is my problem. I'm trying to use Wireshark for dissecting a 
pcap capture of a protocol that is not currently defined in Wireshark. So I 
started writing a plugin, but I haven't been able to declare or register this 
dissector so it is enabled as a link layer dissector. I need to achieve this 
because this is not an internet protocol, so I need to identify it in this layer.

I've already read this dev-topic 
(http://www.mail-archive.com/wireshark-dev@wireshark.org/msg05931.html) but I 
didn't understand it well.

The dissection part works fine, I've tested it using a pcap and nesting it on 
top of TCP. I would really appreciate your help.
Also I've added in wtap.h

#define WTAP_ENCAP_MYPROTOCOL 147

and in wtap.c

static struct encap_type_info encap_table_base[] = {
    ...
    { "RESERVED 138", "res0" },     { "RESERVED 139", "res1" },     { "RESERVED 140", "res2" },
    { "RESERVED 141", "res3" },     { "RESERVED 142", "res4" },
    { "RESERVED 143", "res5" },     { "RESERVED 144", "res6" },
    { "RESERVED 145", "res7" },     { "RESERVED 146", "res8" },
    /* WTAP_ENCAP_MYPROTOCOL */     { "MY PROTOCOL", "myprotocol" }
};
Here are the register and handoff sections of my code

----------------------------------------------------------------------------------

void proto_register_myprotocol (void)
{
    ...
    myprotocol_dissector_table = register_dissector_table("myprotocol.proto",
        "ACN protocol number", FT_UINT8, BASE_HEX);

    proto_register_field_array (proto_myprotocol, hf, array_length (hf));
    proto_register_subtree_array (ett, array_length (ett));

    register_dissector("myprotocol", dissect_myprotocol, proto_myprotocol);
}

void proto_reg_handoff_myprotocol(void)
{
    data_handle = find_dissector("data");
    myprotocol_handle = create_dissector_handle(dissect_myprotocol, proto_myprotocol);

    dissector_add_uint("wtap_encap", WTAP_ENCAP_MYPROTOCOL, myprotocol_handle);
    dissector_add_uint("tcp.port", global_myprotocol_port, myprotocol_handle);
    // Registering this on top of TCP was only to develop the dissection part,
    // this won't be present in the release version
}
----------------------------------------------------------------------------------

___________________________________________________________________________

Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>

Archives:    http://www.wireshark.org/lists/wireshark-dev

Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev

             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

-- 
Thanks,
Ashish

-- 
Thanks,
Ashish