Wireshark · Ethereal-dev: Re: [Ethereal-dev] non-ethernet use of ethereal

Ethereal-dev: Re: [Ethereal-dev] non-ethernet use of ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Mon, 13 Sep 2004 11:23:04 -0700

Ray Rizzuto wrote:

I would like to create a disector that will decode packets that have NOethernet or IP headers. My disector will decode a proprietary linklevel, then make use of existing disectors to decode the payload. Isthis possible?

Yes. We certainly support link layers other than Ethernet, and supportprotocols running atop Ethernet - or other link layers - other than IP.

Any hints on where to get started?

For starters, you will have to be able to read some capture file formatthat encapsulates your packets.

If you're not using an existing capture file format, you will have toadd to Wiretap (the library Ethereal, Tethereal, etc. use to read andwrite capture files; it's in the "wiretap" subdirectory of the source)the ability to read that file format, if it's not a format it already reads.

If your link-layer protocol is the lowest-layer protocol that will be inthe capture file, you will need a WTAP_ENCAP value to "wiretap/wtap.h"for that type, and will need to have the code in Wiretap that readsyour capture files recognize captures with your protocol and use thatencapsulation type. Note that if this is going to be a private versionof Ethereal not supplied outside your organization, you can use one ofthe WTAP_ENCAP_USER{N} types - they were added specifically for thispurpose, i.e. private encapsulation types. If you'll be making yourchanges to Ethereal publicly available, you should add a new WTAP_ENCAPvalue, and send your changes to us to make them part of the standardEthereal release.

You will then make your dissector for your protocol register itself asthe handler for that WTAP_ENCAP value with a call to "dissector_add()",using "wtap_encap" as the dissector table name and the WTAP_ENCAP valuename as the value. See other calls to "dissector_add()" for examples.

If your protocol *isn't* the lowest-layer protocol, you'd have toarrange that your dissector be called by the dissector for the protocolbelow it. How that'd be done depends on that dissector; it might bepossible to have your dissector register itself as the handler for somevalue.

Your dissector would then have to arrange to call dissectors for theprotocol running atop it. We'd have to know how that'd be done - forexample, if there's a "protocol type" value in your link-layer protocol,you might have to add a dissector table for that value and modify theother dissectors to register in your table, or, if the table has thesame values as some other protocol's protocol type field (e.g., Ethernettypes), you might be able to use that protocol's dissector table.

References:
- [Ethereal-dev] non-ethernet use of ethereal
  - From: Ray Rizzuto

Prev by Date: [Ethereal-dev] non-ethernet use of ethereal
Next by Date: Re: [Ethereal-dev] Having a hard time updating renamed Ethereal.desktop to ethereal.desktop file with TortoiseSVN
Previous by thread: [Ethereal-dev] non-ethernet use of ethereal
Next by thread: RE: [Ethereal-dev] non-ethernet use of ethereal
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$