Wireshark · Ethereal-dev: Re: [Ethereal-dev] How to subscribe on LLC/SNAP

Ethereal-dev: Re: [Ethereal-dev] How to subscribe on LLC/SNAP

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>

Date: Wed, 3 Dec 2003 11:44:34 -0800


On Dec 2, 2003, at 11:46 PM, Alex V. Boreskoff wrote:

Sorry for stupid question,
but how can I subscribe my dissector on LLC/SNAP

This -
     dissector_add ( "llc.dsap", 0xAA, hMyDissector );
does not work

If the protocol for which you're writing a dissector is using a DSAP of0xAA (and thus preventing any SNAP-based protocol from running on anymachine on which it's running!), you would have to modify the LLCdissector not to check for a DSAP and an SSAP of 0xAA (a modificationthat will not be in the official Ethereal releases, so you'd have tomaintain your own private version of Ethereal - but, then, protocolsshouldn't use 0xAA in any case) and then use that "dissector_add()"call.

If, however, the protocol for which you're writing a dissector is usingLLC/SNAP in the way it's supposed to be written, you would *NOT* usethat "dissector_add()" call, which you wouldn't want to do *anyway*,because you don't want to have to dissect the SNAP header yourself, youwant the Ethereal LLC dissector to do it for you.


If the protocol has an Ethernet type assigned to it, you'd just do

	dissector_add("ethertype", {the Ethernet type value}, hMyDissector);

If the protocol has a SNAP PID assigned to it for use with some OUI*other* than the 00:00:00 used for Ethernet types, and that OUI is notone of the ones for which we already have support (00:00:0C and00:00:F8 for Cisco, 00:00:81 for Nortel, 08:00:07 for Appletalk,00:80:C2 for MAC frames bridged over ATM or Frame Relay, or 00:E0:2Ffor DOCSIS spanning tree), you'd:

create a file to handle that OUI, similar to "packet-cisco-oui.c" or"packet-nt-oui.c", which would create a dissector table for protocolIDs for that OUI;


	register your dissector in that dissector table with

dissector_add({that dissector table's name}, {the protocol's PID},hMyDissector);


If the protocol has a PID for 00:00:0C, you'd do

	dissector_add("llc.cisco_pid", {the protocol's PID}, hMyDissector);

If the protocol has a PID for 00:00:81, you'd do

	dissector_add("llc.nortel_pid", {the protocol's PID}, hMyDissector);

If the protocol has a PID for 00:00:F8, those appear to be Ethernettypes, and you'd do


	dissector_add("ethertype", {the protocol's PID}, hMyDissector);

and the same applies for 08:00:07.

For 00:80:C2 or 00:E0:2F, you'd have to modify "packet-llc.c".

References:
- [Ethereal-dev] How to subscribe on LLC/SNAP
  - From: Alex V. Boreskoff

Prev by Date: [Ethereal-dev] Update to packet-bootp.c for Options 78-79
Next by Date: Re: [Ethereal-dev] Non-portable code in airopeek.c
Previous by thread: [Ethereal-dev] How to subscribe on LLC/SNAP
Next by thread: Re: [Ethereal-dev] patch for packet-smb.c (Locking_AndX)
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$