Wireshark-dev: Re: [Wireshark-dev] Start Dissection from an upper layer?
From: "Gilbert Ramirez" <gram@xxxxxxxxxxxxxxx>
Date: Tue, 10 Jun 2008 17:32:00 +0530
How do the 2nd-layer dissectors get called normally? Because they
register themselves with Wireshark, saying that if "wtap_encap" (the
wiretap encapsulation) is a certain type, then call them.

For example, from packet-eth.c:

       dissector_add("wtap_encap", WTAP_ENCAP_ETHERNET, eth_maybefcs_handle);

By whatever method you're feeding your packet traces into Wireshark,
if you can cause the wiretap encapsulation type to be a new value that
you create, WTAP_ENCAP_IPX, then you can modify packet-ipx.c to
register itself against "wtap_encap" == WTAP_ENCAP_IPX.  Then the
dissection will start at the IPX level.

--gilbert

On Tue, Jun 10, 2008 at 4:55 PM, Guillaume Bienkowski
<guillaume.bienkowski@xxxxxxxxxxxx> wrote:
> Hello Guys,
>
> I have successfully written a program that uses the Wireshark Lib to
> dissect some packets.
>
> The thing is, through the API I was given from my boss, I can only
> receive information from the 3rd layer (IPv4, IPX, ... layer), which
> confuses the dissectors, and screws the dissection.
>
> One solution would be to allocate a temporary buffer which would include
> my 3rd layer and above, plus a fake header from the 2 bottom layers; but
> this would mean that I'd have to allocate memory for every packet... not
> really optimized..
>
> Is it possible to use epan_dissect_run() from an upper layer, telling
> the library to start dissecting from a packet that has already been
> shortened?
>
> Thanks in advance,
>
> Guillaume
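An added illustration, not part of the original thread and not Wireshark code: a standalone C model of the encapsulation-keyed dispatch described in the reply above, where a raw-IPX encapsulation value routes a buffer straight to an IPX dissector with no link-layer header in front of it. The names ENCAP_RAW_IPX, table_add and dissect_frame are hypothetical, and the sample bytes are constructed for this example.

```c
/* Standalone model of an encapsulation-keyed dissector table; NOT Wireshark code.
 * ENCAP_* values, table_add() and dissect_frame() are hypothetical names. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { ENCAP_ETHERNET = 1, ENCAP_RAW_IPX = 2, ENCAP_MAX = 8 };
#define IPX_HDR_LEN 30

/* A dissector returns the bytes it consumed, or -1 on malformed input. */
typedef int (*dissector_t)(const uint8_t *buf, size_t len, char *out, size_t outlen);
static dissector_t encap_table[ENCAP_MAX];

/* Model of registering a handle against an encapsulation value. */
static int table_add(int encap, dissector_t d) {
    if (encap < 0 || encap >= ENCAP_MAX || d == NULL) return -1;
    encap_table[encap] = d;
    return 0;
}

/* IPX header: checksum(2) length(2) hops(1) type(1) dst net/node/socket(4+6+2) src(4+6+2). */
static int dissect_ipx(const uint8_t *buf, size_t len, char *out, size_t outlen) {
    if (len < IPX_HDR_LEN) return -1;               /* truncated: never read past the buffer */
    unsigned ipx_len = (unsigned)buf[2] << 8 | buf[3];
    if (ipx_len < IPX_HDR_LEN || ipx_len > len) return -1;  /* length field must fit the data */
    unsigned dst_sock = (unsigned)buf[16] << 8 | buf[17];
    snprintf(out, outlen, "IPX type=%u dst_socket=0x%04x len=%u",
             (unsigned)buf[5], dst_sock, ipx_len);
    return IPX_HDR_LEN;
}

/* Entry point: the encapsulation value chooses the first dissector to run. */
static int dissect_frame(int encap, const uint8_t *buf, size_t len, char *out, size_t outlen) {
    if (encap < 0 || encap >= ENCAP_MAX || encap_table[encap] == NULL) return -2;
    return encap_table[encap](buf, len, out, outlen);
}

/* Constructed sample: a bare 30-byte IPX header, no Ethernet bytes before it. */
static const uint8_t sample_ipx[IPX_HDR_LEN] = {
    0xff, 0xff, 0x00, 0x1e, 0x00, 0x04,   /* checksum, length=30, hops, type=4 */
    0x00, 0x00, 0x00, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x04, 0x52, /* dst */
    0x00, 0x00, 0x00, 0x01, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x40, 0x03  /* src */
};

int main(void) {
    char line[96];
    table_add(ENCAP_RAW_IPX, dissect_ipx);
    if (dissect_frame(ENCAP_RAW_IPX, sample_ipx, sizeof sample_ipx, line, sizeof line) > 0)
        puts(line);
    return 0;
}
```

Because nothing is registered for ENCAP_ETHERNET in this model, the same buffer submitted under that value is rejected rather than misparsed as a link-layer frame.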