Michael A. Ruzinsky wrote:
First of all, let me start out by saying I am relatively new to the wireshark development process; although I have read most of the development documentation. I feel that I understand enough of it to get started in writing my own dissector, but I think I need some help pointing me to the right starting point for my particular project.
I am currently developing a custom packet collector that collects data from various sources. Some of the packets in the file would be from a network and would consist of known protocols such as Ethernet/TCP/IP. But I would like also to include data from other sources as well, which may not be network data at all, but simply formatted data obtained from other devices.
So it would basically look like this:
[GLOBALHEADER DLT TYPE = 147]
[PKTHDR][PACKET = MYPROTO+ETHERNET(DLT=1)]
[PKTHDR][PACKET = MYPROTO+CUSTOM DATA #1]
[PKTHDR][PACKET = MYPROTO+CUSTOM DATA #2]
[PKTHDR][PACKET = MYPROTO+ETHERNET(DLT=1)]
I know I need to write dissectors for CUSTOM DATA #1 and #2, but I am not sure about how to implement MYPROTO.
In fact I am not sure it it is actually needed at all. In other words, if I write the two dissectors for #1 and #2 will wireshark recognize them from the frame, or do I need to encapsulate all of the packets in to one frame type (MYPROTO) and then write a dissector for MYPROTO?
I think you'll need a MYPROTO dissector as the current PCAP file format
does not allow you to have multiple DLTs (protocols) in one file.
(PCAP-NG addresses this limitation IIRC.)