Wireshark-dev: Re: [Wireshark-dev] Wireshark Dissector issue
From: Sean <yunjnz@xxxxxxxxx>
Date: Mon, 10 Nov 2008 15:32:53 -0800 (PST)


--- On Thu, 11/6/08, Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx> wrote:

> From: Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx>
> Subject: Re: [Wireshark-dev] Wireshark Dissector issue
> To: yunjnz@xxxxxxxxx, "Developer support list for Wireshark" <wireshark-dev@xxxxxxxxxxxxx>
> Date: Thursday, November 6, 2008, 2:52 AM
> On Wed, Nov 5, 2008 at 12:41 PM, Sean <yunjnz@xxxxxxxxx> wrote:
> 
> > Greetings,
> >
> > I'm new to Wireshark,
> > I'd like to implement a Wireshark dissector for a self-defined protocol,
> > there is an issue:
> > the packet data can't be decoded by the packet data itself,
> > so are there any methods for passing some options/choices to Wireshark for
> > additional information for decoding the packet data?
> >
> > As an example, the data packet can be decoded as different structures
> > depending on the data packet type,
> > and I don't want to modify the packet data itself,
> > does anyone have any information on how to implement this feature?
> >
> > Your help is highly appreciated.
> >
> 
> Hi,
> 
> I've faced the same issue when decoding user-plane protocols, which often
> rely upon information that isn't in the packet.
> 
> My approach has been to write the dissector to look up per-packet info
> (using p_get_proto_data()), and cast it to a struct that contains the
> additional information needed to do the decode (and in some cases, info not
> strictly-speaking needed for the decode but nice to display along with the
> actual decode).  See packet-umts_fp.c for an example of looking up and using
> the information in the struct (I have 3 LTE dissectors that work in a
> similar way that I'll try to check in soon).  If the same info applies to
> the whole capture, you may be able to store it in conversation info, or even
> just globally.
> 
> How you get the information into the struct is another matter.  The file
> format that I use is more of a log format than a raw capture format, so that
> extra information is available in the capture file and a dissector that
> understands the meta-information found in the file can attach this
> information before passing the real data to the actual protocol dissector
> (in this case, either packet-catapult-dct2000.c or packet-k12.c).
> 
> The other option, especially if the extra information is pretty static,
> might be to add dissector preferences where you can type in settings that
> affect how the decode is done.
> 
> Hope this helps,
> Martin
> 
> 


Hi,

Thanks for your help.
Is it possible to decode part of the packet as one format,
and part of the packet as another format?
For example, if a packet contains many units,
and the first unit is one format, the second one is another format, and so on,
does Wireshark support letting the user determine the unit decode format?

Regards,
Sean
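
A stand-alone C model of the pattern discussed in this thread, added here as an example and not taken from Wireshark or from either poster's code: a decoder walks a packet made of several units and picks each unit's format from out-of-band hints, failing cleanly when the hints are missing or a unit would run past the captured bytes. The names `unit_fmt`, `decode_info`, `dissect_units` and both unit formats are hypothetical; in a real dissector the struct would come from p_get_proto_data() or from preferences, and the bytes would be read through Wireshark's tvbuff accessors.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical unit formats; none of these names come from Wireshark. */
enum unit_fmt { FMT_U16, FMT_LV };

/* Out-of-band decode hints: the role of the struct a dissector would
 * fetch with p_get_proto_data() or fill from its preferences. */
struct decode_info { size_t n_units; enum unit_fmt fmt[8]; };

/* Constructed sample: U16 0x1234, LV carrying 3 bytes, U16 0x0001. */
static const uint8_t sample_pkt[] = { 0x12, 0x34, 0x03, 'a', 'b', 'c', 0x00, 0x01 };
static const struct decode_info sample_info = { 3, { FMT_U16, FMT_LV, FMT_U16 } };

/* Decode unit by unit, choosing each decoder from info. Returns the number
 * of units decoded, or -1 if the hints are missing or inconsistent or a
 * unit would extend past the end of the captured bytes. */
int dissect_units(const uint8_t *buf, size_t len,
                  const struct decode_info *info, uint32_t *out)
{
    size_t off = 0;                      /* invariant: off <= len */
    if (info == NULL || info->n_units > 8)
        return -1;                       /* no usable hints: do not guess */
    for (size_t i = 0; i < info->n_units; i++) {
        switch (info->fmt[i]) {
        case FMT_U16:                    /* 2-byte big-endian value */
            if (len - off < 2) return -1;
            out[i] = (uint32_t)buf[off] << 8 | buf[off + 1];
            off += 2;
            break;
        case FMT_LV: {                   /* 1-byte length, then value bytes */
            if (len - off < 1) return -1;
            size_t vlen = buf[off];
            if (len - off - 1 < vlen) return -1;
            out[i] = (uint32_t)vlen;     /* report the value length */
            off += 1 + vlen;
            break;
        }
        default:
            return -1;                   /* unknown format in the hints */
        }
    }
    return (int)info->n_units;
}

int main(void)
{
    uint32_t out[8];
    int n = dissect_units(sample_pkt, sizeof sample_pkt, &sample_info, out);
    printf("units=%d first=0x%x\n", n, n > 0 ? (unsigned)out[0] : 0u);
    return n == 3 ? 0 : 1;
}
```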