Ethereal-dev: Re: [Ethereal-dev] Inserting a non-standard Ethernet dissector?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 3 Feb 2004 11:07:25 -0800

On Tue, Feb 03, 2004 at 12:22:30AM -0500, Peter J. Creath wrote:
> I'm having trouble figuring out exactly where to hook in my dissector 
> so that it handles non-standard (proprietary) Ethernet frames.
> 
> Currently Ethereal is convinced that they're 802.3 LLC frames.  The 
> only way I've found to convince it otherwise is to take over the 
> WTAP_ETHERNET association (via 'dissector_add("wtap_encap", 
> WTAP_ETHERNET, dissect_mine)').  This seems less than ideal.  I could 
> do this and pass standard packets through to the original handler, 
> but this seems inelegant (or at least fragile).  Is there some way to 
> apply a heuristic to a raw frame and dissect it as my custom frame 
> before Ethereal interprets it as an 802.3 frame?

No.

> Or is there another approach I'm missing?

Given that a frame that neither

	1) has 2 6-octet MAC addresses followed by a length field <=
	   1500

nor

	2) has 2 6-octet MAC addresses followed by a type field >= 1536

is a valid 802.3 frame, there is no mechanism within Ethereal to handle
"Ethernet" frames other than those types.  (Well, actually, we treat
frames in the 1501-1535 range as Ethernet II frames.)

Therefore, for those applications where non-Ethernet packets are put
inside Ethernet low-level framing (which is presumably what you're
doing), a couple of special mechanisms could be used.

For Cisco's cable-modem stuff that sends out DOCSIS frames inside
Ethernet framing (so that you can capture DOCSIS traffic with an
Ethernet network analyzer), there is, in "packet-frame.c", code to treat
all frames as DOCSIS frames if a configuration option is set.

Alternatively, you could modify the Ethernet dissector to have an option
to pass on packets to another dissector.

Those are inelegant, but, frankly, I'd say the same about most forms of
stuffing non-Ethernet packets inside Ethernet framing....
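
Added example, not part of the original message and not Ethereal's code: a stand-alone C model of the type/length rule described in the reply, including the 1501-1535 range and a short-capture check. The preference `pref_force_custom`, the function and enum names, and the sample headers are all constructed for illustration; the preference stands in for the configuration-option approach the reply describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN    14   /* two 6-octet MAC addresses + 2-octet type/length */
#define IEEE_8023_MAX  1500 /* field <= 1500 is an 802.3 length */

typedef enum { FRAME_TOO_SHORT, FRAME_802_3, FRAME_ETHERNET_II, FRAME_CUSTOM } frame_kind;

/* Hypothetical preference, modelled on the "treat all frames as DOCSIS" option. */
static int pref_force_custom = 0;

frame_kind classify_frame(const uint8_t *frame, size_t caplen)
{
    uint16_t field;

    /* The override does not look at the bytes at all; the custom
     * dissector it hands off to must do its own bounds checks. */
    if (pref_force_custom)
        return FRAME_CUSTOM;
    if (frame == NULL || caplen < ETH_HDR_LEN)
        return FRAME_TOO_SHORT;
    /* Big-endian 16-bit field that follows the two MAC addresses. */
    field = (uint16_t)((frame[12] << 8) | frame[13]);
    /* 1501-1535 falls through to Ethernet II, as the message notes. */
    return field <= IEEE_8023_MAX ? FRAME_802_3 : FRAME_ETHERNET_II;
}

/* Constructed sample headers: broadcast destination, made-up source. */
#define MACS 0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55
static const uint8_t hdr_len_46[]    = { MACS, 0x00, 0x2e }; /* length 46 */
static const uint8_t hdr_len_1500[]  = { MACS, 0x05, 0xdc }; /* length 1500 */
static const uint8_t hdr_gap_1501[]  = { MACS, 0x05, 0xdd }; /* 1501, in the gap */
static const uint8_t hdr_type_ipv4[] = { MACS, 0x08, 0x00 }; /* type 0x0800 */

int main(void)
{
    static const char *names[] = { "too short", "802.3", "Ethernet II", "custom" };

    printf("46     -> %s\n", names[classify_frame(hdr_len_46, sizeof hdr_len_46)]);
    printf("1500   -> %s\n", names[classify_frame(hdr_len_1500, sizeof hdr_len_1500)]);
    printf("1501   -> %s\n", names[classify_frame(hdr_gap_1501, sizeof hdr_gap_1501)]);
    printf("0x0800 -> %s\n", names[classify_frame(hdr_type_ipv4, sizeof hdr_type_ipv4)]);
    printf("13 octets captured -> %s\n", names[classify_frame(hdr_type_ipv4, 13)]);
    return 0;
}
```

A proprietary frame whose octets 12-13 happen to hold a value of 1500 or less lands in the 802.3 branch, which is why the original poster saw LLC decoding; only the override changes that outcome.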