Ethereal-users: Re: [Ethereal-users] Problems adding a dissector

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Mon, 28 May 2001 13:24:33 -0700

On Mon, May 28, 2001 at 11:59:36AM -0500, Patrick Hartling wrote:
> I have been trying to add a dissector for a TCP-based protocol, but I
> cannot seem to get Ethereal 0.8.18 to use it.  I read README.developer and
> have been comparing the code I wrote with that of other dissectors, but I
> have hit a wall.  The primary problems may be my inexperience with
> Ethereal and the fact that the protocol I am dissecting uses port 6000,
> the same as X11.

That's arguably a bit of an error on the part of the protocol designer,
if they explicitly chose 6000, unless it would *never* be the case that
a machine running an X server would also run a server for that protocol.

> When I load the dump (generated with snoop), Ethereal
> thinks it is a collection of X11 packets.

It's irrelevant what packet capture program generated the capture.

> When I try to decode it using
> my dissector (through the Decode As ... menu option), the added protocol
> isn't showing up in the list.

It'll only show up if either

	1) the dissector is registered, using "dissector_add", with the
	   "tcp.port" dissector table (as a dissector for port 6000)

or

	2) it's registered as a heuristic dissector with the "tcp"
	   heuristic dissector table (which would make sense only if
	   the protocol weren't given a specific port number *and* it
	   were possible to identify all packets for that protocol by
	   looking at the contents)

or

	3) it's registered as a conversation dissector with the "tcp"
	   conversation dissector table.

If you don't do one of those three, Ethereal has no way of knowing that
the protocol in question runs atop TCP.

> It does, however, appear in the dialog
> showing all the decoding protocols.  Is there something that I have to do
> beyond calling proto_register_protocol() from my dissector's
> proto_register_xxx() function?

Yes, you have to do one of the three things listed.

> Would it help if I remove the X11 dissector?

If you don't do 1), then removing the X11 dissector (or disabling it
from the dialog showing all the decoding protocols) would only mean that
traffic to or from port 6000 wouldn't be dissected at all, rather than
being dissected as X11 traffic.
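
The registration rule described in this reply, as a stand-alone C model (an added example, not part of the original message and not Ethereal source code). Every identifier in it, the hypothetical protocol "XYZ", and the first-registered-wins tie-break are assumptions made for illustration; the only real calls named in the thread are proto_register_protocol() and dissector_add.

```c
/* Stand-alone model of the rule above; NOT Ethereal source. All names are illustrative. */
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
typedef const char *(*dissector_fn)(void);   /* returns the protocol label shown */
struct port_entry { unsigned port; const char *proto; dissector_fn fn; };

static const char *known_protos[MAX_ENTRIES]; static int n_known;   /* "all protocols" dialog */
static struct port_entry tcp_port[MAX_ENTRIES]; static int n_port;  /* model of "tcp.port" table */

static const char *dissect_x11(void) { return "X11"; }
static const char *dissect_xyz(void) { return "XYZ"; }   /* hypothetical new protocol */

/* Models proto_register_protocol(): names the protocol, nothing more. */
static void model_register_protocol(const char *proto) {
    if (n_known < MAX_ENTRIES) known_protos[n_known++] = proto;
}
/* Models option 1 in the reply: bind a dissector to a TCP port. */
static void model_dissector_add(unsigned port, const char *proto, dissector_fn fn) {
    if (n_port < MAX_ENTRIES) tcp_port[n_port++] = (struct port_entry){ port, proto, fn };
}
static int in_protocol_dialog(const char *proto) {
    for (int i = 0; i < n_known; i++) if (!strcmp(known_protos[i], proto)) return 1;
    return 0;
}
/* Decode As offers only protocols that have an entry in the TCP table. */
static int in_decode_as_list(const char *proto) {
    for (int i = 0; i < n_port; i++) if (!strcmp(tcp_port[i].proto, proto)) return 1;
    return 0;
}
/* choice: Decode As selection or NULL; disabled: protocol switched off or NULL.
 * Model assumption: without a selection, the first entry registered for the port wins. */
static const char *dispatch(unsigned port, const char *choice, const char *disabled) {
    for (int i = 0; i < n_port; i++) {
        const struct port_entry *e = &tcp_port[i];
        if (disabled && !strcmp(e->proto, disabled)) continue;
        if (choice ? !strcmp(e->proto, choice) : e->port == port) return e->fn();
    }
    return "data";   /* no dissector reachable: payload is left undissected */
}

int main(void) {
    model_register_protocol("X11"); model_dissector_add(6000, "X11", dissect_x11);
    model_register_protocol("XYZ");                       /* name only, as in the question */
    printf("before: dialog=%d decode-as=%d port6000=%s\n", in_protocol_dialog("XYZ"),
           in_decode_as_list("XYZ"), dispatch(6000, NULL, NULL));
    printf("X11 disabled: %s\n", dispatch(6000, NULL, "X11"));
    model_dissector_add(6000, "XYZ", dissect_xyz);        /* option 1 from the reply */
    printf("after: decode-as=%d chosen=%s\n", in_decode_as_list("XYZ"), dispatch(6000, "XYZ", NULL));
    return 0;
}
```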