Wireshark-dev: Re: [Wireshark-dev] Understanding a file format with no underlying protocol info

From: Jeff Morriss <jeff.morriss@xxxxxxxxxxx>
Date: Tue, 25 Jul 2006 09:53:13 +0800


Priyanka Kamath wrote:
Hi All,
I have a capture file which I am interested in showing on the Wireshark GUI. My capture file has info about only *one* protocol (proprietary) and no other protocol. I am planning to write a dissector for my file. I am confused as to how Ethereal will call my dissector. My file has no data link information which Ethereal may understand. Do I have to assign a DLT_ value for my protocol? According to my understanding, I need to do the following so that Wireshark understands my file format:
1. Assign a DLT_ value to it.
2. Write a parser which will convert it into pcap format (something similar to text2pcap).
3. Write a dissector and register it with the wtap_encap table by calling dissector_add().
Please do correct me if I am wrong. This is really really important. I have searched a lot on the net and found information about writing dissectors etc. I just want to know if I am on the right track.

Yes, you basically have 2 options:

- do like you suggest above (using the PCAP file format)
- NOTE about (1): DLT_ values are controlled by the folks at tcpdump.org. You can't just assign any unused DLT_ value, you need to ask for one to be assigned by emailing tcpdump-workers[AT]lists.tcpdump.org .

- (or) write your own file format and then update Wireshark's wiretap library to understand it (wiretap already understands many file formats so there should be some good examples there to work from).
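The first option in the reply (a text2pcap-style converter that wraps the proprietary records in pcap with a chosen DLT_ value) is simple enough to show end to end. The script below is an added example, not code from the thread or from the Wireshark project. The input record layout (a uint32 seconds, uint32 microseconds and uint16 length header in front of each payload) is a constructed stand-in for the poster's proprietary file, and the sample bytes are constructed. It uses DLT_USER0 (link type 147) because libpcap reserves 147..162 (LINKTYPE_USER0..USER15) for private use, which is the right choice while experimenting; a format that ships to other people should still get a value assigned by tcpdump.org as the reply says.

```python
"""Convert a (constructed) proprietary capture into a pcap file with a chosen DLT_ value."""
import struct

# libpcap reserves link types 147..162 (LINKTYPE_USER0..USER15) for private use.
# Fine for local experiments; a published format should get an assigned value.
DLT_USER0 = 147

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap magic, microsecond timestamps
PCAP_VERSION = (2, 4)
SNAPLEN = 65535
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")         # ts_sec, ts_usec, incl_len, orig_len

# Constructed record layout of the hypothetical proprietary file (an assumption):
#   uint32 ts_sec | uint32 ts_usec | uint16 payload_len | payload bytes
REC_HDR = struct.Struct("<IIH")


def parse_records(blob: bytes):
    """Split the proprietary file into (ts_sec, ts_usec, payload) tuples.

    A truncated record raises ValueError instead of producing a short packet,
    so corrupt input is caught here rather than inside a dissector.
    """
    records = []
    off = 0
    while off < len(blob):
        if len(blob) - off < REC_HDR.size:
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_usec, plen = REC_HDR.unpack_from(blob, off)
        off += REC_HDR.size
        if len(blob) - off < plen:
            raise ValueError(f"truncated payload at offset {off}")
        records.append((ts_sec, ts_usec, blob[off:off + plen]))
        off += plen
    return records


def build_pcap(records, linktype: int = DLT_USER0) -> bytes:
    """Serialise records as a little-endian pcap file whose global header carries linktype."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, *PCAP_VERSION, 0, 0, SNAPLEN, linktype))
    for ts_sec, ts_usec, payload in records:
        incl = min(len(payload), SNAPLEN)          # honour snaplen like a real capture tool
        out += PKT_HDR.pack(ts_sec, ts_usec, incl, len(payload))
        out += payload[:incl]
    return bytes(out)


def read_pcap(data: bytes):
    """Minimal pcap reader used to check the round trip; returns (linktype, packets)."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    packets = []
    off = GLOBAL_HDR.size
    while off < len(data):
        ts_sec, ts_usec, incl, _orig = PKT_HDR.unpack_from(data, off)
        off += PKT_HDR.size
        packets.append((ts_sec, ts_usec, data[off:off + incl]))
        off += incl
    return linktype, packets


def convert(blob: bytes, linktype: int = DLT_USER0) -> bytes:
    """Proprietary file bytes in, pcap file bytes out."""
    return build_pcap(parse_records(blob), linktype)


# Constructed sample input: two records of the hypothetical format.
SAMPLE = (
    REC_HDR.pack(1153792393, 250000, 4) + b"\x01\x02\x03\x04"
    + REC_HDR.pack(1153792394, 0, 2) + b"\xff\x00"
)

if __name__ == "__main__":
    with open("proprietary.pcap", "wb") as fh:
        fh.write(convert(SAMPLE))
```

The resulting file opens in Wireshark as link type 147; for a quick look without writing any C, the DLT_USER preferences (Edit > Preferences > Protocols > DLT_USER) let you map that link type to an existing dissector. The dissector you eventually write registers for the same value on the wtap_encap table, which is the step (3) in the original question.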