Wireshark-dev: Re: [Wireshark-dev] Questions about dev

From: "Neha Chahal" <neha.chahal@xxxxxxxxx>
Date: Tue, 7 Nov 2006 10:59:35 -0800
On 11/7/06, Guy Harris <guy@xxxxxxxxxxxx> wrote:
Neha Chahal wrote:

> I am very new to the ethereal source code. I want to add a dissector
> that understands my protocol, "my_proto".
>
> Problem statement:
>
> I have a binary file my_proto_dump.log. This file has packets received
> by my application.

What format is that file in?
The format of the file is binary and the protocol is LEA.


> I want ethereal to read from a binary file packets in my_proto
> protocol and then be able to dissect these packets and produce an
> output file.
>
> I am having a hard time understanding how to join the pieces together.
>
> I have a few questions about this.
>
> 1.    To make ethereal dissect my protocol I have to add a dissector,
> right? I would have to add under plugins/my_proto.c, which is my
> dissector. This step has been explained nicely in the manual. I did
> this.
> 2.    How do I make ethereal call my dissector?

Is your protocol the bottommost protocol (for example, in an Ethernet
capture, the bottommost protocol is Ethernet), or is it a protocol that
runs atop another protocol (for example, in that Ethernet capture, an IP
packet would probably have IP running atop Ethernet)?

It is a protocol at the application layer. So it is the topmost protocol.


> 3.    Do I have to make changes to add my capture file type in the wiretap/ dir?

Only if your binary file is in a format that Wireshark doesn't already
support.  If, for example, it's a capture file in the format that
tcpdump/WinDump supports, that's also the standard format that Wireshark
uses, and so you already have code to support it.


No, it is not a format Wireshark supports. I tried tethereal on my
binary file and it prints a message -- format not supported. The
format is LEA format.

> 4.    What is the difference between the read and seek_read functions?

The read function is used in TShark, which only does a sequential read
of the file, and in Wireshark when the file is first read in.

The seek_read function is used after that in Wireshark, because packets
aren't necessarily processed in sequential order once the capture has
been read in.

So I have to implement both. Is that true?

> Do I
> have to return the packet in the wth->format_buffer?

Presumably you meant "wth->frame_buffer".

If so, then the read routine returns the packet there, and the seek_read
routine returns the packet in the buffer pointed to by the "pd" argument.

So my read routine is returning the packet in wth->frame_buffer. But I
have not implemented the seek_read. The README.dev says "implement
seek_read if necessary". What does this mean? When is it necessary?


> Is this packet
> used by the dissector to dissect?

Those packet contents are what the dissectors in TShark and Wireshark
dissect.

> If yes this packet should have all
> the bits I mention in the dissector code ?

It should have all the bits that were captured from the network. :-)

("Bits" here meaning "binary digits" - i.e., it's just the raw contents
of the packet.)

My packets don't have any transport layer headers. They are in the
format I have specified in the dissector. So this is what my packet
looks like:

fixed header
payload header
variable length payload

In the dissector I have given protocol details starting from the fixed
header. So the packet that I return in the wth->frame_buffer should
start from the fixed header to the end of the payload. Is this
correct?

Where should the data offset point: at the payload header or at the
fixed header?


> 5.    After this what is the ethereal output format? Do I have to specify
> the output format also?

What do you mean by "output format"?

The output of a dissector is some protocol tree entries added to the
tree, and information used to generate the columns in the summary
display.  Code outside the dissector - code that you will not have to
write or modify, unless your protocol somehow requires some additional
features, which it almost certainly doesn't - turns that into
information in windows on the display, or text in a text file, or XML in
a PSML or PDML file, or....  Those output formats are not anything you
have to deal with.

Yes, thank you, understood now.

If your capture file is in a format that Wireshark doesn't currently
support writing, and you want to allow it to read in a file in some
other format and write it out in your format, you'd have to add code to
Wiretap to write that format.

Okay. So I just want it to read the binary stream from a file. This file
is created by my application that just dumps incoming LEA format
messages in binary format. So I think I need to add a module in the
wiretap too.


Thank you so much. This has helped me a lot. Excuse me if my questions
are naive, but I really need the answers. Hope I have answered your
questions in detail and you understand my answers.

Thanks a lot.

Best Regards
Neha
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev



--
Thanks and Regards,
Neha Chahal
Cell- 443 207 0414
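The read / seek_read question and the question of where the data offset should point, shown in working C as an added example. This is not Wireshark's wiretap code and not the real LEA format: the record layout (fixed header, payload header, variable-length payload, with the field sizes chosen here), the my_read / my_seek_read names, the wth_t stand-in struct and the sample dump are all assumptions made for this illustration. The sequential routine records, for every record, the offset of its fixed header; that is where the data offset points, because the fixed header is the first byte the dissector is given. The random-access routine is later handed that offset plus the length noted on the first pass and must return the identical bytes without re-walking the stream, which is why both routines exist once packets are revisited out of order. The second demo function shows the failure mode to handle: a dump cut off inside a record must make the read fail rather than deliver a short frame.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record layout (an assumption for this example, not the real LEA
 * format): 4-byte fixed header = 2-byte big-endian payload length, type, flags;
 * 4-byte payload header = big-endian sequence number; then the payload bytes. */
#define FIXED_HDR_LEN   4
#define PAYLOAD_HDR_LEN 4
#define MAX_REC         (FIXED_HDR_LEN + PAYLOAD_HDR_LEN + 65535)

/* Stand-in for wiretap's wtap struct (assumed names, not the real one). */
typedef struct {
    FILE   *fh;
    long    data_offset;    /* where the record last returned by my_read starts */
    size_t  frame_len;
    uint8_t frame_buffer[MAX_REC];
} wth_t;

/* Sequential "read" routine: 1 = whole record now in wth->frame_buffer,
 * 0 = clean end of file, -1 = file ends inside a record. data_offset is the
 * position of the fixed header: the first byte the dissector sees, and the
 * value that seek_read is handed later. */
int my_read(wth_t *wth)
{
    long off = ftell(wth->fh);
    uint8_t hdr[FIXED_HDR_LEN];
    size_t n = fread(hdr, 1, FIXED_HDR_LEN, wth->fh);
    if (n < FIXED_HDR_LEN)
        return n == 0 ? 0 : -1;         /* EOF between records, or a cut header */
    size_t rest = PAYLOAD_HDR_LEN + (((size_t)hdr[0] << 8) | hdr[1]);
    memcpy(wth->frame_buffer, hdr, FIXED_HDR_LEN);
    if (fread(wth->frame_buffer + FIXED_HDR_LEN, 1, rest, wth->fh) != rest)
        return -1;                      /* truncated: never hand out a short frame */
    wth->data_offset = off;
    wth->frame_len   = FIXED_HDR_LEN + rest;
    return 1;
}

/* Random-access "seek_read" routine: no re-parsing of the stream, it is given
 * the offset and length recorded on the first pass and must return exactly
 * that record in pd. 1 on success, -1 otherwise. */
int my_seek_read(wth_t *wth, long seek_off, uint8_t *pd, size_t length)
{
    if (fseek(wth->fh, seek_off, SEEK_SET) != 0)
        return -1;
    return fread(pd, 1, length, wth->fh) == length ? 1 : -1;
}

/* Constructed sample dump: three records, the second with an empty payload. */
static const uint8_t SAMPLE[] = {
    0x00,0x03, 0x01,0x00, 0x00,0x00,0x00,0x01, 'a','b','c',          /* offset 0,  11 bytes */
    0x00,0x00, 0x02,0x00, 0x00,0x00,0x00,0x02,                       /* offset 11,  8 bytes */
    0x00,0x05, 0x01,0x01, 0x00,0x00,0x00,0x03, 'h','e','l','l','o',  /* offset 19, 13 bytes */
};

/* Write the first nbytes of SAMPLE to a temporary file and rewind it. */
static FILE *open_sample(size_t nbytes)
{
    FILE *fh = tmpfile();
    if (fh == NULL || fwrite(SAMPLE, 1, nbytes, fh) != nbytes)
        return NULL;
    rewind(fh);
    return fh;
}

/* First pass over the whole dump (what TShark, or Wireshark's initial load,
 * does), then re-read each record by offset in reverse order and compare it
 * with the bytes written. Returns the record count, or a negative value. */
int demo_roundtrip(void)
{
    static const long   want_off[3] = { 0, 11, 19 };
    static const size_t want_len[3] = { 11, 8, 13 };
    wth_t *wth = calloc(1, sizeof *wth);
    uint8_t *pd = malloc(MAX_REC);
    long offs[8]; size_t lens[8];
    int n = 0, rc, ok;
    if (wth == NULL || pd == NULL || (wth->fh = open_sample(sizeof SAMPLE)) == NULL)
        return -1;
    while ((rc = my_read(wth)) == 1 && n < 8) {
        offs[n] = wth->data_offset;
        lens[n] = wth->frame_len;
        n++;
    }
    ok = (rc == 0 && n == 3);           /* clean EOF after exactly three records */
    for (int i = n - 1; ok && i >= 0; i--)
        ok = offs[i] == want_off[i] && lens[i] == want_len[i] &&
             my_seek_read(wth, offs[i], pd, lens[i]) == 1 &&
             memcmp(pd, SAMPLE + offs[i], lens[i]) == 0;
    fclose(wth->fh); free(pd); free(wth);
    return ok ? n : -2;
}

/* The same dump cut off after 25 bytes: the third record's fixed header is
 * there but its payload is not, so the third read must fail rather than
 * return a short frame. Returns that read's result. */
int demo_truncated(void)
{
    wth_t *wth = calloc(1, sizeof *wth);
    int rc = -99;
    if (wth == NULL || (wth->fh = open_sample(25)) == NULL)
        return -99;
    if (my_read(wth) == 1 && my_read(wth) == 1)
        rc = my_read(wth);
    fclose(wth->fh); free(wth);
    return rc;
}
```

Build with `cc -std=c99` and call demo_roundtrip() (returns 3) and demo_truncated() (returns -1) from a small main. The real wiretap routines carry extra arguments (error pointers, the pseudo-header) and go through wiretap's own file wrappers, so take this as the shape of the logic rather than drop-in code: the first pass decides the offset and length, the seek routine trusts them, and a record that cannot be read whole is an error, not a shorter packet.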