Wireshark-dev: Re: [Wireshark-dev] Adding a dissector for "Analyze->Decode As" only

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 16 Feb 2007 16:03:41 -0800

On Feb 16, 2007, at 3:28 PM, Ravi Kondamuru wrote:

> I am trying to write a dissector for a non-standard rpc protocol.
> Writing a heuristic to automatically identify the protocol is getting too complicated. So, I was wondering if I could add a dissector that can be used when I select a connection and explicitly say Decode As.

> Is it possible to do that?

If your protocol runs directly on top of UDP or TCP, yes. (If it runs on top of some other RPC protocol - i.e., if by "rpc protocol" you mean a protocol that is implemented using some RPC mechanism such as ONC RPC or DCE RPC - then, no, you can't, and you *shouldn't*; there's already a mechanism for registering dissectors for ONC RPC-based and DCE RPC-based protocols.)

> If it is, any pointers to notes on how it can be done?

If your protocol runs on top of UDP, so that you'd want to use "Decode As" to indicate that a particular UDP port should be used for your protocol, then call

	dissector_add_handle("udp.port", {the handle for your dissector});

If your protocol runs on top of TCP, so that you'd want to use "Decode As" to indicate that a particular TCP port should be used for your protocol, then call

	dissector_add_handle("tcp.port", {the handle for your dissector});