Wireshark-dev: Re: [Wireshark-dev] protocol question

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 28 Apr 2007 15:57:50 -0700
f27jx652 wrote:
Do you provide guidelines for development of in-house (private) protocols/capture filters for use with Ethereal/Wireshark?

The term "capture filter" refers to the filters used when capturing traffic. Those filters are implemented in libpcap/WinPcap, not in Wireshark; if you wanted to add additional capabilities to them, you would have to modify libpcap.

In addition, note that they are implemented using an interpreter for a simple pseudo-machine-language, so that a filter "program" can be safely added into the kernel (filtering is done in the kernel on a number of platforms, so packets that don't match the filter aren't copied to user space, saving CPU time). Therefore, there are only a limited number of things that can be tested in a capture filter.

Where can I add SMS, Wap Push & SMS protocol capturing abilities?

If the traffic in question is going over a link-layer type on which Wireshark can already capture, there are no capabilities that need to be added.

If it's going over a link-layer type on which Wireshark can't capture, that would, again, require changes to libpcap/WinPcap, as packet capturing in Wireshark is done in libpcap/WinPcap.

Note, however, that packet *capturing* and packet *dissection* are completely decoupled. Wireshark can dissect packets that it can't capture (because it can read them from capture files from other analyzers that can capture traffic on link-layer types on which libpcap/WinPcap can't capture), and it can capture traffic that it can't completely dissect (because it doesn't have dissectors for all the protocol layers in the packet).

Are you trying to add the ability to *capture* that traffic, or *dissect* it? I think our WAP dissector can already dissect push traffic; we might have dissectors for at least some protocols used for SMS.
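The "simple pseudo-machine-language" Guy refers to above is classic BPF. As an added illustration (example code written for this page, not code from Wireshark, libpcap or the kernel), the block below is a minimal classic-BPF interpreter in C together with the kind of static check a kernel performs before accepting a program: only known opcodes, all jumps forward and in range, and a terminating RET. The filter program is hand-assembled for "udp port 2948" over IPv4 on Ethernet (the port number and the sample frames are constructed for the example), and the packet builder sets only the header fields the filter inspects.

```c
/* Minimal classic-BPF interpreter (example code, not libpcap's own). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Opcode encodings (class | size | mode) as in classic BPF. */
#define OP_LDH_ABS  0x28  /* A = 16-bit value at [k]        */
#define OP_LDB_ABS  0x30  /* A = byte at [k]                */
#define OP_LDH_IND  0x48  /* A = 16-bit value at [X + k]    */
#define OP_LDXB_MSH 0xb1  /* X = 4 * (byte at [k] & 0x0f)   */
#define OP_JEQ_K    0x15  /* pc += (A == k) ? jt : jf       */
#define OP_JSET_K   0x45  /* pc += (A & k)  ? jt : jf       */
#define OP_RET_K    0x06  /* return k (bytes to keep)       */

struct bpf_insn {
    uint16_t code;
    uint8_t  jt, jf;   /* unsigned offsets relative to pc + 1: backward jumps cannot be encoded */
    uint32_t k;
};

/* Static check before a program is installed: known opcodes only,
 * every jump target inside the program, last instruction is RET.
 * Forward-only jumps guarantee every run terminates within n steps. */
static int bpf_validate(const struct bpf_insn *p, size_t n)
{
    if (n == 0 || n > 4096 || p[n - 1].code != OP_RET_K)
        return 0;
    for (size_t i = 0; i < n; i++) {
        switch (p[i].code) {
        case OP_JEQ_K: case OP_JSET_K:
            if (i + 1 + p[i].jt >= n || i + 1 + p[i].jf >= n)
                return 0;
            break;
        case OP_LDH_ABS: case OP_LDB_ABS: case OP_LDH_IND:
        case OP_LDXB_MSH: case OP_RET_K:
            break;
        default:
            return 0;
        }
    }
    return 1;
}

/* Run a validated program over one packet. Any load past the end of
 * the packet rejects it (returns 0), as the in-kernel filter does. */
static uint32_t bpf_run(const struct bpf_insn *p, size_t n,
                        const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct bpf_insn *in = &p[pc];
        uint32_t k = in->k;
        switch (in->code) {
        case OP_LDH_ABS:  if (k + 2 > len) return 0;
                          A = (uint32_t)pkt[k] << 8 | pkt[k + 1]; break;
        case OP_LDB_ABS:  if (k + 1 > len) return 0;
                          A = pkt[k]; break;
        case OP_LDH_IND:  if (X + k + 2 > len) return 0;
                          A = (uint32_t)pkt[X + k] << 8 | pkt[X + k + 1]; break;
        case OP_LDXB_MSH: if (k + 1 > len) return 0;
                          X = 4u * (pkt[k] & 0x0f); break;
        case OP_JEQ_K:    pc += (A == k) ? in->jt : in->jf; break;
        case OP_JSET_K:   pc += (A & k)  ? in->jt : in->jf; break;
        case OP_RET_K:    return k;
        default:          return 0;
        }
    }
    return 0;
}

#define PORT 2948u  /* example port, chosen for this illustration */
/* Hand-assembled "udp port PORT" for Ethernet/IPv4; comments give absolute targets. */
static const struct bpf_insn udp_port_prog[] = {
    { OP_LDH_ABS,  0,  0, 12     },  /*  0: A = EtherType                  */
    { OP_JEQ_K,    0, 10, 0x0800 },  /*  1: IPv4 -> 2, else -> 12          */
    { OP_LDB_ABS,  0,  0, 23     },  /*  2: A = IP protocol                */
    { OP_JEQ_K,    0,  8, 0x11   },  /*  3: UDP -> 4, else -> 12           */
    { OP_LDH_ABS,  0,  0, 20     },  /*  4: A = flags + fragment offset    */
    { OP_JSET_K,   6,  0, 0x1fff },  /*  5: non-first fragment -> 12       */
    { OP_LDXB_MSH, 0,  0, 14     },  /*  6: X = IHL * 4                    */
    { OP_LDH_IND,  0,  0, 14     },  /*  7: A = UDP source port            */
    { OP_JEQ_K,    2,  0, PORT   },  /*  8: match -> 11, else -> 9         */
    { OP_LDH_IND,  0,  0, 16     },  /*  9: A = UDP destination port       */
    { OP_JEQ_K,    0,  1, PORT   },  /* 10: match -> 11, else -> 12        */
    { OP_RET_K,    0,  0, 262144 },  /* 11: accept                         */
    { OP_RET_K,    0,  0, 0      },  /* 12: reject                         */
};
#define NINSN (sizeof udp_port_prog / sizeof udp_port_prog[0])

/* Constructed Ethernet/IPv4 frame: only the fields the filter reads are set. */
static size_t build_frame(uint8_t *buf, uint8_t proto, uint16_t sport, uint16_t dport)
{
    memset(buf, 0, 64);
    buf[12] = 0x08; buf[13] = 0x00;              /* EtherType IPv4     */
    buf[14] = 0x45;                              /* version 4, IHL = 5 */
    buf[23] = proto;                             /* L4 protocol        */
    buf[34] = sport >> 8; buf[35] = sport & 0xff;
    buf[36] = dport >> 8; buf[37] = dport & 0xff;
    return 64;
}

static int matches_udp_port(const uint8_t *pkt, size_t len)
{
    return bpf_run(udp_port_prog, NINSN, pkt, len) != 0;
}
/* Scenarios: a UDP datagram to PORT, a TCP segment to PORT, a frame truncated
 * before the UDP ports, and a program whose jump runs past its end. */
static int demo_udp_to_port(void) { uint8_t f[64]; size_t n = build_frame(f, 17, 40000, PORT); return matches_udp_port(f, n); }
static int demo_tcp_to_port(void) { uint8_t f[64]; size_t n = build_frame(f, 6, 40000, PORT);  return matches_udp_port(f, n); }
static int demo_truncated(void)   { uint8_t f[64]; build_frame(f, 17, PORT, 1); return matches_udp_port(f, 30); }
static int demo_bad_program_rejected(void)
{
    struct bpf_insn bad[2] = { { OP_JEQ_K, 0, 200, 0 }, { OP_RET_K, 0, 0, 1 } };
    return !bpf_validate(bad, 2);   /* jf = 200 points outside the program */
}

int main(void)
{
    printf("program valid: %d\n", bpf_validate(udp_port_prog, NINSN));
    printf("udp->PORT %d, tcp->PORT %d, truncated %d, bad program rejected %d\n",
           demo_udp_to_port(), demo_tcp_to_port(), demo_truncated(), demo_bad_program_rejected());
    return 0;
}
```

The two properties that let such a program run inside the kernel are visible here: the validator refuses anything that could loop or jump out of the program, and every load is bounds-checked against the captured length, so a malformed or truncated packet simply fails the filter rather than reading outside the buffer. The same restrictions are why a capture filter can only test fixed offsets and simple arithmetic on packet bytes, whereas Wireshark's dissectors, which run in user space, can do arbitrary parsing.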