Kevin Jones wrote:
> Is "dissector_add("ethertype", ETHERTYPE_ARP, arp_handle);" how you
> register a dissector with a lower layer protocol?
Yes, that's how you'd register a dissector that has an Ethernet type;
you'd replace "ETHERTYPE_ARP" with your Ethernet type, and replace
"arp_handle" with a dissector handle for your dissector. You could just do
my_handle = create_dissector_handle(my_protocol, my_dissector_function);
and then pass "my_handle" to dissector_add() (you don't need to register
your dissector with a name).
> Also what are static hf_register_info hf[] = {...} and
> proto_register_field_array(proto_arp, hf, array_length(hf)); for? Does
> registering the info array give wireshark hints to help it find the
> appropriate dissector to call?
No, they have absolutely nothing to do with dissector handoffs.
> Or does it just setup memory space to use
> after the dissector gets called and while it's dissecting?
Yes. In particular, the memory it sets up includes values for "named
fields". If, for example, your dissector has a packet type field, you
could have a "my.type" field, and use proto_tree_add_uint() or
proto_tree_add_item() to put it into the protocol tree. You could then
do, for example "my.type == 5" to have a display filter to find packets
with a particular packet type.
See doc/README.developer for a detailed discussion of named fields and
of putting packet data into the protocol tree.
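As an added illustration (not part of the thread above, and not Wireshark project code), here is the same three-part structure written against Wireshark's Lua dissector API, which mirrors the C calls discussed: a field array, a dissector function, and an ethertype handoff. The protocol name "my", the field "my.type" and the ethertype 0x88B5 (the IEEE local-experimental value) are placeholders chosen for the example.

```lua
-- Added example: Lua-API counterpart of the C registration calls in the thread.
-- Protocol "my", field "my.type" and ethertype 0x88B5 are made-up placeholders.
local my_proto = Proto("my", "My Example Protocol")

-- Named fields: the counterpart of the hf_register_info hf[] array passed to
-- proto_register_field_array(). Registering "my.type" is what makes the
-- display filter  my.type == 5  work; it plays no part in the handoff.
local f_type   = ProtoField.uint8("my.type",    "Packet type",    base.DEC)
local f_length = ProtoField.uint16("my.length", "Payload length", base.DEC)
my_proto.fields = { f_type, f_length }

-- Dissector body: the counterpart of the function handed to
-- create_dissector_handle(). It runs only after the ethertype table has
-- handed the frame to us; it does not decide whether we get called.
function my_proto.dissector(tvb, pinfo, tree)
    -- Refuse frames too short to hold the fixed header, instead of reading
    -- past the end of the buffer.
    if tvb:len() < 3 then return 0 end
    pinfo.cols.protocol = "MY"

    local subtree = tree:add(my_proto, tvb(0, 3))
    subtree:add(f_type,   tvb(0, 1))   -- proto_tree_add_item() equivalent
    subtree:add(f_length, tvb(1, 2))

    -- Flag a length field that claims more payload than the frame carries,
    -- so a malformed packet is marked rather than silently trusted.
    local claimed = tvb(1, 2):uint()
    if claimed > tvb:len() - 3 then
        subtree:add_expert_info(PI_MALFORMED, PI_ERROR,
            "length field exceeds remaining frame")
    end
    return tvb:len()
end

-- Handoff: the counterpart of
--   dissector_add("ethertype", ETHERTYPE_MY, my_handle);
-- (current Wireshark releases name the C call dissector_add_uint).
DissectorTable.get("ethertype"):add(0x88B5, my_proto)
```

Drop the file into the personal plugins directory (Help > About Wireshark > Folders) and any Ethernet frame with type 0x88B5 is handed to it; "my.type == 5" then filters on the registered field.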