Wireshark-dev: Re: [Wireshark-dev] How to get my dissector called

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 21 May 2007 11:37:25 -0700
Kevin Jones wrote:

Is "dissector_add("ethertype", ETHERTYPE_ARP, arp_handle);" how you register a dissector with a lower layer protocol?

Yes, that's how you'd register a dissector that has an Ethernet type; you'd replace "ETHERTYPE_ARP" with your Ethernet type, and replace "arp_handle" with a dissector handle for your dissector. You could just do

	my_handle = create_dissector_handle(my_protocol, my_dissector_function);

and then pass "my_handle" to dissector_add() (you don't need to register your dissector with a name).

Also what are static hf_register_info hf[] = {...} and proto_register_field_array(proto_arp, hf, array_length(hf)); for? Does registering the info array give Wireshark hints to help it find the appropriate dissector to call?

No, they have absolutely nothing to do with dissector handoffs.

Or does it just set up memory space to use after the dissector gets called and while it's dissecting?

Yes. In particular, the memory it sets up includes values for "named fields". If, for example, your dissector has a packet type field, you could have a "my.type" field, and use proto_tree_add_uint() or proto_tree_add_item() to put it into the protocol tree. You could then use, for example, "my.type == 5" as a display filter to find packets with a particular packet type.

See doc/README.developer for a detailed discussion of named fields and of putting packet data into the protocol tree.
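The same two steps discussed in this thread (registering named fields, then adding a handle to the "ethertype" dissector table) in Wireshark's Lua dissector API, as an added example that is not from the thread or from the Wireshark sources. The protocol layout (1-byte type, 2-byte length) and the Ethertype 0x88B5 (the IEEE local-experimental value, standing in for "your Ethernet type") are assumptions for illustration; the length check is there so a truncated or malformed frame is flagged instead of silently dissected.

```lua
-- Added example (not from the mailing-list thread): a minimal Lua
-- dissector that mirrors the C registration steps discussed above.
-- Assumed protocol layout: [type:1][len:2][payload...]

-- Proto() plays the role of proto_register_protocol() + create_dissector_handle()
local my_proto = Proto("myproto", "My Example Protocol")

-- ProtoField entries are the Lua equivalent of the hf_register_info hf[] array:
-- they define the named fields ("my.type", "my.len") usable in display filters.
local f_type = ProtoField.uint8 ("my.type", "Packet Type",    base.DEC)
local f_len  = ProtoField.uint16("my.len",  "Payload Length", base.DEC)

-- Equivalent of proto_register_field_array(): hand the fields to the protocol.
my_proto.fields = { f_type, f_len }

local HEADER_LEN = 3  -- assumed header size: 1 byte type + 2 bytes length

-- The dissector function itself; it runs only once the Ethertype handoff matches.
function my_proto.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "MYPROTO"
    local subtree = tree:add(my_proto, tvb(), "My Example Protocol")

    -- Defensive check: never trust on-the-wire lengths. Flag short frames
    -- as malformed rather than reading past the end of the buffer.
    if tvb:len() < HEADER_LEN then
        subtree:add_expert_info(PI_MALFORMED, PI_ERROR,
            "Frame shorter than the " .. HEADER_LEN .. "-byte header")
        return
    end

    -- proto_tree_add_item() equivalents: these populate the named fields,
    -- so a display filter such as  my.type == 5  now works.
    subtree:add(f_type, tvb(0, 1))
    subtree:add(f_len,  tvb(1, 2))

    -- Cross-check the declared payload length against what was captured.
    local declared = tvb(1, 2):uint()
    local actual   = tvb:len() - HEADER_LEN
    if declared > actual then
        subtree:add_expert_info(PI_MALFORMED, PI_WARN,
            string.format("Declared payload %d bytes, only %d captured",
                          declared, actual))
    end
end

-- Equivalent of dissector_add("ethertype", <your ethertype>, my_handle):
-- 0x88B5 is an assumed placeholder; use the Ethertype your protocol actually owns.
DissectorTable.get("ethertype"):add(0x88B5, my_proto)
```

Drop the file into Wireshark's plugins directory (or load it with `-X lua_script:`) and frames carrying that Ethertype will be handed to `my_proto.dissector`, with `my.type` and `my.len` available as filter fields.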