Wireshark-dev: Re: [Wireshark-dev] how do I create a dissector that doesn't set the Protocol co

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 13 Jul 2007 10:41:49 -0700
Fulko.Hew@xxxxxxxxx wrote:

One of the issues is that there are existing well known protocols
embedded in my captured packets that I want to hand off to pre-existing
dissectors (for example 'frame relay') so I'm capturing the flow and
handing it off in dissect_mytype() using the fragment:

if (pinfo->fd->lnk_t == WTAP_ENCAP_MYTYPE) {
  call_dissector(frame_relay_handle, tvb, pinfo, tree);
}

If dissect_mytype() contains that code, then presumably it's called even for packets that don't have an encapsulation type of WTAP_ENCAP_MYTYPE. Is that the case? For example, do you have WTAP_ENCAP_MYTYPE_FRAME_RELAY and WTAP_ENCAP_MYTYPE_OTHER_LINKTYPE_1 and so on, for various link-layer types?

1/ The Protocol field in the packet list window pane now labels the
   packets as 'mytype'.  I'd rather see the protocol as 'Frame Relay',
   or (more generically) 'whatever the next dissector determines it to be'.

2/ The packet 'decode' pane shows:
   > Frame 1 (14 bytes on wire, 14 bytes captured)
   > Frame Relay
   > Q.933
   > MYTYPE

   As if 'MYTYPE' was embedded within the frame relay, whereas in
   reality, it's the other way around.  It shouldn't have that 4th
   level of decode.

Can anybody tell me what I'm doing wrong,

You're probably doing the call_dissector() before doing anything else, such as setting the column and putting your information into the protocol tree.

You should be setting the column, and putting the MYTYPE information into the protocol tree, *before* calling the subdissector with call_dissector().
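
A small model of why the ordering matters, added here as an illustration; it is not code from this message or from Wireshark. The struct and helper names are hypothetical stand-ins, not the epan API, and they assume only two things: the Protocol column keeps whatever was written last, and tree items appear in the order they were added.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ITEMS 8

/* Hypothetical stand-in for packet_info plus the protocol tree (not epan types). */
typedef struct {
    const char *protocol_col;      /* models the Protocol column: last writer wins */
    const char *items[MAX_ITEMS];  /* models top-level tree items, in call order */
    int n_items;
} model_pinfo;

static void set_protocol_col(model_pinfo *p, const char *name) { p->protocol_col = name; }

static void tree_add(model_pinfo *p, const char *name) {
    if (p->n_items < MAX_ITEMS) p->items[p->n_items++] = name;
}

/* Stand-in for the pre-existing frame relay dissector (constructed labels). */
static void dissect_fr_model(model_pinfo *p) {
    set_protocol_col(p, "Frame Relay");
    tree_add(p, "Frame Relay");
    tree_add(p, "Q.933");
}

/* Subdissector called first, own column and tree work done afterwards. */
static void dissect_mytype_late(model_pinfo *p) {
    dissect_fr_model(p);
    set_protocol_col(p, "MYTYPE");   /* overwrites the subdissector's label */
    tree_add(p, "MYTYPE");           /* lands below Frame Relay and Q.933 */
}

/* Ordering recommended in the reply: own column and tree first, then hand off. */
static void dissect_mytype_early(model_pinfo *p) {
    set_protocol_col(p, "MYTYPE");
    tree_add(p, "MYTYPE");
    dissect_fr_model(p);             /* subdissector gets the final say on the column */
}

/* Runs one dissector variant on a fresh model packet that already has its frame item. */
static model_pinfo run_model(void (*dissect)(model_pinfo *)) {
    model_pinfo p = {0};
    tree_add(&p, "Frame 1");
    dissect(&p);
    return p;
}

int main(void) {
    model_pinfo late = run_model(dissect_mytype_late);
    model_pinfo early = run_model(dissect_mytype_early);
    printf("late:  column=%s, last item=%s\n", late.protocol_col, late.items[late.n_items - 1]);
    printf("early: column=%s, last item=%s\n", early.protocol_col, early.items[early.n_items - 1]);
    return 0;
}
```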