Wireshark-dev: Re: [Wireshark-dev] Fw: modifying the eth-dissector

From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Date: Thu, 17 Apr 2008 23:52:45 -0400
I have not used either find_dissector_table() or dissector_try_port() myself, but it seems like this would be the way to do it, and since it's working for you, I guess I'd stick with that.
 
- Chris 


From: valentin.ecker@xxxxxxxxxx
Sent: Thu 4/17/2008 7:42 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Fw: modifying the eth-dissector


hmm....i think i just found it out myself:

i use

dissector_try_port(ethertype_dissector_table,...) with giving tvb minus MY_HEADER.

with

ethertype_dissector_tabel = find_dissector_table("ethertype");

...is this a recommended solution? (as i saw packet-symantec does it quite similar)

Thanks anyway! (your doing a really great job!!)

Valentin




valentin.ecker@xxxxxxxxxx
Sent by: wireshark-dev-bounces@xxxxxxxxxxxxx

17.04.2008 13:16
Please respond to
Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>

To
Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
cc
Subject
Re: [Wireshark-dev] Fw: modifying the eth-dissector






Thanks for the help...it works perfectly!


But due to a change in the requerments, i have a different problem now. Im sure you have an idea for it in just a second! :)


How can i hand over my buffer to the layer3 level without a restriction on a certain protocol?

I want to do something like: Dissect Layer2, and handoff to packet-ethertype. (I can give the guarantee that my frame is a Ethernet2 frame).

In packet-eth you simply call ethertype(...). If i want to call this routine, i get undefined references from the linker (do i have to additionally link antoher lib maybe?). Unfortunately im quite new to this lib and dll-thing.


BTW its a plugin im developing on ;)


Thanks a lot,

Valentin



"Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Sent by: wireshark-dev-bounces@xxxxxxxxxxxxx

31.03.2008 20:31
Please respond to
Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>

To
Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
cc
Subject
Re: [Wireshark-dev] Fw: modifying the eth-dissector







I think something like the following should work for you:

 

static dissector_handle_t ip_handle;

 

static gboolean dissect_afdx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)

{

   ...

   if ( this_is_really_ip )

   {

       next_tvb = tvb_new_subset(tvb, offset_to_ip, -1, -1);

       call_dissector(ip_handle, next_tvb, pinfo, afdx_tree);

   }

   ...

}

 
 

void proto_reg_handoff_afdx(void)

{

   ...

   ip_handle = find_dissector("ip");

}

 

- Chris



From: valentin.ecker@xxxxxxxxxx
Sent:
Mon 3/31/2008 9:08 AM
To:
wireshark-dev@xxxxxxxxxxxxx
Subject:
[Wireshark-dev] Fw: modifying the eth-dissector



Hi there again!


I implemented my dissection for AFDX now with a heuristic_dissector (btw. is there a documentation that explaines the differences between heuristic registration and "normal"? ).

Now i want to give the payload of the LLC Layer (=left data) to the IP-dissector by calling capture_ip() (i assume). Problem is now that i have to supply the packet_count and the pd-pointer to capture_ip.

How can i get this value/pointer? (out of tvbuf? ) Or is there a better way?


Again, thanks a lot for your help!


Valentin




----- Forwarded by Valentin Ecker/TTTech on 31.03.2008 15:06 -----
Valentin Ecker/TTTech

25.03.2008 13:52


To
wireshark-dev@xxxxxxxxxxxxx
cc
Subject
modifying the eth-dissector








Hi all,


I would like to write a new dissector for wireshark...but im stuck at some points:


My protocol is based on the ARINC AFDX standard which is (more or less) based on Ethernet II frames at layer 2. The difference to this frame type is the MAC-Dest/Source-Address, where a certain address space is defined in advance to recognize the AFDX frames. This ensures that any COTS ethernet controller can ignore such type of frames, but special devices (such as switches and controllers) recognize them. Anyway...i think any other protocol details would go to far....


My Problem is the following now:

I have to inspect the MAC addresses and - if a special address is given - foreward them to my own dissector which dissects further layers. The most obvious thing for me would be to modify the "packet-eth" and branch off there for the next layers (as it is already done with the Cisco ISL frames).

What do you think?


Unfortunately i would prefer a plugin dll instead of compiling the whole source. I think i would have to exchange the whole eth-dissector with my own one residing in the plugin directory...would that be possible, or is there a better solution?


Another problem is, that the address space is defined by a configuration file (an XML File), and must be read at least at every startup of wireshark. Where do you think would be a nice place in the wireshark directory for such a file to be read? I was thinking of: "Read file if there is one, otherwise handle AFDX Frames like Ethernet 2 ones".


Thanks a lot for your help!

Valentin
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev

_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev