Wireshark-dev: Re: [Wireshark-dev] Start Dissection from an upper layer?
From: Eloy Paris <peloy@xxxxxxxxxx>
Date: Tue, 10 Jun 2008 13:15:32 -0400
On Tue, Jun 10, 2008 at 04:21:52PM +0200, Guillaume Bienkowski wrote:
> Argh, I just poorly explained myself: I was just confused with Ethernet
> and IP.
>
> So I confirm, I get only "data" from the 3rd layer (IP).
> Actually, it will always be IP datagrams, so I don't have to bother with
> IPX or other fancy 3rd layer protocols.
>
> What I'd like to do now is to start the dissection from the 3rd layer, so
> that I only have one modification to do (the "ip" dissector).
You need to use the DLT_RAW encapsulation type. Read pcap(3) to see what
DLT_RAW is.
I don't see why you'd have to modify any dissectors or anything in the
wireshark source code for this task.
Give something like this a try (this code snippet assumes all the
libwireshark initializations have been done already):
----------------------------------------------------------------------
/* Headers assumed for the 1.0-era libwireshark API this snippet uses. */
#include <string.h>
#include <sys/time.h>
#include <pcap.h>                  /* DLT_RAW */
#include <epan/epan.h>
#include <epan/epan_dissect.h>
#include <epan/frame_data.h>
#include <epan/nstime.h>
#include <wiretap/wtap.h>          /* wtap_pcap_encap_to_wtap_encap() */

/* Describe one packet captured "now" with the given libpcap link-layer
 * type; DLT_RAW means the packet data starts at the IP header. */
static void
fill_in_framedata(frame_data *fdata, size_t len, int ll_type)
{
    struct timeval ts;

    gettimeofday(&ts, NULL);

    fdata->next = NULL;
    fdata->prev = NULL;
    fdata->pfd = NULL;
    fdata->num = 0;
    fdata->pkt_len = len;
    fdata->cum_bytes = 0;
    fdata->cap_len = len;
    fdata->file_off = 0;
    fdata->lnk_t = wtap_pcap_encap_to_wtap_encap(ll_type);
    fdata->abs_ts.secs = ts.tv_sec;
    fdata->abs_ts.nsecs = ts.tv_usec * 1000;
    fdata->flags.passed_dfilter = 0;
    fdata->flags.encoding = CHAR_ASCII;
    fdata->flags.visited = 0;
    fdata->flags.marked = 0;
    fdata->flags.ref_time = 0;
    fdata->color_filter = NULL;
    nstime_set_unset(&fdata->rel_ts);
    nstime_set_unset(&fdata->del_cap_ts);
    nstime_set_unset(&fdata->del_dis_ts);
}

/* Free up all data attached to a "frame_data" structure. */
static void
clear_fdata(frame_data *fdata)
{
    if (fdata->pfd)
        g_slist_free(fdata->pfd);
}

/* Dissects an IP packet with no layer 2 information. */
epan_dissect_t *
pkt_dissect(const guint8 *pkt, size_t len)
{
    epan_dissect_t *edt;
    frame_data fdata;
    union wtap_pseudo_header pseudo_header;

    memset(&pseudo_header, 0, sizeof(pseudo_header));
    fill_in_framedata(&fdata, len, DLT_RAW);

    edt = epan_dissect_new(1 /* create_proto_tree */,
                           1 /* proto_tree_visible */);
    epan_dissect_run(edt, &pseudo_header, pkt, &fdata, NULL);

    clear_fdata(&fdata);
    return edt;
}

int
main(void)
{
    epan_dissect_t *edt;
    const guint8 *pkt;
    size_t len;

    /* Initialize libwireshark */
    ...

    /* Get a packet */
    pkt = pkt_read(..., &len);

    /* Dissect packet. Only IP packets without L2 information.
       pkt points to the IP header. len is the length of the
       packet (size of IP header + size of payload.) */
    edt = pkt_dissect(pkt, len);
    handle_dissection_results(edt);
    epan_dissect_free(edt);

    return 0;
}
----------------------------------------------------------------------
Let us know how it goes.
Cheers,
Eloy Paris.-
netexpect.org
>
> What I don't understand is how to make the IP protocol register itself
> as a "1st layer" protocol (meaning: the dissection should start by
> seeking IP headers).
>
> The packet-ip.c has this:
>
> void
> proto_reg_handoff_ip(void)
> {
>     dissector_handle_t ip_handle;
>
>     data_handle = find_dissector("data");
>     ip_handle = find_dissector("ip");
>     tapa_handle = find_dissector("tapa");
>     dissector_add("ethertype", ETHERTYPE_IP, ip_handle);
>     dissector_add("ppp.protocol", PPP_IP, ip_handle);
>     dissector_add("ppp.protocol", ETHERTYPE_IP, ip_handle);
>     dissector_add("gre.proto", ETHERTYPE_IP, ip_handle);
>     dissector_add("gre.proto", GRE_WCCP, ip_handle);
>     dissector_add("llc.dsap", SAP_IP, ip_handle);
>     dissector_add("ip.proto", IP_PROTO_IPIP, ip_handle);
>     dissector_add("null.type", BSD_AF_INET, ip_handle);
>     dissector_add("chdlctype", ETHERTYPE_IP, ip_handle);
>     dissector_add("osinl.excl", NLPID_IP, ip_handle);
>     dissector_add("fr.ietf", NLPID_IP, ip_handle);
>     dissector_add("x.25.spi", NLPID_IP, ip_handle);
>     dissector_add("arcnet.protocol_id", ARCNET_PROTO_IP_1051, ip_handle);
>     dissector_add("arcnet.protocol_id", ARCNET_PROTO_IP_1201, ip_handle);
>     dissector_add_handle("udp.port", ip_handle);
> }
>
> What should I change in there?
>
> Gilbert Ramirez wrote:
> >
> > On Tue, Jun 10, 2008 at 7:27 PM, Guillaume Bienkowski
> > <guillaume.bienkowski@xxxxxxxxxxxx> wrote:
> >
> > >
> > > What I know is that my packet data will always contain ONLY the 2nd
> > > layer data (Ethernet) and the encapsulated data (TCP, UDP, ...).
> > >
> >
> > I think I misunderstood you. I thought your packets started at IP or
> > IPX. Is that not the case?
> >
> > --gilbert
> > _______________________________________________
> > Wireshark-dev mailing list
> > Wireshark-dev@xxxxxxxxxxxxx
> > https://wireshark.org/mailman/listinfo/wireshark-dev
> >
>
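Eloy's snippet hands raw IP datagrams to libwireshark in-process by declaring the encapsulation as DLT_RAW. The same idea works from the file side: if you write the packets to a pcap file whose link type is LINKTYPE_RAW (101), Wireshark and tshark open it and dissect each record from the IP header with no layer 2. The program below is an added example, not code from this thread or from Wireshark; it builds a constructed IPv4/UDP datagram (TEST-NET-1 addresses, correct header checksum) and writes a one-record pcap around it. The output file name, ports and payload are my own choices, and `example_hdr_no_csum` is a widely used reference header whose checksum is 0xb861, kept here as a check on the checksum routine.

```c
/* Added example (not from the thread or from Wireshark): write a pcap file
 * with link type LINKTYPE_RAW so every record starts at the IP header. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* pcap-file value for DLT_RAW. The in-memory DLT_RAW constant varies by
 * platform (12 on most, 14 on OpenBSD); the on-disk value is always 101. */
#define LINKTYPE_RAW 101u

/* RFC 1071 one's-complement checksum as used for the IPv4 header. */
static uint16_t ipv4_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    if (len & 1)                          /* odd trailing byte, zero padded */
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)                     /* fold carries back into 16 bits */
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Reference header with its checksum field zeroed; correct value is 0xb861. */
static const uint8_t example_hdr_no_csum[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
    0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7
};

static void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v) { put_le16(p, (uint16_t)v); put_le16(p + 2, (uint16_t)(v >> 16)); }

/* Constructed IPv4/UDP datagram with no link layer (TEST-NET-1 addresses).
 * Returns its length, or 0 if it does not fit in buf. */
static size_t build_ipv4_udp(uint8_t *buf, size_t cap, const uint8_t *payload, size_t plen)
{
    static const uint8_t src[4] = {192, 0, 2, 1}, dst[4] = {192, 0, 2, 2};
    size_t total = 20 + 8 + plen;
    if (total > cap || total > 0xffffu) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                           /* version 4, IHL 5 */
    put_be16(buf + 2, (uint16_t)total);      /* total length */
    buf[8] = 64;                             /* TTL */
    buf[9] = 17;                             /* protocol: UDP */
    memcpy(buf + 12, src, 4); memcpy(buf + 16, dst, 4);
    put_be16(buf + 10, ipv4_checksum(buf, 20));  /* header checksum */
    put_be16(buf + 20, 40000);               /* UDP source port */
    put_be16(buf + 22, 9);                   /* UDP destination port (discard) */
    put_be16(buf + 24, (uint16_t)(8 + plen)); /* UDP length; UDP checksum 0 = none */
    memcpy(buf + 28, payload, plen);
    return total;
}

/* One-record pcap image: 24-byte global header, 16-byte record header, then
 * the datagram. Returns the image size, or 0 if out is too small. */
static size_t build_pcap_image(uint8_t *out, size_t cap, const uint8_t *pkt, size_t len, uint32_t ts_sec)
{
    size_t n = 24 + 16 + len;
    if (n > cap) return 0;
    put_le32(out + 0, 0xa1b2c3d4u);        /* magic: little-endian, microseconds */
    put_le16(out + 4, 2); put_le16(out + 6, 4);      /* version 2.4 */
    put_le32(out + 8, 0); put_le32(out + 12, 0);     /* thiszone, sigfigs */
    put_le32(out + 16, 65535u);            /* snaplen */
    put_le32(out + 20, LINKTYPE_RAW);      /* this is what makes dissection start at IP */
    put_le32(out + 24, ts_sec);
    put_le32(out + 28, 0);                 /* ts_usec */
    put_le32(out + 32, (uint32_t)len);     /* incl_len */
    put_le32(out + 36, (uint32_t)len);     /* orig_len */
    memcpy(out + 40, pkt, len);
    return n;
}

/* The whole example capture lives here so main() and the checks share it. */
static uint8_t g_image[256];

/* Build the constructed datagram into g_image as a LINKTYPE_RAW capture;
 * returns the image size (87 for the 19-byte payload) or 0 on failure. */
static size_t build_example_capture(void)
{
    static const uint8_t payload[] = "constructed payload";   /* 19 bytes */
    uint8_t pkt[128];
    size_t len = build_ipv4_udp(pkt, sizeof pkt, payload, sizeof payload - 1);
    if (len == 0 || ipv4_checksum(pkt, 20) != 0)   /* header must verify to 0 */
        return 0;
    return build_pcap_image(g_image, sizeof g_image, pkt, len, 0);
}

int main(void)
{
    size_t n = build_example_capture();
    FILE *f = fopen("raw_ip_example.pcap", "wb");   /* output name is my choice */
    if (!n || !f || fwrite(g_image, 1, n, f) != n) {
        perror("raw_ip_example.pcap");
        return 1;
    }
    fclose(f);
    printf("wrote %zu bytes; inspect with: tshark -r raw_ip_example.pcap -V\n", n);
    return 0;
}
```

Opening the resulting file with `tshark -r raw_ip_example.pcap -V` shows the frame dissected as IP then UDP, with no Ethernet layer. The distinction between the platform-dependent DLT_RAW constant and the fixed on-disk value 101 is also why the snippet above goes through `wtap_pcap_encap_to_wtap_encap()`: Wireshark keeps its own encapsulation numbering and maps libpcap's values onto it.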