Wireshark-dev: [Wireshark-dev] calling a dissector for a specific mac address

Date Prev · Date Next · Thread Prev · Thread Next
From: Richard Kümmel <R.Kuemmel@xxxxxxxxxxxx>
Date: Tue, 1 Jul 2008 15:14:22 +0200
Title: calling a dissector for a specific mac address

Hi,
I am writing a dissector for a device of ours that adds a header before the actual ethernet header.
The header is recognized by looking at the first 6 Bytes. If the first 6 byte are 01 01 05 10 00 00
( a mulitcast address of ours, that is only used for this purpose), the frame is an esl frame.

The only way i managed to handle this is by checking the address in dissect_eth_common
and then calling the dissector directly. 

  if ( tvb_get_guint8(tvb, 0) == 0x01 &&
                        tvb_get_guint8(tvb, 1) == 0x01 &&
                        tvb_get_guint8(tvb, 2) == 0x05 &&
                        tvb_get_guint8(tvb, 3) == 0x10 &&
                        tvb_get_guint8(tvb, 4) == 0x00 &&
                        tvb_get_guint8(tvb, 5) == 0x00) {              
                /*ESL frames require special interpretation of the
    destination address field; they can be recognized by
    checking the first 6 octets of the destination address, which are
    01-00-05-10-00 for ESL frames. */

         dissect_esl(tvb, pinfo, parent_tree, fcs_len);
         return;
 }
 

In packet-eth.c  i found that a cisco device also uses this technique

 if (ehdr->type <= IEEE_802_3_MAX_LEN) {
    /* Oh, yuck.  Cisco ISL frames require special interpretation of the
       destination address field; fortunately, they can be recognized by
       checking the first 5 octets of the destination address, which are
       01-00-0C-00-00 for ISL frames. */
    if (        (tvb_get_guint8(tvb, 0) == 0x01 ||
                 tvb_get_guint8(tvb, 0) == 0x0C) &&
                tvb_get_guint8(tvb, 1) == 0x00 &&
                tvb_get_guint8(tvb, 2) == 0x0C &&
                tvb_get_guint8(tvb, 3) == 0x00 &&
                tvb_get_guint8(tvb, 4) == 0x00 ) {
      dissect_isl(tvb, pinfo, parent_tree, fcs_len);
      return;
    }
  }

Is there a different and better way to do this? If not is it ok to add code like this
to the sources of wireshark?

Thanks,
Richard Kümmel


Beckhoff Automation GmbH | Managing Director: Dipl. Phys. Hans Beckhoff, Arnold Beckhoff
Registered office: Verl, Germany | Register court: Gütersloh HRB 1803