Hi,
Thank you so much for your kind reply.
2008/12/23 Guy Harris <guy@xxxxxxxxxxxx>
On Dec 21, 2008, at 10:16 PM, Yuming fang wrote:
> I am adding a new protocol to Wireshark. When I add the new
> protocol, there are some basic questions I could not understand, as
> follows.
>
> (1) When capturing data from a netcard, how does Wireshark choose
> the protocol dissector to process the data?
Wireshark does not, itself, capture data. It runs a program that
comes with Wireshark, named dumpcap; dumpcap writes packets to a
capture file, and sends messages to Wireshark over a pipe to tell it
that new packets have been written to the file. Wireshark then reads
the packets from the file.
Dumpcap writes the file out in libpcap format, which is Wireshark's
native format. At the beginning of a libpcap-format file is a file
header that includes a link-layer type value.
Wireshark's code to read capture files maps the link-layer type values
in the file to its own set of link-layer type values; it can read many
different types of capture files, including but not limited to libpcap
format, and the different capture file types have different link-layer
type values - the Wireshark code (the Wiretap library) maps those to a
single set of type values, so the dissecting code doesn't have to know
the details about libpcap or Network Monitor or Sniffer or... link-
layer type values.
> For example, if Wireshark receives TCP data, how could it know
> that these data are TCP data and thus choose the TCP protocol dissector to
> process these data?
Well, TCP data is usually carried inside an IPv4 or IPv6 packet, which
is carried inside an Ethernet or 802.11 or PPP or... packet.
Wireshark will first look at the link-layer type value and call the
appropriate dissector for that. That dissector will determine what
the next protocol to dissect is; for example, with Ethernet, it'll
look at the Ethernet type value (for packets with a type value) and
call the appropriate dissector for that. For an Ethernet type value
of hex 0800, that will be the IPv4 dissector. The IPv4 dissector will
look at the protocol field in the IPv4 header and call the appropriate
dissector, such as the ICMP or TCP or UDP or... dissector.
> (2) I want to use Wireshark to process the LTE data (actually, mainly
> display the LTE data format in Wireshark). Now we have written some
> code. However, we do not have the LTE netcard. So I want to send the
> LTE data through a TCP socket (port 9999), so that Wireshark could
> receive the LTE data through TCP (port 9999). Now I could get
> these LTE data, but how could I let Wireshark display the LTE
> data format like a tree? How could I add the LTE code into the
> TCP (port 9999) to process the LTE data?
You would write a dissector for the LTE data, and have it register
with the "tcp.port" dissector table with the value 9999, so that it'll
be called by the TCP dissector for packets to or from port 9999.
Yeah, I registered the dissector for the LTE data with the "tcp.port" dissector table with the value 9999, and now I can get the LTE data from port 9999. Do I just add my LTE code into the corresponding functions, such as the dissect_LTE function, to parse the LTE data? Could you give me some information about the APIs (in Wireshark) which could display the LTE data headers as layers in Wireshark? (I want to display these headers like layers.)
Thank you very much!
Best wishes,
Yuming
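Editor's note: the following is an added example, not code from this thread or from Wireshark itself. It models, in plain C with no Wireshark headers, the chain Guy describes: the link-layer type picks the first dissector, Ethernet hands off on the type field (0x0800 = IPv4), IPv4 hands off on its protocol field (6 = TCP), and TCP looks the port up in the "tcp.port" table to find the dissector registered for 9999. In a real dissector the same steps are proto_register_protocol() for the protocol, dissector_add_uint("tcp.port", 9999, handle) in the handoff routine (spelled dissector_add() in Wireshark releases of this era), proto_tree_add_item() and proto_item_add_subtree() to build the tree, and tvb_get_guint8()/tvb_get_ntohs() for reads, which throw a BoundsError on a short packet rather than returning an error code. The point a practitioner should take from it is the bounds check on every length field: a dissector runs on whatever bytes arrive, and an unchecked length in the header is the classic way a dissector is crashed or exploited. The LTE framing (version, message type, body length, body) is invented for the example; the names ending in _sim and the sample frame are constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Wireshark code: a small model of the dissector chain.
 * Names ending in _sim stand in for real epan calls. */
enum { MAX_ITEMS = 32, LABEL_LEN = 64, LTE_PORT = 9999 };
typedef struct { int depth; char label[LABEL_LEN]; } item_t;
typedef struct { item_t items[MAX_ITEMS]; int count; } proto_tree_t;
typedef struct { const uint8_t *data; size_t len; } tvbuff_t;
typedef int (*dissector_t)(tvbuff_t, proto_tree_t *);

/* Stand-in for proto_tree_add_item(): depth 0 is a protocol layer, 1 a field. */
static void tree_add(proto_tree_t *t, int depth, const char *label) {
    if (t->count >= MAX_ITEMS) return;
    t->items[t->count].depth = depth;
    snprintf(t->items[t->count].label, LABEL_LEN, "%s", label);
    t->count++;
}
static void tree_addf(proto_tree_t *t, int depth, const char *name, unsigned v, int hex) {
    char buf[LABEL_LEN];
    snprintf(buf, sizeof buf, hex ? "%s: 0x%04x" : "%s: %u", name, v);
    tree_add(t, depth, buf);
}

/* Bounds-checked reads. Real tvb_get_guint8()/tvb_get_ntohs() throw a BoundsError
 * on a short packet; here a failed read returns -1 and the caller marks it malformed. */
static int tvb_u8(tvbuff_t tvb, size_t off, uint8_t *v) {
    if (off + 1 > tvb.len) return -1;
    *v = tvb.data[off]; return 0;
}
static int tvb_u16(tvbuff_t tvb, size_t off, uint16_t *v) {
    if (off + 2 > tvb.len) return -1;
    *v = (uint16_t)((tvb.data[off] << 8) | tvb.data[off + 1]); return 0;
}
static tvbuff_t tvb_sub(tvbuff_t tvb, size_t off) {   /* tvb_new_subset_remaining() */
    tvbuff_t s = { tvb.data + off, tvb.len - off }; return s;
}

/* The "tcp.port" dissector table, reduced to a small array. */
static struct { uint16_t port; dissector_t handle; } tcp_port_table[8];
static int tcp_port_count;
static void dissector_add_uint_sim(uint16_t port, dissector_t h) {
    if (tcp_port_count < 8) { tcp_port_table[tcp_port_count].port = port;
                              tcp_port_table[tcp_port_count++].handle = h; }
}
static dissector_t tcp_port_lookup(uint16_t port) {
    for (int i = 0; i < tcp_port_count; i++)
        if (tcp_port_table[i].port == port) return tcp_port_table[i].handle;
    return NULL;
}

/* Hypothetical LTE-over-TCP framing (assumed for the example, not a real spec):
 * version(1) msg_type(1) body_len(2, big-endian) body. Returns bytes consumed. */
static int dissect_lte(tvbuff_t tvb, proto_tree_t *tree) {
    uint8_t ver, type; uint16_t blen;
    if (tvb_u8(tvb, 0, &ver) || tvb_u8(tvb, 1, &type) || tvb_u16(tvb, 2, &blen)
        || (size_t)blen + 4 > tvb.len) {            /* never trust a length field */
        tree_add(tree, 0, "[Malformed LTE header]"); return -1;
    }
    tree_add(tree, 0, "LTE");
    tree_addf(tree, 1, "Version", ver, 0);
    tree_addf(tree, 1, "Message type", type, 0);
    tree_addf(tree, 1, "Body length", blen, 0);
    return 4 + blen;
}

static int dissect_tcp(tvbuff_t tvb, proto_tree_t *tree) {
    uint16_t sport, dport; uint8_t doff;
    if (tvb_u16(tvb, 0, &sport) || tvb_u16(tvb, 2, &dport) || tvb_u8(tvb, 12, &doff)
        || (size_t)(doff >> 4) * 4 < 20 || (size_t)(doff >> 4) * 4 > tvb.len) {
        tree_add(tree, 0, "[Malformed TCP header]"); return -1;
    }
    tree_add(tree, 0, "TCP");
    tree_addf(tree, 1, "Source port", sport, 0);
    tree_addf(tree, 1, "Destination port", dport, 0);
    dissector_t next = tcp_port_lookup(dport);      /* dissector_try_uint() on "tcp.port" */
    if (!next) next = tcp_port_lookup(sport);
    if (!next) { tree_add(tree, 0, "Data"); return 0; }
    return next(tvb_sub(tvb, (size_t)(doff >> 4) * 4), tree);
}

static int dissect_ipv4(tvbuff_t tvb, proto_tree_t *tree) {
    uint8_t vhl, proto;
    if (tvb_u8(tvb, 0, &vhl) || tvb_u8(tvb, 9, &proto)
        || (size_t)(vhl & 0x0f) * 4 < 20 || (size_t)(vhl & 0x0f) * 4 > tvb.len) {
        tree_add(tree, 0, "[Malformed IPv4 header]"); return -1;
    }
    tree_add(tree, 0, "IPv4");
    tree_addf(tree, 1, "Protocol", proto, 0);
    if (proto != 6) { tree_add(tree, 0, "Data"); return 0; }   /* 6 = TCP */
    return dissect_tcp(tvb_sub(tvb, (size_t)(vhl & 0x0f) * 4), tree);
}

static int dissect_eth(tvbuff_t tvb, proto_tree_t *tree) {
    uint16_t type;
    if (tvb_u16(tvb, 12, &type)) { tree_add(tree, 0, "[Malformed Ethernet header]"); return -1; }
    tree_add(tree, 0, "Ethernet");
    tree_addf(tree, 1, "Type", type, 1);
    if (type != 0x0800) { tree_add(tree, 0, "Data"); return 0; }   /* 0x0800 = IPv4 */
    return dissect_ipv4(tvb_sub(tvb, 14), tree);
}

/* Entry point: Wiretap's link-layer type picks the first dissector (1 = Ethernet).
 * Registration mirrors a handoff routine: dissector_add_uint("tcp.port", 9999, handle). */
int dissect_frame(int linktype, const uint8_t *data, size_t len, proto_tree_t *tree) {
    tvbuff_t tvb = { data, len };
    tree->count = 0;
    tcp_port_count = 0;
    dissector_add_uint_sim(LTE_PORT, dissect_lte);
    if (linktype != 1) { tree_add(tree, 0, "[Unsupported link-layer type]"); return -1; }
    return dissect_eth(tvb, tree);
}

/* Constructed frame: Ethernet / IPv4 / TCP to port 9999 / toy LTE header + 3-byte body. */
const uint8_t sample_frame[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,
    0x45,0x00,0x00,0x2f, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0x02,
    0x30,0x39, 0x27,0x0f, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x18, 0xff,0xff, 0x00,0x00, 0x00,0x00,
    0x01, 0x02, 0x00,0x03, 0x61,0x62,0x63,
};

int main(void) {
    proto_tree_t tree;
    int rc = dissect_frame(1, sample_frame, sizeof sample_frame, &tree);
    for (int i = 0; i < tree.count; i++)          /* prints the tree, indented by depth */
        printf("%*s%s\n", tree.items[i].depth * 4, "", tree.items[i].label);
    return rc < 0;
}
```

Run stand-alone it prints the four protocol layers with their fields indented beneath them, which is the "headers as layers" display asked for above; feeding it the same frame cut two bytes short exercises the length check in the LTE dissector and yields a "[Malformed LTE header]" item instead of a read past the buffer.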