Wireshark-dev: Re: [Wireshark-dev] Modifying the ETH dissector

From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Date: Mon, 6 Apr 2009 17:24:33 -0400

First, you might try reading through the documentation.  README.developer and README.heuristic ought to provide you with just about all the information you need to get you started.

 

But to answer your questions:

1) Yes, your plugin will change slightly going from a normal dissector to a heuristic one.  The README’s should explain all of this.

 

2) You can fetch the Ethernet MAC address from pinfo.  See epan/packet_info.h.

 

3) The Ethernet dissector will hand off the packet to your dissector starting with the payload.  In other words, your dissector will not get the 1st 14 bytes of packet, which is the Ethernet header.  It is then up to your dissector to try to figure out, heuristically, whether or not the payload is actually yours or not to dissect.  If it isn’t, return FALSE; if it is, dissect the packet accordingly and return TRUE.  If you need the Ethernet header information to help determine if it’s yours or not, then you can get all of it from pinfo.  Assuming it’s your data, you should end up with a tree structure such as:

+ Frame 1 (xx bytes on wire, yy bytes captured)

+ Ethernet II, Src: xx:xx:xx:xx:xx:xx, Dst: yy:yy:yy:yy:yy:yy

+ Your protocol, Your protocol-specific summary information

 

So, I’m not exactly sure what you meant by “may I reuse the Eth packet analysis”, but you can certainly get the Ethernet related information via pinfo if you need it, and if you were wondering whether you need to handle dissection of the Ethernet header or not, you don’t.  Your dissector will only need to populate that last tree.

 

4) When you’re done dissecting your protocol’s data and assuming you know the rest is IP, simply call “call_dissector(ip_handle)”. E.g., this pseudo-code should give you an idea:

 

static dissector_handle_t ip_handle;

 

static gboolean

dissect_PROTOABBREV(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)

{

    tvbuff_t *next_tvb;

    proto_tree *your_tree;

 

    handle_heuristics();

    dissect_your_stuff();

 

    /* Assuming the rest of the payload is IPv4, create a new tvb subset and

     * pass it to the IP dissector.

     *     Offset is the offset into your payload where IPv4 data begins.

     *     len is the length of the IP data.

     */

    next_tvb = tvb_new_subset(tvb, offset, len, len);

    call_dissector(ip_handle, next_tvb, pinfo, your_tree);

}

 

void

proto_reg_handoff_PROTOABBREV(void)

{

    ip_handle = find_dissector("ip");

}

 

- Chris

 

 

From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of yvanmmailbox-web@xxxxxxxx
Sent: Monday, April 06, 2009 6:15 AM
To: wireshark-dev@xxxxxxxxxxxxx
Subject: [Wireshark-dev] Modifying the ETH dissector

 

Hi all,

I'm beginner in Wireshark plugin development.
As Valentin said in a previous mail (http://www.wireshark.org/lists/wireshark-dev/200803/msg00285.html), I also need to develop an AFDX plugin. I am interested in the solution explained in this URL, to add a heuristic dissector, but I have some questions:

Does using a heuristic dissector suppose I don't need to modify the ETH dissector, and only create my own one as a plugin? In this case, where do I add the line "heur_dissector_add(“eth”, dissect_afdx, proto_afdx);" ?=> Does the structure of my plugin change with this kind of call?

How can I fetch the MAC address from data inside the ETH, to scan it?

May I reuse the ETH packet analysis (length, type of protocol encapsulated, trailer...) automatically?

What must I do in my plugin in order to use the IP plugin after? (i.e. I wish to have frame:afdx:ip:udp:other)

Thanks a lot for your answers!

Yvan

 

CONFIDENTIALITY NOTICE: The contents of this email are confidential
and for the exclusive use of the intended recipient. If you receive this
email in error, please delete it from your system immediately and 
notify us either by email, telephone or fax. You should not copy,
forward, or otherwise disclose the content of the email.