Wireshark-dev: Re: [Wireshark-dev] Dissecting protocol running under UDP
Beth wrote:
I am working with a plugin dissector that handles a protocol running
under IEEE 802.15.4. The source code for this dissector (written by
someone else) combines the 802.15.4 dissection with the other protocol.
I am attempting to split the existing plugin into a separate plugin for
the other protocol, and use it with the Wireshark builtin 802.15.4
dissector instead of the homegrown one.
Here is the hitch I have encountered: The sniffer I was given
encapsulates the 802.15.4 packets as UDP payloads. The plugin I'm
working on adds itself to the "udp.port" dissector list for the
appropriate port number, but the builtin 802.15.4 dissector only adds itself
to "ethertype".
Can someone advise me on the best way to proceed from here? I see the
following options:
1. Give up on using the builtin 802.15.4 dissector, just keep using the
one I have.
2. Modify the builtin dissector so that it adds itself to "udp.port"
instead of "ethertype". (Which means I will no longer be able to
distribute just the plugins to other users of this protocol; they will
need the modified Wireshark build as well.)
3. Find a way to modify the builtin dissector so that it works for this
sniffer *without* affecting how it works for everyone else, and submit
the patch for approval. (Would only do this if it were likely that
others might need a similar feature.)
4. Write another dissector that registers for the appropriate "udp.port"
and calls find_dissector("wpan") (or "wpan-nofcs" or one of the other
names for that dissector) to get a handle to the 802.15.4 dissector.
When this dissector is handed packets it can pass the appropriate part
of the payload to the built-in 802.15.4 dissector.
For a simple example of that, look at packet-mtp2.c, which dissects MTP2
headers before passing the remaining payload to the MTP3 dissector.
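As an added illustration of option 4 (this is not code from the thread or from Wireshark itself), the same "register on udp.port, then hand the payload to the built-in 802.15.4 dissector" idea can be written as a Wireshark Lua dissector, which is distributable as a single file without rebuilding Wireshark. `Dissector.get("wpan")` is the Lua counterpart of the C `find_dissector("wpan")` call mentioned above. The UDP port, the protocol name `zbsniff`, and the assumption that the sniffer prefixes each frame with a fixed-length header are all constructed for the example and must be adjusted to the real sniffer's encapsulation.

```lua
-- Added example, not from the thread: a Lua dissector that registers on udp.port
-- and forwards the UDP payload to Wireshark's built-in IEEE 802.15.4 dissector
-- ("wpan"). Port number, protocol name and the fixed sniffer header are assumptions.

local SNIFFER_PORT = 17754      -- assumed: replace with the sniffer's real UDP port
local SNIFFER_HDR_LEN = 4       -- assumed: bytes the sniffer prepends to each frame

local proto = Proto("zbsniff", "Constructed 802.15.4-over-UDP sniffer encapsulation")

local f_hdr = ProtoField.bytes("zbsniff.header", "Sniffer header")
local f_len = ProtoField.uint32("zbsniff.payload_len", "802.15.4 payload length", base.DEC)
proto.fields = { f_hdr, f_len }

-- Expose both assumptions as preferences so users can fix them without editing code.
proto.prefs.port = Pref.uint("UDP port", SNIFFER_PORT, "UDP port the sniffer sends to")
proto.prefs.hdrlen = Pref.uint("Header length", SNIFFER_HDR_LEN,
                               "Bytes to skip before the 802.15.4 frame")

-- Resolve the built-in handle once. "wpan" expects a trailing FCS; if the sniffer
-- strips it, the no-FCS variant registered by the same dissector is the one to use.
local wpan = Dissector.get("wpan")

function proto.dissector(tvb, pinfo, tree)
    local hdrlen = proto.prefs.hdrlen
    if tvb:len() <= hdrlen then
        -- Nothing follows the sniffer prefix: flag it instead of handing an empty
        -- buffer to the inner dissector.
        pinfo.cols.protocol = proto.name
        tree:add_expert_info(PI_MALFORMED, PI_ERROR, "Packet shorter than sniffer header")
        return 0
    end

    local subtree = tree:add(proto, tvb(0, hdrlen))
    subtree:add(f_hdr, tvb(0, hdrlen))
    subtree:add(f_len, tvb:len() - hdrlen)

    -- Hand everything after the header to the built-in dissector as a fresh Tvb;
    -- it fills in the protocol/info columns and builds the 802.15.4 subtree itself.
    wpan:call(tvb(hdrlen):tvb(), pinfo, tree)
    return tvb:len()
end

local function register_port(port)
    DissectorTable.get("udp.port"):add(port, proto)
end

-- When the port preference changes, drop the old binding before adding the new one.
local current_port = SNIFFER_PORT
function proto.prefs_changed()
    if proto.prefs.port ~= current_port then
        DissectorTable.get("udp.port"):remove(current_port, proto)
        current_port = proto.prefs.port
        register_port(current_port)
    end
end

register_port(SNIFFER_PORT)
```

Drop the file into the personal Lua plugins directory (or load it with `-X lua_script:`), then open a capture from the sniffer; frames on the configured UDP port should show the `zbsniff` header followed by the normal IEEE 802.15.4 tree produced by the built-in dissector. The length check before `wpan:call` matters because the inner dissector will otherwise report the truncated buffer as a malformed 802.15.4 frame, which hides the fact that the problem is in the encapsulation layer.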