[Mrunal Upadhyay <m.upadhyay@xxxxxxxxxxxxxxx>]

Guys,

 

Thank You very much for the help and suggestions. It really helped me figure out the problem and the solution to it. I carried out the following steps to define a custom dissector that  does not depend or run on top of any existing protocol.

 

Please note these steps are only for local development and these changes should not be checked in as it involves

defining a new mapping for a protocol in the encapsulation table(mapping of a new protocol to a new link_layer_id).

 

1. Define a macro in the Wtap.h header file for the new protocol.

................................

...............................

#define WTAP_ENCAP_LAPD                         131

#define WTAP_ENCAP_DVBCI                        132

#define WTAP_ENCAP_protocol                          133//macro for new protocol.

..............................

...............................

 

 

2. Define a new mapping for the new protocol to a new link_layer_id in the Pcap-common.c file in the pcap_to_wtap_map[]

 array of structures.

 ...............

 ...............

 { 230,          WTAP_ENCAP_IEEE802_15_4_NOFCS },

                /* DVB-CI (Common Interface) */

                { 235,                     WTAP_ENCAP_DVBCI },

                /* New protocol */

    { 240, WTAP_ENCAP_protocol},// mapping for new protocol to a link_layer_type value=240.

 

                /*

                 * To repeat:

                 *

                 * If you need a n

 ......................

 ....................

 

 In my case, I have associated my new protocol with link_layer_id=240.

 

NOTE:Please note if you plan to check in the code and want your protocol to be a part of Wireshark releases then send a mail

to tcpdump-workers@xxxxxxxxxxxxxxxxx, asking for a new DLT_ value, and specifying the purpose of the new value. When

you get the new DLT_ value, use that numerical value in the "dlt_value" field of "pcap_to_wtap_map[]".

 

3.            Create an entry in the encap_table_base[] array of structures supplying the name and short name for the new

protocol in the Wtap.c file.

 

...............................

...........................

                /* WTAP_ENCAP_LAPD */

                { "Lapd header", "lapd" },

 

                /* WTAP_ENCAP_DVBCI */

                { "DVB-CI (Common Interface)", "dvbci"},

 

                /*WTAP_ENCAP_protocol*/

                {"Protocol_name","Protocol_short_name"}

};

 

gint wtap_num_encap_types = sizeof(encap_table_base) / sizeof(struct encap_type_info);

static GArray* encap_table_arr = NULL;

...........................

...............................  

 

4. You can generate the required .pcap file from input text file with appropriate header information specific to your protocol by

using the text2pcap utility that comes with the Wireshark installation:

 

./text2pcap -l 240 input.txt output.pcap

 

5. Rebuild the Wireshark source code and install it. Copy the plugin (protocol.dll) for your protocol specific

dissector in the plugins directory and restart wireshark.

 

Mrunal

 

From: Mrunal Upadhyay
Sent: Thursday, April 21, 2011 1:20 AM
To: 'wireshark-dev@xxxxxxxxxxxxx'
Subject: Use of wireshark to interpret input data that does not depend on any other existing protocols

 

Hi All,

 

I am adding a new protocol to wireshark that does not rely or depend on any other protocols(tcp, udp, ethernet,ppp,etc). I will be thankful if anyone can help me understand the following things:

 

1. I have written the protocol dissector for my unique protocol. But how do I differentiate the input packets in .pcap file so that only my protocol dissector gets called to process the data? And how can I add uniqueness to the input data stream to customize it to my protocol. Is the protocol identified by means of some common pattern in the input stream of bytes .If that is the case, how can I do that?

 

2. What is the difference between the dissector table and encapsulation table. I have understood how the protocol dissector encodes the input data and display it in a tree based on the formatting defined by static arrays ett and hf. What all steps I need to perform in order to write a protocol dissector that does not depend on any existing protocols and customize the input data in pcap file so that my protocol dissector gets called only when it comes across correct input data.

 

Mrunal