Wireshark-dev: [Wireshark-dev] IEEE 802.3ah Processing

From: Elliot Parsons <elliotparsons@xxxxxxxxx>
Date: Mon, 9 Apr 2012 17:08:56 -0400

I am working with an 802.3ah system. I have a third-party packet capture device with its own packet processor, but I would like to have some of Wireshark's capabilities for processing the capture file offline.

802.3ah contains an Ethernet frame, but it adds a 6-byte preamble that contains a link-layer ID along with other information. I have written a dissector to process this 6-byte preamble, which ends up calling the standard Ethernet dissector when it is complete. I currently know of two ways of kicking off this 802.3ah dissector:

1) Change the capture type in the header of the PCAP file.

2) Add a check in the Ethernet dissector that looks for the start of the 802.3ah preamble for each packet. This check is only enabled if an 802.3ah option is selected for Ethernet parsing.

Is either of these methods preferred, or is there another way to start the new dissector that I have not considered?

Thanks,
Elliot
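
Option 1 from the message above, as an added example (not code from the original post or from Wireshark): it rewrites only the link-type field of a classic pcap global header to a user-reserved value, which Wireshark can map to a custom dissector through its DLT_USER preferences. The function names and the sample capture are constructed for illustration, and 147 (the first user-reserved link type) is an assumed choice.

```python
import struct

# Classic pcap magic bytes as stored on disk, mapped to struct byte order.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"
GLOBAL_HEADER_LEN = 24
LINKTYPE_OFFSET = 20      # last 32-bit field of the global header
LINKTYPE_ETHERNET = 1
LINKTYPE_USER0 = 147      # assumed choice from the user-reserved range 147-162


def read_linktype(data):
    """Return (byte_order, linktype) from a classic pcap global header."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("truncated pcap global header")
    magic = bytes(data[:4])
    if magic == PCAPNG_MAGIC:
        raise ValueError("pcapng file: link type is stored per interface block")
    order = PCAP_MAGICS.get(magic)
    if order is None:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack_from(order + "I", data, LINKTYPE_OFFSET)
    return order, linktype


def retag_capture(data, new_linktype=LINKTYPE_USER0, expect=LINKTYPE_ETHERNET):
    """Return a copy of the capture with only the header link type changed."""
    order, current = read_linktype(data)
    if current != expect:
        raise ValueError(f"link type is {current}, expected {expect}; not retagging")
    out = bytearray(data)
    struct.pack_into(order + "I", out, LINKTYPE_OFFSET, new_linktype)
    return bytes(out)


def build_sample_capture(order="<"):
    """Constructed sample: a header plus one record of placeholder bytes."""
    header = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    payload = bytes(range(20))  # placeholder, not a real 802.3ah frame
    record = struct.pack(order + "IIII", 0, 0, len(payload), len(payload)) + payload
    return header + record

if __name__ == "__main__":
    print(read_linktype(retag_capture(build_sample_capture())))
```

Packet records are left untouched, so the original capture can be recovered by retagging back to link type 1.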