Wireshark-dev: Re: [Wireshark-dev] My first dissector

From: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Date: Thu, 16 Apr 2015 14:32:41 +0200


2015-04-16 10:41 GMT+02:00 <14mpdn+2zn37jzosz4r8@xxxxxxxxxxxxxxxxx>:
Hi Pascal, Alexis and all,

Thanks for your time and answers, very helpful. I did provide all the code, there just isn't much yet. I wanted to get something running first, before I would add more code, such that I know I have a base set-up working.

I did forget to mention a probably important fact, which is that I am running my plugin with the version that got installed using Homebrew. And my git checkout, although I did checkout the v1.12.4 tag, might be slightly different (for some reason I wouldn't exactly know).

Yes this is an extremely important point. You have no guarantee of an API compatibility between Wireshark major versions (or I should say it is always incompatible ;) ). Uou must build your plugin against Wireshark version you target so please update your checkout to point on the same release as your Homebrew version and recompile.


I did this for two (possibly bad) reasons:
- I did not get a GUI when building my git checkout (although the build was successful, but probably requires some configuration I need to further look into).
- This is also how I want to use the plugins in the end (copying it to other people). Maybe wireshark "plugins" are not meant to be used like that? I get the feeling I should maybe go for Lua plugins, but I wanted to try c code first as I read the Lua dissectors could be a bit slow sometimes.

Just for completeness, here's the backtrace. I think I understand that this is probably due to combining two slightly different versions of Wireshark (the one installed with Homebrew versus the git checkout of the v1.12.4 tag).

I debugged wireshark-qt with lldb (yes, without the copied plugin mytest.so file that runs fine).
On the GUI window I see "Please wait while Wireshark is initializing..." in the info bar, and "Handing off dissector zbee_zbp" above the progress bar (perhaps the dissector being loaded just before mine), this is what the lldb window shows:

ERROR:/Users/sjaak/WiresharkPlugins/wireshark/epan/wmem/wmem_scopes.c:124:wmem_epan_scope: assertion failed: (epan_scope)
Process 55968 stopped
* thread #1: tid = 0xf7f10, 0x00007fff8ae90286 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
    frame #0: 0x00007fff8ae90286 libsystem_kernel.dylib`__pthread_kill + 10
libsystem_kernel.dylib`__pthread_kill:
->  0x7fff8ae90286 <+10>: jae    0x7fff8ae90290            ; <+20>
    0x7fff8ae90288 <+12>: movq   %rax, %rdi
    0x7fff8ae9028b <+15>: jmp    0x7fff8ae8bc53            ; cerror_nocancel
    0x7fff8ae90290 <+20>: retq

And here's the backtrace:

(lldb) bt
* thread #1: tid = 0xf7f10, 0x00007fff8ae90286 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
  * frame #0: 0x00007fff8ae90286 libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007fff8c9cd42f libsystem_pthread.dylib`pthread_kill + 90
    frame #2: 0x00007fff9284cb53 libsystem_c.dylib`abort + 129
    frame #3: 0x0000000103ee03ce libglib-2.0.0.dylib`g_assertion_message + 390
    frame #4: 0x0000000103ee042c libglib-2.0.0.dylib`g_assertion_message_expr + 94
    frame #5: 0x000000011387fea6 libwireshark.5.dylib`wmem_epan_scope + 54 at wmem_scopes.c:124
    frame #6: 0x00000001138213c5 libwireshark.5.dylib`create_dissector_handle(dissector=0x000000010b730e40, proto=0) + 21 at packet.c:2208
    frame #7: 0x000000010b730e16 mytest.so`proto_reg_handoff_mytest10 + 22 at packet-mytest.c:39
    frame #8: 0x0000000103ed95d7 libglib-2.0.0.dylib`g_slist_foreach + 34
    frame #9: 0x0000000100415492 libwireshark.5.dylib`proto_init + 488
    frame #10: 0x0000000100400a58 libwireshark.5.dylib`epan_init + 125
    frame #11: 0x00000001000a6df6 wireshark-qt`main + 2086
    frame #12: 0x00007fff886bd5c9 libdyld.dylib`start + 1

---

    Dear all,

    (Sorry for double posting, but I got no response on the users mailing list, so I thought maybe this list is actually more appropriate)

    I'm trying to write my first Wireshark dissector. As an example, I looked at http://protomatics.com/wireshark_dissector.html and the nice Wireshark Wiki pages.

    I have installed on my Mac a Homebrew version of wireshark in:
    /usr/local/Cellar/wireshark/1.12.4/

    I checked out the v1.12.4 version in git:
    $ git status
    HEAD detached at v1.12.4

    If I copy the created .so file to /usr/local/Cellar/wireshark/1.12.4/lib/wireshark/plugins/1.12.4/
    and start wireshark-qt, the program terminates with:
    ERROR:/Users/sjaak/WiresharkPlugins/wireshark/epan/wmem/wmem_scopes.c:124:wmem_epan_scope: assertion failed: (epan_scope)
    Abort trap: 6 (core dumped)

    I hope there's somebody out there who can easily see what's wrong? I don't know if I'm doing something wrong or there's a problem with the code.

    Thanks,
    Sjaak.


    I modified a few makesfiles and used cmake to build everything. That part seems to work fine (no errors and I get an .so file in the 'run' folder).

    I have these files in the wireshark/plugins/mytest folder:
    CMakeLists.txt                  Makefile.nmake                  packet-mytest.c
    Makefile.am                     moduleinfo.h                    plugin.c
    Makefile.common                 moduleinfo.nmake                plugin.rc.in

    And packet-mytest.c looks like this:


    #include "config.h"

    #include <epan/packet.h>

    #define MYTEST_PORT 1234

    static int proto_mytest_10 = -1;
    static gint ett_mytest_10 = -1;

    static void dissect_mytest10(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
    {
        col_set_str(pinfo->cinfo, COL_PROTOCOL, "MYTEST10");
        col_clear(pinfo->cinfo, COL_INFO);

        if (tree)
        {
            proto_item *ti = proto_tree_add_item(tree, proto_mytest_10, tvb, 0, -1, FALSE);
            tree = proto_item_add_subtree(ti, ett_mytest_10);
        }
    }

    void proto_register_mytest10(void)
    {
        /* Setup protocol subtree array */
        static int *ett[] = { &ett_mytest_10 };

        proto_mytest_10 = proto_register_protocol(
            "MYTEST v1.0 Protocol", // name
            "MYTEST10", // short name
            "mytest10"); // abbrev

        proto_register_subtree_array(ett, array_length(ett));
    }

    void proto_reg_handoff_mytest10(void)
    {
        static dissector_handle_t mytest10_handle;

        mytest10_handle = create_dissector_handle(dissect_mytest10, proto_mytest_10);
        dissector_add_uint("tcp.port", MYTEST10_PORT, mytest10_handle);
    }


Hi Sjaak,

you probably did not share all the info as this code compiles and run fine on my end (Windows 7 with MSVC2013, does not crash as startup when loading the plugin).
First of all, does Wireshark start properly without your plugin?
If yes, could you share the backtrace (as the wmem assert, by its own, is not that helpful without the context)?
BTW it should be noted that Qt GUI support is quite experimental (and abandoned) in master-1.12 branch. It would be safer to either use GTK in this branch, or switch to master branch if you want to stick to Qt.

Best regards,
Pascal.





----
Sent using GuerrillaMail.com
Block or report abuse: https://www.guerrillamail.com/abuse/?a=VkhmAB4IQqYexQqx5l4IewbCXsKRwNweyLZF



___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe