Wireshark-dev: Re: [Wireshark-dev] WirelessHART/New Protocol DLTs

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Tue, 7 Mar 2017 18:20:23 +0100
On Tue, Mar 07, 2017 at 08:40:51AM -0500, K. Reid Wightman wrote:
> Hi all -
> 
> I'm dusting off a very old research project, to make a useful open
> WirelessHART capture tool and wireshark dissector.
> 
> I encountered this old thread:
> https://www.wireshark.org/lists/wireshark-dev/201107/msg00040.html ,
> wherein Sam Roberts requested a DLT_ value for WIHART, and it was
> assigned value 223.  I grabbed Sam's dissector, changed it slightly to
> use the new DLT, tossed it into my Wireshark plugins directory, and
> modified the KillerBee packet capture tool to record a PCAP with the new
> DLT_ value.
> 
> However, when I try to open said PCAP with Wireshark, Wireshark tells me
> that there is no dissector for DLT 223.  If I open Wireshark's LUA
> evaluator and type the following:
> 
> local wtap_encap = DissectorTable.get("wtap_encap")
> local test = wtap_encap:get_dissector(223)
> print("testing for wihart: ", test)
> 
> the console outputs:
> 
> testing for wihart:      WIHART
> 
> So, it seems that the dissector is at least properly registered.  I
> wonder what else is required to make Wireshark try to apply the
> dissector to a pcap when loading the file?

I guess that pcap_to_wtap_map in wiretap/pcap-common.c must be edited to
make the pcap reader recognize this link type. Though I do wonder why
the linktype is assigned, but not listed at
http://www.tcpdump.org/linktypes.html (nor in wiretap/wtap.h).

Guy, any idea?

> I put both Sam Roberts' dissector and a sample PCAP on github here, if
> anyone wants to follow along at home:
> https://github.com/reidmefirst/WirelessHART-Parser
> 
> I have tried using the LUA dissector on Wireshark 1.12.1 (on a Debian
> x64 system) as well as 2.2.2 (on an OS X system)...same issue on both
> systems.
> 
> Thanks for any tips,
> Reid
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
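As an added example (not code from this thread, from KillerBee or from Wireshark), the following Python shows where the DLT_ value Reid mentions actually lives: it is only the "network" field of the classic pcap global header, which is why a file can carry 223 while the reader still has no idea what to do with it. The sample frames are constructed placeholder bytes, not real WirelessHART traffic.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap magic, microsecond timestamps
DLT_WIHART = 223          # the DLT_ value assigned for WirelessHART per the thread

def write_pcap(frames, linktype=DLT_WIHART, snaplen=65535):
    """Serialise (ts_sec, ts_usec, payload) tuples into a little-endian pcap blob."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, network (= DLT)
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, payload in frames:
        # Record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload))
        out += payload
    return out

def read_pcap(data):
    """Parse a pcap blob; returns (linktype, [(ts_sec, ts_usec, payload), ...]).

    Both byte orders are handled, since the magic decides how the DLT field is read.
    """
    magic = data[:4]
    if magic == struct.pack("<I", PCAP_MAGIC):
        endian = "<"
    elif magic == struct.pack(">I", PCAP_MAGIC):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (vmaj, vmin))
    frames, off = [], 24
    while off < len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        # Reject records that claim more bytes than the snaplen or than remain in the file
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % (off - 16))
        frames.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, frames

# Constructed sample frames: placeholder bytes, NOT real WirelessHART frames.
SAMPLE_FRAMES = [(1488900000, 1, b"\x41\x88\x01\xcd\xab"), (1488900000, 2, b"\x02\x00\xff")]

if __name__ == "__main__":
    blob = write_pcap(SAMPLE_FRAMES)
    linktype, frames = read_pcap(blob)
    print("linktype %d, %d frames" % (linktype, len(frames)))
```

Opening the written blob in Wireshark reproduces the situation in the thread: the header says 223, but nothing happens until the pcap reader maps that number to a wiretap encapsulation.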