Wireshark-dev: Re: [Wireshark-dev] Dissector for link layer to run before ethernet one

From: John Thacker <johnthacker@xxxxxxxxx>
Date: Thu, 20 Jul 2017 07:56:23 -0400

On Thu, Jul 20, 2017 at 7:47 AM, Mihai Cîrîc via Wireshark-dev <wireshark-dev@xxxxxxxxxxxxx> wrote:
> Hello all,
>
> I have some capture files with packets encapsulated under ethernet. But
> these packets have a short header before the mac addresses and I am
> trying to write a dissector that would run before the ethernet one,
> parse the header and then call the ethernet dissector to continue parsing
> the rest of the packet.
>
> I was not able to find any example of this being done and I guess it would
> involve changing the entry in the wtap_encap table to replace the eth
> dissector.
>
> Any ideas on how this could be done?

The quickest way is to change the encapsulation of the files to one of the DLT_USER types (say with editcap) and then follow the procedure outlined here:

https://wiki.wireshark.org/HowToDissectAnything

For starters, you can simply skip over your initial header with header_size, and then after you've written your dissector you can call it directly with the header_proto option.

John Thacker
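The procedure John describes, written out as a complete Lua dissector. This is an added example, not code from the thread or from the Wireshark project: it assumes the capture has already been rewritten to DLT_USER0 with editcap, and it assumes a hypothetical 4-byte pre-Ethernet header (a 16-bit "kind" followed by a 16-bit "seq"), since the original post does not describe the real header. The dissector registers itself in the wtap_encap table for USER0, checks that the frame is long enough before reading any field, and then hands the remainder to the Ethernet dissector. The protocol name "prehdr" and the field names are made up for the example.

```lua
-- prehdr.lua: added example (not from the mailing-list thread or Wireshark itself).
-- Assumes the capture was rewritten to link-layer type USER0 beforehand:
--   editcap -T user0 original.pcap user0.pcap
-- and assumes a hypothetical 4-byte header in front of the Ethernet frame:
--   bytes 0-1  uint16, big-endian  "kind"
--   bytes 2-3  uint16, big-endian  "seq"
-- Load it with:  wireshark -X lua_script:prehdr.lua user0.pcap

local HDR_LEN = 4  -- assumed header length for this example

local prehdr = Proto("prehdr", "Hypothetical pre-Ethernet header")

local f_kind = ProtoField.uint16("prehdr.kind", "Kind", base.HEX)
local f_seq  = ProtoField.uint16("prehdr.seq",  "Sequence", base.DEC)
prehdr.fields = { f_kind, f_seq }

-- Expert info raised when a frame is too short to hold the header
local ef_short = ProtoExpert.new("prehdr.short",
                                 "Frame shorter than pre-Ethernet header",
                                 expert.group.MALFORMED, expert.severity.ERROR)
prehdr.experts = { ef_short }

-- The built-in Ethernet dissector. "eth_withoutfcs" is the variant for
-- captures that do not carry the frame check sequence.
local eth = Dissector.get("eth_withoutfcs")

function prehdr.dissector(tvb, pinfo, tree)
  pinfo.cols.protocol = "PREHDR"

  -- Add the protocol node covering whatever part of the header is present
  local subtree = tree:add(prehdr, tvb(0, math.min(HDR_LEN, tvb:len())))

  -- Bounds check before touching any field: a truncated frame must be
  -- flagged as malformed rather than throwing a Lua error.
  if tvb:len() < HDR_LEN then
    subtree:add_proto_expert_info(ef_short)
    return tvb:len()
  end

  subtree:add(f_kind, tvb(0, 2))
  subtree:add(f_seq,  tvb(2, 2))

  -- Hand the rest of the frame to Ethernet, which then dispatches
  -- IP, ARP, etc. exactly as it would for a plain Ethernet capture.
  eth:call(tvb(HDR_LEN):tvb(), pinfo, tree)
  return tvb:len()
end

-- Register for link-layer type USER0 so this dissector, not ethernet,
-- is the entry point for every frame in the rewritten capture.
DissectorTable.get("wtap_encap"):add(wtap.USER0, prehdr)
```

Registering in wtap_encap for a USER type rather than replacing the ethernet entry leaves ordinary Ethernet captures untouched, and the length check keeps a short or corrupt frame from aborting dissection of the whole packet.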