Wireshark-dev: Re: [Wireshark-dev] How to use Wireshark dissectors and header fields? (looking

From: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Date: Fri, 8 Sep 2017 16:39:18 +0200
Hi Christopher,

there are several ways of writing a Wireshark dissector (using C or Lua, for example). It's up to you to decide which one is the most comfortable for you.
I highly encourage you to read the Sharkfest presentation 'Writing a dissector: 3 ways to eat bytes' done by Graham Bloice. The PowerPoint presentation should hopefully clarify things, and it even comes with samples: https://sharkfest.wireshark.org/assets/presentations16/03.7z

Wireshark's own documentation is mostly about C-based dissectors, because that's how all dissectors were written initially. You should also read https://www.wireshark.org/docs/wsdg_html_chunked/ and the other files found in the doc folder of the source code.

Good luck and best regards,
Pascal.

2017-09-07 18:43 GMT+02:00 <Christopher.Lusardi@xxxxxxxxxxxxxxxx>:

Hello, what useful things can you give me?


I’m looking for a step-by-step description which is at the level of push this button, select this from this menu, type this, etc. I.e., I’m looking to be able to write a dissector like an expert with 10 years of experience. Is anyone up to the task?


Also, do you have any really useful videos or Internet links that I should study?


Background:


I'll explain to you what my team first wants accomplished.

I will explain to you what engineering data units we want. We want to display engineering units instead of hexadecimal digits in the data fields of various messages in our protocol. Simply put, for my first task all we want are 3 "on"/"off" values and 2 integer values.

Caveat: In this background description, I'm using all make-believe data from Wireshark captured data. My team doesn't want me to publish actual data.

(1) Captured Wireshark data from three areas of Wireshark:

No. Time     Source    Destination   Protocol Length Info

8   0.055974 192.2.4.8 240.199.089.0 UDP      60     53016->53016 Len=4

Message:

Data (4 bytes)

      Data: 2043c0bd

      [Length: 4]

Raw Data:

20   43   c0   bd

(2) My explanation of the above hexadecimal data:

Byte 1:  20

Byte 2:  43

Byte 3:  c0

Byte 4:  bd

Above, byte 1 has only 3 bits (the right 3 bits) that have to be translated to "on" or "off" values. I.e., we want to see "on" or "off" instead of "1" and "0". The other bits (the left 5 bits) can be ignored and not shown at all in the message window. They'll still be visible in the raw data. The 3 right bits represent 3 separate switches.

Above, bytes 2 through 4 hold two integer values from -127 to 127. Again, some of the bits will not be used and can be ignored and not shown at all in the message window. They'll still be visible in the raw data. The bits that make up the two integer values are distributed across the 3 above bytes and are not consecutive. Here is the actual placement of the 16 bits that make up the two integer values between -127 and 127. These two integer values represent a single joystick which can be moved left or right from a resting position.

Byte 2:  0   1   0   0   X7  X6  Y7  Y6

Byte 3:  1   1   X5  X4  X3  X2  X1  X0

Byte 4:  1   0   Y5  Y4  Y3  Y2  Y1  Y0

So, my team wants me to pick out the above bits to create and display two integer values.

X7  X6  X5  X4  X3  X2  X1  X0  Equals some value from -127 to 127

Y7  Y6  Y5  Y4  Y3  Y2  Y1  Y0  Equals some value from -127 to 127

FYI: This is only my preliminary initial task. I.E.: This is the first message that my team wants me to create a dissector for. There are other messages that I will be given later to work on and display in a nice way.


FYI: By "left" and "right", as in "left 5 bits" and "right 3 bits", I mean "upper" and "lower", so that the high-order bit, and the 4 bits below it, are the "left 5 bits", and the 3 bits below that, going down to the low-order bit, are the "right 3 bits", so that, for 0x20, which is 00100000 in binary, the "left 5 bits" are "00100", and the "right 3 bits" are "000", and all 3 bits are "off", and the "00100" can be ignored.


QUESTIONS:


Question 1: Can someone give me a step-by-step procedure to build a useful working dissector that will run on Windows? Again, I’m looking for a detailed enough description that a 15-year-old could follow.


I’m not a complete numbskull. Yes, I have never worked with a dissector before, but I’m a fairly good C/C++ programmer.


Are there different kinds of dissectors? Please explain.


I have looked at the following Developer’s guide, but since I’m a novice I get easily lost and cannot use it.


https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=doc/README.dissector


I have attached a screen dump showing the contents of my Wireshark folder along with a greatly edited screen dump showing some of the protocols on my laptop. I was thinking these may help you find a few example dissectors that will work on Windows. I have also attached an edited screen dump showing my system configuration. (I deleted what looked like IP addresses from the screen dumps.)


Question 2: The file packet-PROTOABBREV.c mentioned in the Wireshark Developer's guide doesn't look anything like the file in the YouTube video (see the code in this video starting at 5 seconds: Packet Class: Wireshark - Lua Protocol Dissectors), why is that? I do not have Lua installed on my laptop!


packet-PROTOABBREV.c 

https://github.com/boundary/wireshark/blob/master/doc/packet-PROTOABBREV.c


Video:

https://www.youtube.com/watch?v=I4nf23HywmI


Question 3: How can I use header fields to solve my above problem a different way? Again, I would like a simple but useful working example.


Question 4: How does a novice use the Wireshark Developer’s guide?


Question 5: So, can you give me a link to some working dissectors that I can use on my Windows laptop?


Question 6: What are the limitations on using dissectors versus header fields?


I’m hoping that I can get some useful examples that I can modify to meet my needs at work. The more the merrier!


Thank you,


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe