Wireshark-dev: Re: [Wireshark-dev] Clarifications regarding building wireshark

From: Dario Lombardo <lomato@xxxxxxxxx>
Date: Mon, 16 Mar 2020 09:21:11 +0100


On Mon, Mar 16, 2020 at 7:37 AM Ankish Shah <ankishshah998998@xxxxxxxxx> wrote:
I've downloaded and built wireshark on Ubuntu machine and I was going through the documentation of building new dissectors.
I have a couple of doubts. 
1. When I write code for a new dissector, do I have to build the entire wireshark once again (it takes around 10-12 mins on my system), or is there any option to compile only the new files and see the results?

The build system just compiles what changed on disk. You can skip the linking phase, if you want to just compile your dissector, by issuing make/ninja epan/dissectors/CMakeFiles/dissectors.dir/packet-dns.c.o (to compile packet-dns.c, for instance). But this won't give you a fully functional wireshark, just serves to see if your dissector compiles.
 
2. Once I code new dissectors, how do I test it using wireshark? For example, if you create a dissector to capture packets on port '12345' and the packet includes a flag bit and an ipv4 address, how do you actually create the packet, send it on port 12345 and see the results on wireshark?

You have bunch of options here. From writing a pcap file manually yourself, to write your payload manually and send it through the network with netcat, to use high level software such as scapy. It really depends on your knowledge of the protocol and on your confidence with the raw hex writing. Wireshark doesn't give support for writing sample captures. My suggestion is: start from an existing capture (in pcap format, that is easier), modify it with hex editors such as ghex2 on ubuntu, and open it from disk with wireshark, without involving the network. After all you're working on a dissector that works both on captured or saved traffic.