Hi,
we use a custom dissector to analyze custom protocol traffic. However, to further increase the usability, we need to add protocol analysis specific GUI elements. For now, we are not aware of a way to add a first level plugin which can be called through an encapsulation type from a pcap file. One other point is that we are not able to load a compiled plugin to wireshark, if we don’t build it from source. We can’t link against wireshark and cmake will not load the project if we install wireshark from the APT packages.
- Are implementations available to add an encapsulation type via a plugin?
- Could anybody point us to examples of similar attempts?
- Is there already some work in progress to provide such a plugin mechanism for extending the encapsulation types?
- We noticed that distributed packets, e.g. in Ubuntu 18.04 do not allow for C plugins to be loaded. Do you know if this is common practice?
The approach I generally do is to generate files with one of the USER encapsulations (which are reserved for private use), and then call your plugin using the DLT_USER preferences, as detailed here:
You can then go on to save those DLT_USER preferences in a
configuration profile, and later export that configuration profile and distribute it with your plugin so that it is installed as a globally available configuration profile.
Is there some reason that doesn't work for you? If you're able to generate pcaps with a custom link-layer header type, then you should be able to do that.
Adding a new encapsulation is possible, but to do it properly it's best to keep it in sync with the link-layer header types in libpcap files, which means following the process in
wiretap/pcap-common.cReusing an existing link-layer header type for a different (newly defined) Wireshark encapsulation is strongly discouraged.
John