Wireshark-dev: Re: [Wireshark-dev] New Protocol encapsulation as plugin

Date: Wed, 27 Jan 2021 14:10:27 +0100

Hello John,

Thank you for this idea. This is a way I haven't thought about, and it could really be the answer for me, but I still have a problem with my custom dissector. I am not able to find my dissector in the preferences dialog for the DLT_USER link type. I call the register_dissector() function and register my protocol. Could you tell me if something is missing for my dissector plugin to be found in the dialog?

Best regards,

Björn


Am 27.01.21 um 12:54 schrieb John Thacker:
On Wed, Jan 27, 2021 at 6:16 AM Björn <bjoern.petersen@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Hi,

We use a custom dissector to analyze custom protocol traffic. However, to further increase the usability, we need to add protocol-analysis-specific GUI elements. For now, we are not aware of a way to add a first-level plugin which can be called through an encapsulation type from a pcap file. One other point is that we are not able to load a compiled plugin into Wireshark if we don't build it from source. We can't link against Wireshark, and CMake will not load the project if we install Wireshark from the APT packages.

  1. Are implementations available to add an encapsulation type via a plugin?
  2. Could anybody point us to examples of similar attempts?
  3. Is there already some work in progress to provide such a plugin mechanism for extending the encapsulation types?
  4. We noticed that distributed packages, e.g. in Ubuntu 18.04, do not allow C plugins to be loaded. Do you know if this is common practice?

The approach I generally take is to generate files with one of the USER encapsulations (which are reserved for private use), and then call your plugin using the DLT_USER preferences, as detailed here:


You can then go on to save those DLT_USER preferences in a configuration profile, and later export that configuration profile and distribute it with your plugin so that it is installed as a globally available configuration profile.

Is there some reason that doesn't work for you? If you're able to generate pcaps with a custom link-layer header type, then you should be able to do that.

Adding a new encapsulation is possible, but to do it properly it's best to keep it in sync with the link-layer header types in libpcap files, which means following the process in wiretap/pcap-common.c.

Reusing an existing link-layer header type for a different (newly defined) Wireshark encapsulation is strongly discouraged.

John
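The approach John describes, writing capture files with one of the private-use LINKTYPE_USER encapsulations so that Wireshark's DLT_USER preferences hand the payload to a named dissector, is shown below as an added example; it is not code from the thread or from the Wireshark project. The pcap writer and reader are standard classic-pcap framing (global header, then per-record headers) with the link-layer type set to LINKTYPE_USER0, which is 147 (USER0 through USER15 occupy 147 through 162). The "custom protocol" framed inside each record (a 2-byte magic, 1-byte type, 2-byte length) is invented for this example only; substitute your own wire format. The strict parser is there because a pcap you generate yourself is exactly where a lenient reader hides framing bugs until the dissector sees them.

```python
"""Write and read back a classic pcap whose link-layer header type is LINKTYPE_USER0.

Added example for the Wireshark-dev thread above; not Wireshark project code.
The custom protocol framing (CUSTOM_MAGIC, CUSTOM_HDR) is constructed for this
example and is not something the thread defines.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4   # microsecond-resolution classic pcap, written little-endian
LINKTYPE_USER0 = 147      # LINKTYPE_USER0..LINKTYPE_USER15 = 147..162, reserved for private use

# Hypothetical wire format (constructed): magic u16, msg_type u8, payload length u16, payload.
CUSTOM_MAGIC = 0xC0DE
CUSTOM_HDR = struct.Struct(">HBH")

PCAP_GLOBAL = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, network
PCAP_RECORD = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len


def build_custom_frame(msg_type, payload):
    """Frame one message of the (constructed) custom protocol."""
    if not 0 <= msg_type <= 0xFF:
        raise ValueError("msg_type must fit in one byte")
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for the 16-bit length field")
    return CUSTOM_HDR.pack(CUSTOM_MAGIC, msg_type, len(payload)) + payload


def parse_custom_frame(frame):
    """Strict parser: rejects short frames, wrong magic, and a length field that
    disagrees with the bytes actually present. Returns (msg_type, payload)."""
    if len(frame) < CUSTOM_HDR.size:
        raise ValueError("frame shorter than header")
    magic, msg_type, length = CUSTOM_HDR.unpack_from(frame)
    if magic != CUSTOM_MAGIC:
        raise ValueError("bad magic 0x%04X" % magic)
    payload = frame[CUSTOM_HDR.size:]
    if len(payload) != length:
        raise ValueError("length field %d != %d payload bytes" % (length, len(payload)))
    return msg_type, payload


def frame_is_valid(frame):
    """Boolean wrapper around the strict parser."""
    try:
        parse_custom_frame(frame)
        return True
    except ValueError:
        return False


def write_pcap(frames, linktype=LINKTYPE_USER0, snaplen=65535, t0=1611752000.0):
    """Serialise frames into a classic pcap with the given link-layer type.
    Timestamps are synthetic (t0 plus 1 ms per record)."""
    out = bytearray(PCAP_GLOBAL.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for i, frame in enumerate(frames):
        ts = t0 + i * 0.001
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        data = frame[:snaplen]                 # incl_len honours snaplen, orig_len keeps the true size
        out += PCAP_RECORD.pack(sec, usec, len(data), len(frame)) + data
    return bytes(out)


def read_pcap(blob):
    """Return (linktype, [frame, ...]); validates the magic and every record's bounds."""
    if len(blob) < PCAP_GLOBAL.size:
        raise ValueError("truncated global header")
    magic, _maj, _min, _tz, _sig, snaplen, linktype = PCAP_GLOBAL.unpack_from(blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    frames, off = [], PCAP_GLOBAL.size
    while off < len(blob):
        if off + PCAP_RECORD.size > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        _sec, _usec, incl, _orig = PCAP_RECORD.unpack_from(blob, off)
        off += PCAP_RECORD.size
        if incl > snaplen or off + incl > len(blob):
            raise ValueError("record at offset %d exceeds snaplen or file" % off)
        frames.append(blob[off:off + incl])
        off += incl
    return linktype, frames


def demo():
    """Round trip two constructed messages through a USER0 pcap."""
    frames = [build_custom_frame(1, b"hello"), build_custom_frame(2, b"\x00\x01\x02")]
    blob = write_pcap(frames)
    linktype, back = read_pcap(blob)
    return {"linktype": linktype, "parsed": [parse_custom_frame(f) for f in back], "blob": blob}


if __name__ == "__main__":
    result = demo()
    with open("custom_user0.pcap", "wb") as fh:
        fh.write(result["blob"])
    print("wrote custom_user0.pcap, linktype", result["linktype"], "frames", result["parsed"])
```

Open the resulting file in Wireshark and, under Edit > Preferences > Protocols > DLT_USER, add an Encapsulations Table row for "User 0 (DLT=147)" whose payload protocol is the name passed to register_dissector(); that name is what the table resolves, so it only works if the plugin is actually loaded in the running Wireshark.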

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe