On Sep 19, 2006, at 12:24 PM, Bard Jason A NPRI wrote:
> I have been trying to figure out how, if possible, I can write a
> "module" that will further decode data in a UDP packet for
> troubleshooting in the Packet Details window. So rather than the
> rest of the packet after the User Datagram Protocol being lumped
> into "Data" which I have to look at in hex, I would have another
> subtree that would break down the info in the data portion into a
> more human readable format (the data is binary).
So I presume the data in that UDP packet is a message for some
particular protocol?
If so, then, as Jaap Keuter noted, you'd want to write a dissector for
that protocol.
> I have something that does this now, but only in Etherpeek, they
> call them Analysis Modules.
So what exactly is it that an EtherPeek Analysis Module does? I
searched for "analysis module" on the Wildpackets Web site, and found
something that said this about analysis modules for AiroPeek NX:

    Analysis Modules

    Analysis Modules are external modules that provide expert analysis
    features to the program. An Analysis Module tests network traffic
    and provides detailed summaries and counts of key parameters of one
    specific type of traffic, posting its results in the Summary
    Statistics window and/or in the Summary column of the Packets view
    of Capture windows and Packet File windows.
However, that doesn't sound like something that "further decodes
data", it sounds as if it performs statistical analysis on data that's
already been decoded. The *Peek term for what are called "dissectors"
in Wireshark is "decode" or "protocol decoder"; if you want a subtree
in the packet detail pane for the data in a UDP packet, you would, in
*Peek terminology, want a decode/protocol decoder for the protocol for
that data, not an analysis module.
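As an added illustration of what "write a dissector for that protocol" means in
practice (this is not code from the thread or from the Wireshark project, and
the protocol is made up), here is a minimal Lua dissector. It assumes a
hypothetical binary message on UDP port 5555 laid out as a 1-byte version, a
1-byte message type, a 2-byte big-endian payload length and then the payload;
the names myproto, f_version etc. are likewise invented for the example. With
it loaded, the bytes after the UDP header show up as a "My Binary UDP Protocol"
subtree in the packet details pane instead of an opaque "Data" node.

```lua
-- Added example, not from the thread: a minimal Wireshark Lua dissector for a
-- hypothetical binary protocol carried over UDP port 5555 (port and layout are
-- assumptions for the example).
local myproto = Proto("myproto", "My Binary UDP Protocol")

-- Declared fields become filterable names (e.g. myproto.type == 2).
local f_version = ProtoField.uint8("myproto.version", "Version", base.DEC)
local f_type    = ProtoField.uint8("myproto.type", "Message Type", base.HEX,
                                   { [1] = "Request", [2] = "Response" })
local f_len     = ProtoField.uint16("myproto.len", "Payload Length", base.DEC)
local f_payload = ProtoField.bytes("myproto.payload", "Payload")

myproto.fields = { f_version, f_type, f_len, f_payload }

local HEADER_LEN = 4

function myproto.dissector(buffer, pinfo, tree)
    -- Refuse to claim the datagram if it cannot even hold our header.
    if buffer:len() < HEADER_LEN then
        return 0
    end

    pinfo.cols.protocol = myproto.name

    -- This is the subtree that replaces the flat "Data" node.
    local subtree = tree:add(myproto, buffer(), "My Binary UDP Protocol")
    subtree:add(f_version, buffer(0, 1))
    subtree:add(f_type,    buffer(1, 1))
    local len_item = subtree:add(f_len, buffer(2, 2))

    -- Never trust the on-the-wire length field blindly: a short or malformed
    -- packet would otherwise make the range below overrun the buffer.
    local plen  = buffer(2, 2):uint()
    local avail = buffer:len() - HEADER_LEN
    if plen > avail then
        len_item:add_expert_info(PI_MALFORMED, PI_ERROR,
                                 "Length field exceeds captured payload")
        plen = avail
    end

    if plen > 0 then
        subtree:add(f_payload, buffer(HEADER_LEN, plen))
    end

    return buffer:len()
end

-- Hook the dissector up so UDP hands datagrams on the assumed port to it.
DissectorTable.get("udp.port"):add(5555, myproto)
```

Drop the file into the personal plugins directory (see Help > About
Wireshark > Folders) or load it for one run with
"tshark -X lua_script:myproto.lua -r capture.pcap"; the same script works in
the Wireshark GUI. If the protocol is not tied to a fixed port, the usual
Wireshark approach is to register on "udp.port" anyway and then use
"Decode As" on the traffic, or to add a heuristic that checks the header
before claiming the packet.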