Neha Chahal wrote:
I am very new to the ethereal source code. I want to add a dissector
that understands my protocol �" my_proto".
Problem statement:
I have a binary file my_proto_dump.log. This file has packets received
by my application.
What format is that file in?
I want ethereal to read from a binary file packets in my_proto
protocol and then be able to dissect these packets and produce an
output file.
I am having a hard time understanding how to join the pieces together.
I have a few questions about this.
1. To make ethereal dissect my protocol I have to add a dissector,
right ? I would have to add under plugins/my_proto.c � which is my
dissector. This step has been explained nicely in the manual. I did
this.
2. How do I make ethereal call my dissector?
Is your protocol the bottommost protocol (for example, in an Ethernet
capture, the bottommost protocol is Ethernet), or is it a protocol that
runs atop another protocol (for example, in that Ethernet capture, an IP
packet would probably have IP running atop Ethernet)?
3. Do I have to make changes to add my capture file type in the wiretap/ dir.
Only if your binary file is in a format that Wireshark doesn't already
support. If, for example, it's a capture file in the format that
tcpdump/WinDump supports, that's also the standard format that Wireshark
uses, and so you already have code to support it.
4. What is the difference between read and seek_read functions.
The read function is used in TShark, which only does a sequential read
of the file, and in Wireshark when the file is first read in.
The seek_read function is used after that in Wireshark, because packets
aren't necessarily processed in sequential order once the capture has
been read in.
Do I
have to return the packet in the wth->format_buffer?
Presumably you meant "wth->frame_buffer".
If so, then the read routine returns the packet there, and the seek_read
routine returns the packet in the buffer pointed to by the "pd" argument.
Is this packet
used by the dissector to dissect?
Those packet contents are what the dissectors in TShark and Wireshark
dissect.
If yes this packet should have all
the bits I mention in the dissector code ?
It should have all the bits that were captured from the network. :-)
("Bits" here meaning "binary digits" - i.e., it's just the raw contents
of the packet.)
5. After this wht is the ethereal output format. Do I have to specify
the output format also.
What do you mean by "output format"?
The output of a dissector is some protocol tree entries added to the
tree, and information used to generate the columns in the summary
display. Code outside the dissector - code that you will not have to
write or modify, unless your protocol somehow requires some additional
features, which it almost certainly doesn't - turns that into
information in windows on the display, or text in a text file, or XML in
a PSML or PDML file, or.... Those output formats are not anything you
have to deal with.
If your capture file is in a format that Wireshark doesn't currently
support writing, and you want to allow it to read in a file in some
other format and write it out in your format, you'd have to add code to
Wiretap to write that format.
