
Wireshark-dev: Re: [Wireshark-dev] How do I make use of my dissector.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 17 Nov 2006 15:20:31 -0800

On Nov 17, 2006, at 2:53 PM, Neha Chahal wrote:

I have a dissector and a capture file. I am not capturing packets on the network.

This is how I execute tethereal.

tethereal -r capture.out -V -T pdml

1. I wrote a module in the wiretap/ dir and tethereal is able to understand the format of my capture file. Here I think the seek_read method is not being called. Isn't this the method that gives the packet to the dissector?

No.

That is one of the *two* methods that are called by the code that, after calling those methods and getting packet data, calls the top-level dissection code.

The other method is the read method. Since TShark (which is what you should be using, not tethereal; see the parenthetical note below) sequentially reads through the capture file, it uses only the read method, not the seek_read method.

(Note that any help we give you will be help that pertains to working with the latest version of the code, and the latest version is called Wireshark, not Ethereal, and the command-line version is called TShark, not Tethereal; if you're going to be developing protocols, I strongly suggest that you do so with the latest release of Wireshark, or with the top-of-tree Subversion tree of Wireshark, rather than with the last version of Ethereal that was ever produced.)

2. But my problem is that it does not call my dissector.

In the dissector code I have the --> dissector_add("udp.port", ...).

Question is: I want to use a capture file, not a port to listen on.

The "port" refers to the source and destination port fields in the UDP header, not to a network port on which you would be capturing.

That call implies that your protocol runs on top of UDP.  Either

1) it has a standard UDP port number that it always uses, in which case you specify that UDP port number

or

2) it doesn't have a standard UDP port number, in which case you will have to do one of the following:

1) write a heuristic dissector that looks at packets and tries to determine whether they look like packets for your protocol;

2) add a preference setting to your dissector, allowing one or more UDP port numbers to be specified, and register it using those port numbers (and re-register if that preference is changed) - you'd be able to set that preference value from the command line in TShark with the "-o" option;

3) register it as a UDP dissector with no port number and, in a capture, select a packet that you think is a packet for your protocol and use the "Decode As" menu item to decode it using your dissector - that, obviously, won't work with TShark at all.

Is there something else I need to specify instead of the "udp.port"? If I have to, what is this? Does it matter?

See above.


3. I know my dissector registers with tethereal. But I don't know on what criteria tethereal decides to call my dissector.

See above. It has to register itself in such a way as to *tell* Wireshark or TShark when to call it, for example, by registering as a heuristic dissector (in which case it's called if no other dissector has dissected it yet, and your dissector either returns FALSE to indicate that it's not a packet for your protocol or dissects it and returns TRUE to indicate that it is a packet for your protocol), or by registering with the "udp.port" dissector table with a particular port number (in which case a UDP packet to or from that port number will be dissected by your dissector), or by registering it as a UDP dissector with no port number (in which case it'll be used to dissect packets if you tell Wireshark to do so using Decode As).

4. Currently the output with -V option shows the bytes in each frame but the protocol is "data". Also I tried printing some logs in the call_dissector method and saw the current_protocol values to be FRAME, DATA and MATE at runtime. I want this to be my protocol.

This is what my output looks like

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

The current protocol is [<Missing Protocol Name>] The protocol is [Frame]: The protocol is [Data]: The current protocol is [Frame] The protocol is [MATE]:
<packet>
<proto name="geninfo" pos="0" showname="General information" size="25"> <field name="num" pos="0" show="15" showname="Number" value="f" size="25"/> <field name="len" pos="0" show="1149" showname="Packet Length" value="47d" size="25"/> <field name="caplen" pos="0" show="25" showname="Captured Length" value="19" size="25"/> <field name="timestamp" pos="0" show="Nov 9, 2006 10:39: 34.000634553" showname="Captured Time" value="1163097574.000634553" size="25"/>
  </proto>
<proto name="frame" showname="Frame 15 (1149 bytes on wire, 25 bytes captured)" size="25" pos="0"> <field name="frame.marked" showname="Frame is marked: False" hide="yes" size="0" pos="0" show="0"/> <field name="frame.time" showname="Arrival Time: Nov 9, 2006 10:39: 34.000634553" size="0" pos="0" show="Nov 9, 2006 10:39:34.000634553"/> <field name="frame.time_delta" showname="Time delta from previous packet: 0.000017267 seconds" size="0" pos="0" show=" 0.000017267"/> <field name="frame.time_relative" showname="Time since reference or first frame: 0.000024200 seconds" size="0" pos="0" show="0.000024200"/> <field name="frame.number" showname="Frame Number: 15" size="0" pos="0" show="15"/> <field name="frame.pkt_len" showname="Packet Length: 1149 bytes" size="0" pos="0" show="1149"/> <field name="frame.cap_len" showname="Capture Length: 25 bytes" size="0" pos="0" show="25"/> <field name="frame.protocols" showname=" Protocols in frame: data" size="0" pos="0" show="data"/>
  </proto>
<field name="data" value="85e4c90400095031455375e670001902000d00ce000f0800e6"/>
</packet>
</pdml>

There's no UDP in there, there's just "data". Registering with a particular UDP port won't do you any good, there - and neither will registering as a heuristic dissector for UDP.

What protocols are in the capture file you're reading?
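The three registration routes Guy lists (heuristic, port preference settable with "-o", and "Decode As"), shown in one Wireshark Lua dissector. This is an added example, not code from the thread or from the Wireshark project; the protocol name "myproto", its 1-byte type / 2-byte big-endian length layout, and the preference name are constructed placeholders.

```lua
-- Added example: a minimal Lua dissector demonstrating the three ways a
-- UDP protocol can tell Wireshark/TShark when to call it. The wire format
-- (1-byte type, 2-byte big-endian payload length, payload) is constructed.
local myproto = Proto("myproto", "Example protocol (constructed)")

local f_type = ProtoField.uint8("myproto.type", "Message type", base.DEC)
local f_len  = ProtoField.uint16("myproto.len", "Payload length", base.DEC)
myproto.fields = { f_type, f_len }

-- Route 2: a port preference. From the command line:
--   tshark -o myproto.port:5000 -r capture.out -V -T pdml
-- A value of 0 means "no port-based dispatch" (heuristic / Decode As only).
myproto.prefs.port = Pref.uint("UDP port", 0,
    "UDP port to decode as this protocol (0 disables port-based dispatch)")

-- Sanity check used by the heuristic entry point: the length field must
-- match the bytes actually present, otherwise we do not claim the packet.
local function looks_like_ours(tvb)
  if tvb:len() < 3 then return false end
  return tvb(1, 2):uint() == tvb:len() - 3
end

-- Normal entry point, used for port-based and Decode As dispatch.
function myproto.dissector(tvb, pinfo, tree)
  pinfo.cols.protocol = "MYPROTO"
  local sub = tree:add(myproto, tvb(), "Example protocol")
  sub:add(f_type, tvb(0, 1))
  sub:add(f_len, tvb(1, 2))
  return tvb:len()
end

-- Route 1: heuristic entry point. Returning false lets other dissectors
-- try; the packet ends up as "data" only if nobody claims it.
local function heur_dissect(tvb, pinfo, tree)
  if not looks_like_ours(tvb) then return false end
  myproto.dissector(tvb, pinfo, tree)
  return true
end
myproto:register_heuristic("udp", heur_dissect)

-- Route 3: make the dissector selectable via "Decode As" (GUI only).
local udp_table = DissectorTable.get("udp.port")
udp_table:add_for_decode_as(myproto)

-- (Re-)register on the configured port whenever the preference changes,
-- removing the old registration first, as Guy's option 2 requires.
local current_port = 0
function myproto.prefs_changed()
  if current_port ~= 0 then udp_table:remove(current_port, myproto) end
  current_port = myproto.prefs.port
  if current_port ~= 0 then udp_table:add(current_port, myproto) end
end
myproto.prefs_changed()
```

Note that all three routes only apply once a UDP dissector has run, so a capture whose frames show only "data" (as in the PDML above) still needs a link-layer/encapsulation that leads to UDP before any of this is consulted.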