Wireshark-dev: Re: [Wireshark-dev] Use ethereal as a proprietary protocol parser; no ethernet/IP decoding

From: Jeff Morriss <jeff.morriss@xxxxxxxxxxx>
Date: Thu, 01 Feb 2007 17:13:39 +0800

Tom McLaughlin wrote:

Hello,
I work for a company that build proprietary communication systems for the utility industry.  We have a proprietary communcation protocol that can be wrapped in several standard protocols.  I would like to build a log parser that looks like Ethereal for our protocol if possible.  This would not be a new dissector from what I understand for other protocols wrapped in Ethernet or IP.

Basically, get Ethereal to read in a file with a bunch of hex strings, somewhere define what the fields are, and use the Ethereal gui.

You've got at least a couple options to use Wireshark for this:

1) write your protocol out in libpcap format. If one of the existing link types for libpcap does not fit your protocol then you could ask the libpcap people (tcpdump.org) to allocate a new DLT_ value for your lowest-level protocol. Then add support for that link type to Wireshark's wiretap library and then write a dissector that registers with Wireshark for that link type.

2) if you've already got a file format [and you don't want to change it], you could add support in Wireshark's wiretap library for that log file and then (again) write a dissector that registers to receive the read-in data. You mentioned a file with a bunch of hex strings which makes me think it's an ASCII file which makes me think that reading and processing that file wouldn't be fun, but I imagine it would still be possible.