Ethereal-dev: [Ethereal-dev] dissector newbie needs some guidance..

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Kelly Byrd" <kbyrd-ethereal@xxxxxxxxxx>
Date: Tue, 10 Aug 2004 16:38:18 -0700 (PDT)
I want to write a DAAP dissector (the protocol iTunes uses to share
songs on the network) and I'm a bit lost on the basics of writing
a dissector.

DAAP uses HTTP as a transport (on port 3689). The bodies of the
requests and responses are not plain text, but a simple tagged
format: 4-char tagname, followed by a 4-byte length, then "length"
bytes of data. Some tags are containers, whose data portion is other
tags of the same format. DAAP messages will span segments, and
responses are often gzip encoded. There are a few specs around, and I'm
comfortable with code that deals with the format.

How should I register my dissector? I looked at packet-ipp, which
registers as a sub-dissector of http. I also looked at packet-text-media,
which appears to be a system of registering dissectors as mime types,
like packet-gif (the content-type header for DAAP is
application/x-dmap-tagged).

Which do I use? What are the advantages of each method? In fact, when
is something like packet-gif called? When I register as an http
sub-dissector, where is the tvbuff passed to me pointing, at the start
of the body? Is there any way to get the URL used for a request message
(I may not need it, so it's not a deal-breaker if one method doesn't
allow it)?

Thanks for any advice, sorry if this is an RTFM question.

KB
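
The tagged format described in the message above, as a bounds-checked walker in plain C. This is an added example, not part of the original post and not Ethereal code. The names `dmap_walk`, `is_container` and `DMAP_MAX_DEPTH`, the big-endian length field, the short container list and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DMAP_MAX_DEPTH 8 /* assumption: cap on container nesting */

/* Assumption: a few tags treated as containers; a dissector needs the full list. */
static int is_container(const uint8_t *tag) {
    static const char *names[] = { "mlog", "msrv", "mlcl", "mlit" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (memcmp(tag, names[i], 4) == 0) return 1;
    return 0;
}

/* Walk the tags in buf[0..len). Returns the number of tags seen (containers
 * included), or -1 if a header is truncated, a length overruns the enclosing
 * buffer, or nesting exceeds DMAP_MAX_DEPTH. */
int dmap_walk(const uint8_t *buf, size_t len, int depth) {
    int count = 0;
    size_t off = 0;
    if (depth > DMAP_MAX_DEPTH) return -1;
    while (off < len) {
        if (len - off < 8) return -1;            /* tag + length header cut short */
        const uint8_t *p = buf + off;
        uint32_t dlen = ((uint32_t)p[4] << 24) | ((uint32_t)p[5] << 16) |
                        ((uint32_t)p[6] << 8) | (uint32_t)p[7]; /* assumed big-endian */
        if (dlen > len - off - 8) return -1;     /* data would run past the parent */
        count++;
        if (is_container(p)) {
            int inner = dmap_walk(p + 8, dlen, depth + 1);
            if (inner < 0) return -1;
            count += inner;
        }
        off += 8 + (size_t)dlen;
    }
    return count;
}

/* Constructed sample: "mlog" container holding "mstt" (200) and "mlid" (1). */
static const uint8_t sample_ok[] = {
    'm','l','o','g', 0,0,0,24,
    'm','s','t','t', 0,0,0,4, 0,0,0,200,
    'm','l','i','d', 0,0,0,4, 0,0,0,1 };

int main(void) {
    printf("complete: %d\n", dmap_walk(sample_ok, sizeof sample_ok, 0));
    printf("first segment only: %d\n", dmap_walk(sample_ok, 20, 0));
    return 0;
}
```

A body that spans segments fails the length check until it has been reassembled, so the walker returns -1 for the first 20 bytes of the sample instead of reading past the buffer.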