Ethereal-users: Re: [Ethereal-users] How do I make Ethereal decode a new protocol?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 3 Jul 2001 11:49:23 -0700
On Tue, Jul 03, 2001 at 04:30:55PM +0200, Carsten Fuchs wrote:
> I'm pretty new to Ethereal and using it
> because I am developing an application that implements
> its own network protocol on top of the UDP protocol.
> 
> Now, it would be nice if I could make Ethereal
> parse (decode) my own packets such that I get
> them decoded in the protocol tree view.
> Is that possible?

Yes.

> If yes, how?

Step 1: write a dissector module.  See the various "README" files in the
"doc" subdirectory of the Ethereal source directory, and look at various
other dissectors for protocols running atop UDP as examples.

If your protocol has a particular port number, it should register itself
with the UDP dissector using that port number - see, for example, the
RIP dissector, in "packet-rip.c".

If it runs on a specific port number, but the port number is
configurable, do the same, but make the port number a settable
preference - see, for example, the BXXP dissector, in "packet-bxxp.c".

If there's some way for the dissector to reliably determine, by looking
at some of the packet's content, whether it's a packet for your protocol
or not, it should do that and register itself as a "heuristic" dissector
with the UDP dissector - see, for example, the ONC RPC and DCE RPC
dissectors, in "packet-rpc.c" and "packet-dcerpc.c".

If some *other* protocol specifies, in its packets, that a particular
port number should be used, that dissector might be able to, if it sees
a packet specifying that, indicate that future traffic with a particular
IP address or addresses and a particular port number should be dissected
as traffic for your protocol, by creating a "conversation" with the
address(es) and port, and making your dissector the dissector for that
conversation - see, for example, the RTSP dissector, in "packet-rtsp.c",
which sets up conversations, and the RTP and RTCP dissectors, in
"packet-rtp.c" and "packet-rtcp.c".  If you do that, your dissector
should also register itself as a dissector that the user can assign to a
particular conversation by hand, using the "Decode As" menu item under
the "Tools" menu; it does that using the "conv_dissector_add()" routine,
as does, for example, the RTP dissector.
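The reply above describes several ways a dissector can claim UDP traffic: a fixed port, a content heuristic, and a conversation set up by another protocol. The C program below is an added example, not code from this message or from Ethereal itself: it models that dispatch for a hypothetical protocol (a constructed header of magic "MYP1", a version byte, a message-type byte and a big-endian payload length, with an assumed fixed port of 5555) using a small conversation table, a port match and a content check, tried in that order. The order, the table and every function name are assumptions of this model, not Ethereal's API. The heuristic checks the buffer length before reading any field and requires the declared payload length to match what was actually captured, so truncated or foreign packets are rejected instead of being read past their end or misattributed to the protocol.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical MYPROTO wire header (constructed for this example):
   bytes 0-3 magic "MYP1", byte 4 version, byte 5 message type,
   bytes 6-7 payload length in network byte order. */
#define MYPROTO_MAGIC   "MYP1"
#define MYPROTO_HDR_LEN 8
#define MYPROTO_VERSION 1
#define MYPROTO_PORT    5555   /* assumed fixed port for the protocol */

/* How a packet was attributed to MYPROTO (0 means it was not). */
enum claim { NOT_OURS = 0, OURS_BY_CONVERSATION = 1, OURS_BY_PORT = 2, OURS_BY_HEURISTIC = 3 };

/* Minimal conversation table: an address/port pair in each direction. */
struct conversation { uint32_t addr_a, addr_b; uint16_t port_a, port_b; int in_use; };
static struct conversation conv_table[8];

/* Record that traffic between these endpoints is MYPROTO (what a set-up
   protocol such as RTSP does for RTP). Returns 0 on success, -1 if full. */
int conversation_register(uint32_t addr_a, uint16_t port_a, uint32_t addr_b, uint16_t port_b)
{
    for (size_t i = 0; i < sizeof conv_table / sizeof conv_table[0]; i++) {
        if (conv_table[i].in_use) continue;
        conv_table[i] = (struct conversation){ addr_a, addr_b, port_a, port_b, 1 };
        return 0;
    }
    return -1;
}

/* Match a packet against the table in either direction. */
static int conversation_lookup(uint32_t src, uint16_t sport, uint32_t dst, uint16_t dport)
{
    for (size_t i = 0; i < sizeof conv_table / sizeof conv_table[0]; i++) {
        const struct conversation *c = &conv_table[i];
        if (!c->in_use) continue;
        if ((c->addr_a == src && c->port_a == sport && c->addr_b == dst && c->port_b == dport) ||
            (c->addr_a == dst && c->port_a == dport && c->addr_b == src && c->port_b == sport))
            return 1;
    }
    return 0;
}

/* Content heuristic: every read is preceded by a length check, and the
   declared payload length must equal the bytes actually present. */
int myproto_heuristic_matches(const uint8_t *data, size_t len)
{
    if (len < MYPROTO_HDR_LEN) return 0;
    if (memcmp(data, MYPROTO_MAGIC, 4) != 0) return 0;
    if (data[4] != MYPROTO_VERSION) return 0;
    uint16_t plen = (uint16_t)((data[6] << 8) | data[7]);
    if ((size_t)plen + MYPROTO_HDR_LEN != len) return 0;
    return 1;
}

/* Dispatch model: conversation first, then the registered port, then the
   heuristic. The order is an assumption of this example. */
int classify_udp(uint32_t src, uint16_t sport, uint32_t dst, uint16_t dport,
                 const uint8_t *data, size_t len)
{
    if (conversation_lookup(src, sport, dst, dport)) return OURS_BY_CONVERSATION;
    if (sport == MYPROTO_PORT || dport == MYPROTO_PORT) return OURS_BY_PORT;
    if (myproto_heuristic_matches(data, len)) return OURS_BY_HEURISTIC;
    return NOT_OURS;
}

/* Constructed sample payloads. */
static const uint8_t SAMPLE_GOOD[]  = { 'M','Y','P','1', 1, 2, 0, 3, 'a','b','c' };
static const uint8_t SAMPLE_SHORT[] = { 'M','Y','P','1', 1, 2, 0, 9, 'a' }; /* claims 9 bytes, has 1 */

int main(void)
{
    uint32_t a = 0x0a000001, b = 0x0a000002;   /* constructed 10.0.0.1 and 10.0.0.2 */
    printf("port 5555, valid header:   %d\n", classify_udp(a, 40000, b, 5555, SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("port 6000, valid header:   %d\n", classify_udp(a, 40000, b, 6000, SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("port 6000, truncated:      %d\n", classify_udp(a, 40000, b, 6000, SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    conversation_register(a, 40000, b, 6000);
    printf("after conversation set-up: %d\n", classify_udp(b, 6000, a, 40000, SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    return 0;
}
```

Once a conversation has been registered, even a packet the heuristic would reject is handed to the protocol's dissector, which is why the reply says a dissector reached that way should still be selectable by hand through "Decode As": the user can correct a wrong or stale conversation binding.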