On 11/7/06, Guy Harris <[email protected]> wrote:
Neha Chahal wrote:

> I am very new to the ethereal source code. I want to add a dissector
> that understands my protocol - "my_proto".
> Problem statement:
> I have a binary file my_proto_dump.log. This file has packets received
> by my application.

What format is that file in?

The format of the file is binary and the protocol is LEA.

> I want ethereal to read from a binary file packets in my_proto
> protocol and then be able to dissect these packets and produce an
> output file.
> I am having a hard time understanding how to join the pieces together.
> I have a few questions about this.
> 1.    To make ethereal dissect my protocol I have to add a dissector,
> right ? I would have to add under plugins/my_proto.c – which is my
> dissector. This step has been explained nicely in the manual. I did
> this.
> 2.    How do I make ethereal call my dissector?

Is your protocol the bottommost protocol (for example, in an Ethernet
capture, the bottommost protocol is Ethernet), or is it a protocol that
runs atop another protocol (for example, in that Ethernet capture, an IP
packet would probably have IP running atop Ethernet)?

It is a protocol at the application layer. So it is the topmost protocol.

> 3.    Do I have to make changes to add my capture file type in the wiretap/ dir.

Only if your binary file is in a format that Wireshark doesn't already
support.  If, for example, it's a capture file in the format that
tcpdump/WinDump supports, that's also the standard format that Wireshark
uses, and so you already have code to support it.

No, it is not a format Wireshark supports. I tried tethereal on my
binary file and it prints a message -- format not supported. The
format is LEA format.

> 4.    What is the difference between read and seek_read functions.

The read function is used in TShark, which only does a sequential read
of the file, and in Wireshark when the file is first read in.

The seek_read function is used after that in Wireshark, because packets
aren't necessarily processed in sequential order once the capture has
been read in.

So I have to implement both. Is that true?

> Do I
> have to return the packet in the wth->format_buffer?

Presumably you meant "wth->frame_buffer".

If so, then the read routine returns the packet there, and the seek_read
routine returns the packet in the buffer pointed to by the "pd" argument.

So my read routine is returning the packet in wth->frame_buffer. But I
have not implemented the seek_read. The README.dev says "implement
seek_read if necessary". What does this mean? When is it necessary?

> Is this packet
> used by the dissector to dissect?

Those packet contents are what the dissectors in TShark and Wireshark

> If yes this packet should have all
> the bits I mention in the dissector code ?

It should have all the bits that were captured from the network. :-)

("Bits" here meaning "binary digits" - i.e., it's just the raw contents
of the packet.)

My packets don't have any transport layer headers. They are in the
format I have specified in the dissector. So this is what my packet
looks like.

fixed header
payload header
variable length payload

In the dissector I have given protocol details starting from the fixed
header. So the packet that I return in the wth->frame_buffer should
start from the fixed header to the end of the payload. Is this

Where should the data offset point: at the payload header or at the
fixed header?

> 5.    After this what is the ethereal output format. Do I have to specify
> the output format also?

What do you mean by "output format"?

The output of a dissector is some protocol tree entries added to the
tree, and information used to generate the columns in the summary
display.  Code outside the dissector - code that you will not have to
write or modify, unless your protocol somehow requires some additional
features, which it almost certainly doesn't - turns that into
information in windows on the display, or text in a text file, or XML in
a PSML or PDML file, or....  Those output formats are not anything you
have to deal with.

Yes, thank you, understood now.

If your capture file is in a format that Wireshark doesn't currently
support writing, and you want to allow it to read in a file in some
other format and write it out in your format, you'd have to add code to
Wiretap to write that format.

Okay. So I just want it to read the binary stream from a file. This file
is created by my application that just dumps incoming LEA format
messages in binary format. So I think I need to add a module in the
wiretap too.

Thank you so much. This has helped me a lot. Excuse me if my questions
are naive, but I really need the answers. Hope I have answered your
questions in detail and you understand my answers.

Thanks a lot.

Best Regards
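The read/seek_read distinction discussed above, as an added example that is not part of the thread and not Wireshark's wiretap code (it deliberately does not imitate the real wiretap API): a standalone C model of a reader for a file laid out as the message describes (fixed header, payload header, variable-length payload), with a constructed magic and length field rather than the real LEA format. The sequential read records each record's data offset so seek_read can return to it, and a length field larger than the remaining file is rejected instead of being read past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record layout (not the real LEA format): fixed header = 4-byte
   magic "LEA\0" + 2-byte little-endian payload length; 2-byte payload header;
   then the variable-length payload. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } toy_file;
/* Parse the record at offset off. On success *rec/*rec_len cover the fixed
   header through the end of the payload (what a dissector starting at the fixed
   header expects). Returns 1 = record, 0 = clean EOF, -1 = malformed. */
static int parse_record_at(const toy_file *f, size_t off,
                           const uint8_t **rec, size_t *rec_len) {
    if (off == f->len) return 0;
    if (off > f->len || f->len - off < 6) return -1;
    const uint8_t *p = f->data + off;
    if (memcmp(p, "LEA\0", 4) != 0) return -1;
    size_t total = 6 + 2 + ((size_t)p[4] | ((size_t)p[5] << 8));
    if (f->len - off < total) return -1;   /* never trust the length field */
    *rec = p; *rec_len = total;
    return 1;
}
/* "read": sequential, as TShark and Wireshark's first pass use it. Returns the
   record's data offset so the caller can come back to it via seek_read. */
int toy_read(toy_file *f, const uint8_t **rec, size_t *rec_len, size_t *data_off) {
    int r = parse_record_at(f, f->pos, rec, rec_len);
    if (r == 1) { *data_off = f->pos; f->pos += *rec_len; }
    return r;
}
/* "seek_read": random access by an offset obtained earlier from toy_read. */
int toy_seek_read(const toy_file *f, size_t data_off, const uint8_t **rec, size_t *rec_len) {
    return parse_record_at(f, data_off, rec, rec_len);
}
/* Constructed sample: two good records, then one claiming 65535 payload bytes. */
static const uint8_t SAMPLE[] = {
    'L','E','A',0, 3,0, 0xAA,0xBB, 1,2,3,
    'L','E','A',0, 1,0, 0xCC,0xDD, 9,
    'L','E','A',0, 0xFF,0xFF, 0,0, 0,
};
/* First (sequential) pass over SAMPLE: returns the number of good records,
   stores the data offset of the second one and the status that ended the pass. */
int toy_scan_sample(size_t *second_off, int *status) {
    toy_file f = { SAMPLE, sizeof SAMPLE, 0 };
    const uint8_t *rec; size_t rec_len, off; int n = 0, r;
    while ((r = toy_read(&f, &rec, &rec_len, &off)) == 1)
        if (++n == 2) *second_off = off;
    *status = r;
    return n;
}
```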
