Wireshark-dev: Re: [Wireshark-dev] Questions about dev
From: "Neha Chahal" <[email protected]>
Date: Tue, 7 Nov 2006 10:59:35 -0800
On 11/7/06, Guy Harris <[email protected]> wrote:
Neha Chahal wrote:
> I am very new to the ethereal source code. I want to add a dissector
> that understands my protocol – "my_proto".
>
> Problem statement:
>
> I have a binary file my_proto_dump.log. This file has packets received
> by my application.

What format is that file in?
The format of the file is binary and the protocol is LEA.
> I want ethereal to read from a binary file packets in my_proto
> protocol and then be able to dissect these packets and produce an
> output file.
>
> I am having a hard time understanding how to join the pieces together.
>
> I have a few questions about this.
>
> 1. To make ethereal dissect my protocol I have to add a dissector,
> right? I would have to add under plugins/my_proto.c – which is my
> dissector. This step has been explained nicely in the manual. I did
> this.
> 2. How do I make ethereal call my dissector?

Is your protocol the bottommost protocol (for example, in an Ethernet capture, the bottommost protocol is Ethernet), or is it a protocol that runs atop another protocol (for example, in that Ethernet capture, an IP packet would probably have IP running atop Ethernet)?
It is a protocol at the application layer. So it is the topmost protocol.
> 3. Do I have to make changes to add my capture file type in the wiretap/ dir.

Only if your binary file is in a format that Wireshark doesn't already support. If, for example, it's a capture file in the format that tcpdump/WinDump supports, that's also the standard format that Wireshark uses, and so you already have code to support it.
No, it is not a format Wireshark supports. I tried tethereal on my binary file and it prints a message -- format not supported. The format is LEA format.
> 4. What is the difference between read and seek_read functions.

The read function is used in TShark, which only does a sequential read of the file, and in Wireshark when the file is first read in. The seek_read function is used after that in Wireshark, because packets aren't necessarily processed in sequential order once the capture has been read in.
So I have to implement both. Is that true?
> Do I
> have to return the packet in the wth->format_buffer?

Presumably you meant "wth->frame_buffer". If so, then the read routine returns the packet there, and the seek_read routine returns the packet in the buffer pointed to by the "pd" argument.
So my read routine is returning the packet in wth->frame_buffer. But I have not implemented the seek_read. The README.dev says "implement seek_read if necessary". What does this mean? When is it necessary?
> Is this packet
> used by the dissector to dissect?

Those packet contents are what the dissectors in TShark and Wireshark dissect.

> If yes this packet should have all
> the bits I mention in the dissector code ?

It should have all the bits that were captured from the network. :-) ("Bits" here meaning "binary digits" - i.e., it's just the raw contents of the packet.)
My packets don't have any transport layer headers. They are in the format I have specified in the dissector. So this is the way my packet looks:

fixed header
payload header
variable length payload

In the dissector I have given protocol details starting from the fixed header. So the packet that I return in the wth->frame_buffer should start from the fixed header to the end of the payload. Is this correct? Where should the data offset point: at the payload header or at the fixed header?
> 5. After this what is the ethereal output format. Do I have to specify
> the output format also.

What do you mean by "output format"? The output of a dissector is some protocol tree entries added to the tree, and information used to generate the columns in the summary display. Code outside the dissector - code that you will not have to write or modify, unless your protocol somehow requires some additional features, which it almost certainly doesn't - turns that into information in windows on the display, or text in a text file, or XML in a PSML or PDML file, or.... Those output formats are not anything you have to deal with.
Yes, thank you, understood now.
If your capture file is in a format that Wireshark doesn't currently support writing, and you want to allow it to read in a file in some other format and write it out in your format, you'd have to add code to Wiretap to write that format.
Okay. So I just want it to read the binary stream from a file. This file is created by my application that just dumps incoming LEA format messages in binary format. So I think I need to add a module in the wiretap too. Thank you so much. This has helped me a lot. Excuse me if my questions are naive, but I really need the answers. Hope I have answered your questions in detail and you understand my answers. Thanks a lot. Best Regards Neha
_______________________________________________ Wireshark-dev mailing list [email protected] http://www.wireshark.org/mailman/listinfo/wireshark-dev
-- Thanks and Regards, Neha Chahal Cell- 443 207 0414
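To make the read / seek_read split from this exchange concrete, here is an added stand-alone C illustration. It is not Wireshark code and does not use the Wiretap API: it models a sequential read that records each frame's file offset (the TShark / first-pass case) and a seek_read that jumps straight back to a recorded offset (the later-pass case). The byte layout (two magic bytes, a version byte, a 2-byte big-endian length, then the payload) is a constructed stand-in for the fixed header / payload header / variable-length payload shape described above; the thread gives no real LEA encoding, and the function names dump_read, dump_seek_read, parse_record and the sample bytes are all assumptions for this example. Every frame handed back starts at the fixed header, matching the layout Neha describes, and the length field is bounds-checked before anything is copied, so a truncated or corrupt dump fails cleanly rather than reading past the buffer.

```c
/* Toy model of a Wiretap-style "read" vs "seek_read" pair. Added illustration
 * only: not Wireshark code, not the Wiretap API. The record layout below is a
 * constructed stand-in; the real LEA byte encoding is not given in the thread. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed record layout (big-endian):
 *   fixed header   : magic 0xA5 0x5A, 1-byte version
 *   payload header : 2-byte payload length
 *   payload        : that many bytes */
#define FIXED_HDR_LEN   3
#define PAYLOAD_HDR_LEN 2
#define MAX_FRAMES      16
#define MAX_FRAME_LEN   512

typedef struct {
    const uint8_t *data;             /* whole dump file held in memory */
    size_t len;
    size_t data_offset;              /* sequential cursor used by dump_read() */
    size_t frame_offset[MAX_FRAMES]; /* index built by dump_read(), used by dump_seek_read() */
    size_t nframes;
} dump_file;

/* Copy the record starting at 'off' into 'out'. The frame begins at the fixed
 * header, not at the payload header. Returns the record length, or 0 if the
 * magic is wrong or the record would run past the end of the file. */
static size_t parse_record(const uint8_t *buf, size_t len, size_t off,
                           uint8_t *out, size_t *out_len)
{
    if (off + FIXED_HDR_LEN + PAYLOAD_HDR_LEN > len) return 0;
    const uint8_t *p = buf + off;
    if (p[0] != 0xA5 || p[1] != 0x5A) return 0;
    size_t plen  = ((size_t)p[3] << 8) | p[4];
    size_t total = FIXED_HDR_LEN + PAYLOAD_HDR_LEN + plen;
    if (total > MAX_FRAME_LEN || off + total > len) return 0; /* never trust the length field */
    memcpy(out, p, total);
    *out_len = total;
    return total;
}

static void dump_open(dump_file *f, const uint8_t *data, size_t len)
{
    memset(f, 0, sizeof *f);
    f->data = data;
    f->len  = len;
}

/* Sequential read (TShark, and Wireshark's first pass): returns 1 for a frame,
 * 0 at EOF, -1 on error, and remembers where the frame started. */
static int dump_read(dump_file *f, uint8_t *frame, size_t *frame_len)
{
    if (f->data_offset >= f->len) return 0;
    if (f->nframes >= MAX_FRAMES) return -1;
    size_t n = parse_record(f->data, f->len, f->data_offset, frame, frame_len);
    if (n == 0) return -1;
    f->frame_offset[f->nframes++] = f->data_offset;
    f->data_offset += n;
    return 1;
}

/* Random access (Wireshark's later passes): re-read one frame at an offset
 * learned during the sequential pass, into the caller's 'pd' buffer. */
static int dump_seek_read(const dump_file *f, size_t seek_off,
                          uint8_t *pd, size_t *pd_len)
{
    return parse_record(f->data, f->len, seek_off, pd, pd_len) ? 1 : -1;
}

/* Sequential pass over a whole dump: frame count, or -1 if a record is bad. */
static int count_frames(const uint8_t *buf, size_t len)
{
    dump_file f; uint8_t frame[MAX_FRAME_LEN]; size_t n; int r;
    dump_open(&f, buf, len);
    while ((r = dump_read(&f, frame, &n)) == 1) { }
    return r < 0 ? -1 : (int)f.nframes;
}

/* File offset recorded for frame i by the sequential pass, or -1. */
static int frame_offset_at(const uint8_t *buf, size_t len, size_t i)
{
    dump_file f; uint8_t frame[MAX_FRAME_LEN]; size_t n;
    dump_open(&f, buf, len);
    while (dump_read(&f, frame, &n) == 1) { }
    return i < f.nframes ? (int)f.frame_offset[i] : -1;
}

/* Fetch frame i via seek_read and compare its payload bytes to 'expect'. */
static int payload_equals(const uint8_t *buf, size_t len, size_t i, const char *expect)
{
    dump_file f; uint8_t pd[MAX_FRAME_LEN]; size_t n;
    dump_open(&f, buf, len);
    while (dump_read(&f, pd, &n) == 1) { }
    if (i >= f.nframes || dump_seek_read(&f, f.frame_offset[i], pd, &n) != 1) return 0;
    size_t plen = n - FIXED_HDR_LEN - PAYLOAD_HDR_LEN;
    return plen == strlen(expect) &&
           memcmp(pd + FIXED_HDR_LEN + PAYLOAD_HDR_LEN, expect, plen) == 0;
}

/* Constructed sample dump: three records with payloads "abc", "z", "hello". */
static const uint8_t SAMPLE_DUMP[] = {
    0xA5, 0x5A, 0x01, 0x00, 0x03, 'a', 'b', 'c',
    0xA5, 0x5A, 0x01, 0x00, 0x01, 'z',
    0xA5, 0x5A, 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
};

int main(void)
{
    printf("frames: %d\n", count_frames(SAMPLE_DUMP, sizeof SAMPLE_DUMP));
    printf("frame 2 starts at offset %d\n", frame_offset_at(SAMPLE_DUMP, sizeof SAMPLE_DUMP, 2));
    printf("truncated file gives: %d\n", count_frames(SAMPLE_DUMP, 20));
    return 0;
}
```

The point of the two-routine split is the offset index: the first pass is the only one that walks the file front to back, so it is where the offsets get recorded, and seek_read then has to tolerate being called in any order. Bounds-checking the length field in parse_record is what keeps a hand-crafted or cut-off dump from turning into an out-of-bounds read in the file reader.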