Wireshark-dev: Re: [Wireshark-dev] Questions about dev
From: "Kukosa, Tomas" <[email protected]>
Date: Wed, 8 Nov 2006 08:51:16 +0100

I use a slightly different solution for a similar problem.
Sometimes I need to dissect proprietary protocols from trace files not
supported by Wireshark.
I use the following way:
1) convert trace file to pcap format with linktype DLT_USERx (x=0-15)
   simple conversion tool can be written in Perl, Python or whatever you
2) register my dissector to WTAP_ENCAP_USERx;
   dissector_add("wtap_encap", WTAP_ENCAP_USERx, my_proto_handle);

The advantage is that it does not need any changes (and recompilation)
in Wireshark.
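A constructed conversion tool for step 1 above (an added example, not Tomas's code): it parses a hypothetical trace-record layout invented here for illustration (big-endian seconds, microseconds, 2-byte length, payload) and writes a pcap file whose link type is DLT_USER0 (147), so a dissector registered on WTAP_ENCAP_USER0 as in step 2 receives every frame. The record layout and the sample bytes are assumptions; only the DLT_USER0..15 numbering (147..162) and the pcap layout are real.

```python
import struct

# DLT_USER0 .. DLT_USER15 are link types 147..162, reserved for private use.
DLT_USER0 = 147
PCAP_MAGIC = 0xA1B2C3D4  # written little-endian below, so the file starts d4 c3 b2 a1


def dlt_user(x):
    """Return the DLT value for DLT_USERx (x in 0..15), matching WTAP_ENCAP_USERx."""
    if not 0 <= x <= 15:
        raise ValueError("DLT_USERx is only defined for x in 0..15")
    return DLT_USER0 + x


def parse_trace(data):
    """Parse the hypothetical trace format assumed for this example: each record is
    a 4-byte big-endian seconds field, a 4-byte big-endian microseconds field,
    a 2-byte big-endian payload length, then the payload (fixed header + payload
    header + variable payload, exactly what the dissector expects to see)."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 10:
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, length = struct.unpack_from(">IIH", data, off)
        off += 10
        if len(data) - off < length:
            raise ValueError("truncated payload at offset %d" % off)
        records.append((sec, usec, data[off:off + length]))
        off += length
    return records


def to_pcap(records, linktype=DLT_USER0, snaplen=65535):
    """Serialize (sec, usec, payload) records as a little-endian pcap file."""
    # global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, network
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for sec, usec, payload in records:
        incl = min(len(payload), snaplen)   # incl_len may be shorter than orig_len
        out += struct.pack("<IIII", sec, usec, incl, len(payload))
        out += payload[:incl]
    return bytes(out)


def convert(data, user_index=0):
    """Whole pipeline: proprietary trace bytes -> pcap bytes tagged DLT_USER<user_index>."""
    return to_pcap(parse_trace(data), linktype=dlt_user(user_index))


# Constructed sample trace with two records (not real LEA data).
SAMPLE_TRACE = (
    struct.pack(">IIH", 1162972276, 0, 3) + b"\x01\x02\x03"
    + struct.pack(">IIH", 1162972277, 500000, 2) + b"\xaa\xbb"
)

if __name__ == "__main__":
    with open("trace_user0.pcap", "wb") as f:
        f.write(convert(SAMPLE_TRACE))
```

Opening the resulting file in Wireshark or tethereal then hands each frame, starting at the fixed header, to whatever dissector is registered on WTAP_ENCAP_USER0.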


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Neha Chahal
Sent: Tuesday, November 07, 2006 9:13 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Questions about dev

On 11/7/06, Guy Harris <[email protected]> wrote:
> Neha Chahal wrote:
> > The format of the file is binary
> "Binary" isn't a format for a packet capture; there are several
> file formats, all of which are binary, but they're not all the same.
> What *specific* binary format is it?
> Is this some standard format (libpcap format as used by
> tcpdump/WinDump/Wireshark/etc., DOS Sniffer format, Windows Sniffer
> format, Microsoft Network Monitor format, Sun snoop format, etc.), or
> it some format you or somebody else has created?

Yes, it is "not" one of these formats. The packets are in LEA binary
> > and the protocol is LEA.
> What protocol is that?

Law Enforcement Agency protocol for call tracing (lawful intercept)

> > It is a protocol at the application layer. So it is the topmost
> What protocol does it run atop?  TCP?  UDP?  Some other protocol?

On top of UDP for my application.

> > So I have to implement both. Is that true?
> Yes, you have to implement both read and seek_read functions.
> > So my read routine is returning the packet in wth->frame_buffer. But
> > have not implemented the seek_read. The README.dev says "implement
> > seek_read if necessary". What does this mean?
> It means that the documentation hasn't been updated to indicate that
> there's no longer a "default" seek_read routine that a file format
> module can use, so modules always have to have their own seek_read
> routine.  (I've just checked in a change to wiretap/README.developer
> fix that.)
> > When is it necessary?
> Always.
> > My packets don't have any transport layer headers. They are in the
> > format I have specified in the dissector. So this is the way my
> > looks like.
> >
> > fixed header
> > payload header
> > variable length payload
> So are you saying that the *ONLY* protocol in the packet is this "LEA"
> protocol?

Yes, only LEA.

> > In the dissector I have given protocol details starting from the
> > header. So the packet that I return in the wth->frame_buffer should
> > start from the fixed header to the end of the payload. Is this
> > correct?
> Yes.
> > Where should the data offset point. At the payload header or at the
> > fixed header ?
> At the fixed header - it's the offset to which the seek_read routine
> would need to seek to get the entire packet.


So once I am done with these changes, how do I test them?
Should I do a make install and then run tethereal on my binary file?
Currently I am working on the ethereal tar I downloaded.

Thank you very much, forgive me if I sound stupid. But I am very new
to ethereal/wireshark.

> _______________________________________________
> Wireshark-dev mailing list
> [email protected]
> http://www.wireshark.org/mailman/listinfo/wireshark-dev

Thanks and Regards,
Neha Chahal
Cell- 443 207 0414