Wireshark-dev: Re: [Wireshark-dev] protocol question
From: Guy Harris <[email protected]>
Date: Sat, 28 Apr 2007 15:57:50 -0700
f27jx652 wrote:
> Do you provide guidelines for development of in-house (private) protocols/capture filters for use with Ethereal/Wireshark?
The term "capture filter" refers to the filters used when capturing traffic. Those filters are implemented in libpcap/WinPcap, not in Wireshark; if you wanted to add additional capabilities to them, you would have to modify libpcap.

In addition, note that they are implemented using an interpreter for a simple pseudo-machine-language, so that a filter "program" can be safely added into the kernel (filtering is done in the kernel on a number of platforms, so packets that don't match the filter aren't copied to user space, saving CPU time). Therefore, there are only a limited number of things that can be tested in a capture filter.

> Where can I add SMS, Wap Push & SMS protocol capturing abilities?

If the traffic in question is going over a link-layer type on which Wireshark can already capture, there are no capabilities that need to be added.

If it's going over a link-layer type on which Wireshark can't capture, that would, again, require changes to libpcap/WinPcap, as packet capturing in Wireshark is done in libpcap/WinPcap.

Note, however, that packet *capturing* and packet *dissection* are completely decoupled. Wireshark can dissect packets that it can't capture (because it can read them from capture files from other analyzers that can capture traffic on link-layer types on which libpcap/WinPcap can't capture), and it can capture traffic that it can't completely dissect (because it doesn't have dissectors for all the protocol layers in the packet).

Are you trying to add the ability to *capture* that traffic, or *dissect* it? I think our WAP dissector can already dissect push traffic; we might have dissectors for at least some protocols used for SMS.