Wireshark-dev: Re: [Wireshark-dev] what parameters for dissector_add() for a non-nested protoco

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 16 Jul 2007 15:12:02 -0700

On Jul 16, 2007, at 7:02 AM, Fulko.Hew@xxxxxxxxx wrote:

> The normal approach is to have (for a frame level dissector):
>
>  dissector_add("wtap_encap", WTAP_ENCAP_MYTYPE, mytype_handle);
>
> OR something like this for a nested dissector (where it's based
> on data in the super-frame (I think)):
>
>  dissector_add("ip.proto", SOME_INDICATOR, mytype_handle);

The normal approach, if you have a value of *any* sort (whether it's the link-layer encapsulation type, a field in a protocol, a field in a pseudo-header, a user preference, the current phase of the moon, ...) is to have

dissector_add(dissector table name, value in that table, mytype_handle);

The distinction between the two cases you give is not a distinction that the Wiretap code makes, nor is it a distinction that we want to make in the documentation.

> But in my case, my (sub)dissector protocol isn't a WTAP type,
> nor is it (really) a sub-protocol of a super-frame type (in my
> first scenario).

As indicated, that doesn't mean you shouldn't have a dissector table and have sub-dissectors register in it. You could, for example, create a dissector table named "acn.proto" (or "acn_proto", or "roland.the.headless.thomson.gunner" - the name is not tied to anything else in Wireshark other than the calls that add to it) by calling "register_dissector_table()":

acn_dissector_table = register_dissector_table("acn.proto", "ACN protocol number", FT_UINT32, BASE_HEX);

have the dissector for your private WTAP type do

if (!dissector_try_port(acn_dissector_table, pinfo->pseudo_header->acn.proto, tvb, pinfo, tree)) {
		/* call dissect_data to dissect the data, or something such as that */
}

rather than checking for different values of pinfo->pseudo_header->acn.proto, and, for example, have the "ipars" dissector do

	dissector_add("acn.proto", 0x5, ipars_handle);

> What I think I want to do is something like:
>
>  dissector_add("", NULL, mytype_handle);
>
> just to make it arbitrarily available for that explicit call.

As you've discovered, if you want to have a dissector callable via call_dissector(), you have to register that dissector by name with register_dissector() - and you find the handle for the dissector by calling find_dissector() with that name.

However, that's not necessarily what you want to do.
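
The table-based dispatch described in the message above, as an added stand-alone C model (not Wireshark source and not code from the original post). The names table_add, table_try, ipars_handoff, dissect_acn and the H_* values are hypothetical stand-ins for the Wireshark calls named in the message, and the model assumes a sub-dissector may reject a packet, in which case the parent falls back to raw data.

```c
/* Stand-alone model of a value-keyed dissector table. Not Wireshark source:
 * every table_*, dissect_*, *_handoff and H_* name here is hypothetical. */
#include <stddef.h>
#include <stdint.h>

#define MAX_ENTRIES 16
enum handler { H_REJECT = 0, H_DATA, H_IPARS };   /* who took the packet */
typedef enum handler (*dissector_fn)(const uint8_t *buf, size_t len);

struct dissector_table {
    struct { uint32_t value; dissector_fn fn; } entries[MAX_ENTRIES];
    size_t count;
};
static struct dissector_table acn_table;   /* stands in for "acn.proto" */

/* Models dissector_add(): -1 on NULL handler, duplicate value or full table. */
int table_add(struct dissector_table *t, uint32_t value, dissector_fn fn)
{
    if (fn == NULL || t->count >= MAX_ENTRIES) return -1;
    for (size_t i = 0; i < t->count; i++)
        if (t->entries[i].value == value) return -1;
    t->entries[t->count].value = value;
    t->entries[t->count].fn = fn;
    t->count++;
    return 0;
}

/* Models dissector_try_port(): H_REJECT if no entry matches or the entry rejects. */
enum handler table_try(const struct dissector_table *t, uint32_t value,
                       const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < t->count; i++)
        if (t->entries[i].value == value)
            return t->entries[i].fn(buf, len);
    return H_REJECT;
}

static enum handler dissect_ipars(const uint8_t *buf, size_t len)
{
    return (buf != NULL && len >= 1) ? H_IPARS : H_REJECT;  /* reject empty payload */
}

/* Models the "ipars" handoff: dissector_add("acn.proto", 0x5, ipars_handle). */
int ipars_handoff(void) { return table_add(&acn_table, 0x5, dissect_ipars); }

/* Parent dissector: no switch on the value, just a lookup with a raw-data fallback. */
enum handler dissect_acn(uint32_t proto, const uint8_t *buf, size_t len)
{
    enum handler who = table_try(&acn_table, proto, buf, len);
    return who != H_REJECT ? who : H_DATA;
}
```

Adding another sub-protocol means one more table_add() call from that sub-dissector's own handoff routine; dissect_acn() itself does not change.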