Wireshark · Wireshark-dev: Re: [Wireshark-dev] Ability to Re-dissect Packets

[Guy Harris <guy@xxxxxxxxxxxx>]

Rick Gudmundson wrote:
> I have some encapsulated packets (ethernet frame is payload of a UDP 
> packet) and I'm trying to find the best way to dissect them.

The best way to dissect them is to take the payload and hand it to the 
Ethernet dissector.

Use find_dissector() in your dissector's handoff routine to get a handle 
for the Ethernet dissector.  If the encapsulated Ethernet frame includes 
the FCS, pass "eth_withfcs" to find_dissector(), otherwise pass 
"eth_withoutfcs" to find_dissector().

Then, in the dissector for this protocol, use tvb_new_subset() to 
construct a tvbuff containing the Ethernet frame, and use 
call_dissector() to call the Ethernet dissector, passing it that tvbuff.

Search for "eth_withfcs" in epan/dissectors/*.c to find some examples, 
e.g. the code to handle bridged PDUs in packet-llc.c