We're now a non-profit! Support open source packet analysis by making a donation.

Wireshark-dev: Re: [Wireshark-dev] [HELP]How to dissect a packet without a protocol? It can onl

From: yenan <[email protected]>
Date: Fri, 22 Feb 2008 00:05:55 +0000

Thank you very very much, Holger!!
Using heur_dissector seems I have to dissect whold frame including the mac address, even the header is in prefect Ethernet II frame format?

Date: Thu, 21 Feb 2008 09:15:26 +0100
From: [email protected]
To: [email protected]
Subject: Re: [Wireshark-dev] [HELP]How to dissect a packet without a protocol? It can only be digged out by its Dst Mac or Vlan I

Hi Nan,


you can easily register to a MAC address or any other byte in a frame by using a heuristic dissector.


Register the dissector:

heur_dissector_add("eth", dissect_foo_heur, proto_foo);



Use this dissector function:

static gboolean dissect_foo_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)


  /* check if destination MAC equals 01:02:03:04:05:06 */

  if ( (tvb_get_guint8(tvb, 0) == 0x01) &&

       (tvb_get_guint8(tvb, 1) == 0x02) &&

       (tvb_get_guint8(tvb, 2) == 0xa3) &&

       (tvb_get_guint8(tvb, 3) == 0x04) &&

       (tvb_get_guint8(tvb, 4) == 0x05) &&

       (tvb_get_guint8(tvb, 5) == 0x06) )


    /* do dissecting */




    /* MAC does not match */

    return FALSE;



  return TRUE:




This works perfect for me.






Von: [email protected] [mailto:[email protected]] Im Auftrag von yenan
Gesendet: Donnerstag, 21. Februar 2008 02:00
An: [email protected]
Betreff: [Wireshark-dev] [HELP]How to dissect a packet without a protocol? It can only be digged out by its Dst Mac or Vlan I


Hi folks:
Im writing a plugin for a packet store in the payload of standard "802.1Q Virtual LAN" packet ,this packet does not have protocol itself, it can only be digged by its Dst Mac address or Vlan Id, how could I dissect such a packet?
I tried to use :
register_dissector_table() in  vlan.c to create dissector table for "vlan.id", and in the plugin I used dissector_add() tring to call the dissector, but wont work! so , should I also use : dissector_try_port(), what should I pass in these functions ?
Any information I can read and lean rn for these functions?
And last question, if I try to dig out the packet by its dst mac address, what should I do? I find out the address are in FT_ETHER type, how can I handle such types?
I went through readme.develper couple times, still know very little for wireshark, are there anymore documents will explain the functions and structure in more detail?
Really need help!Thanks millions!Any information will be greatly appreciated!

Windows Live Writer,支持离线撰写博客内容,随时随地想写就写。 立即使用!

Hilscher Gesellschaft für Systemautomation mbH
Rheinstr. 15, 65795 Hattersheim
Sitz der Gesellschaft: Hattersheim
Gesch?ftsführer: Hans-Jürgen Hilscher
Registergericht: Amtsgericht Frankfurt/Main
Handelsregister: Frankfurt B 26873

Windows Live Writer,支持离线撰写博客内容,随时随地想写就写。 立即使用!