Wireshark-dev: Re: [Wireshark-dev] Start Dissection from an upper layer?
From: Guillaume Bienkowski <[email protected]>
Date: Tue, 10 Jun 2008 15:57:11 +0200

I *kind of* get what you mean, but I really don't know how to do that.

Let me explain what I do:
I use the wireshark library to analyze the packets I send it. The main call to the library is done in my code through:
 epan_dissect_run(edt, &pseudo_header, FakePacket , &fdata, 0);

where FakePacket is a u_char pointer to a memory place where I have the packet I'd like to analyze.
After that, FakePacket is changed to point to a new packet which has to 
be analyzed as well.
What I know is that my packet data will always contain ONLY the 2nd 
layer data (Ethernet) and the encapsulated data (TCP, UDP, ...).
Then what should I do? Modify the packet-eth.c to change the 
"wtap_encap" type?
How can I do that? What constant should I choose then?

Thans in advance,


Gilbert Ramirez a écrit :
How do the 2nd-layer dissectors get called normally? Because thy
register themselves with Wireshark, saying that if "wtap_encap" (the
wiretap encapsulation) is a certain type, then call them.

for example, from packet-eth.c:

dissector_add("wtap_encap", WTAP_ENCAP_ETHERNET, eth_maybefcs_handle);
By whatever method you're feeding your packet traces into Wireshark,
if you can cause the wiretap encapsulation type to be a new value that
you create, WTAP_ENCAP_IPX, then you can modify packet-ipx.c to
register itself against "wtap_encap" == WTAP_ENCAP_IPX.  Then the
dissection will happen start at the IPX level.