Wireshark-dev: Re: [Wireshark-dev] Start Dissection from an upper layer?

From: Guillaume Bienkowski <guillaume.bienkowski@xxxxxxxxxxxx>
Date: Tue, 10 Jun 2008 16:21:52 +0200
Argh, I just poorly explained myself: I was just confused with Ethernet and IP.

So I confirm, I get only "data" from the 3rd layer (IP).
(Actually, it will always be IP datagrams, so I don't have to bother with IPX or other fancy 3rd layer protocols.)

What I'd like to do now is to start the dissection from the 3rd layer, so that I only have one modification to do (the "ip" dissector).

What I don't understand is how to make the IP protocol register itself as a "1st layer" protocol (meaning: the dissection should start by seeking IP headers).

The packet-ip.c has this:


void
proto_reg_handoff_ip(void)
{
    dissector_handle_t ip_handle;

    data_handle = find_dissector("data");
    ip_handle = find_dissector("ip");
    tapa_handle = find_dissector("tapa");
    dissector_add("ethertype", ETHERTYPE_IP, ip_handle);
    dissector_add("ppp.protocol", PPP_IP, ip_handle);
    dissector_add("ppp.protocol", ETHERTYPE_IP, ip_handle);
    dissector_add("gre.proto", ETHERTYPE_IP, ip_handle);
    dissector_add("gre.proto", GRE_WCCP, ip_handle);
    dissector_add("llc.dsap", SAP_IP, ip_handle);
    dissector_add("ip.proto", IP_PROTO_IPIP, ip_handle);
    dissector_add("null.type", BSD_AF_INET, ip_handle);
    dissector_add("chdlctype", ETHERTYPE_IP, ip_handle);
    dissector_add("osinl.excl", NLPID_IP, ip_handle);
    dissector_add("fr.ietf", NLPID_IP, ip_handle);
    dissector_add("x.25.spi", NLPID_IP, ip_handle);
    dissector_add("arcnet.protocol_id", ARCNET_PROTO_IP_1051, ip_handle);
    dissector_add("arcnet.protocol_id", ARCNET_PROTO_IP_1201, ip_handle);
    dissector_add_handle("udp.port", ip_handle);
}

What should I change in there?



Gilbert Ramirez wrote:

On Tue, Jun 10, 2008 at 7:27 PM, Guillaume Bienkowski
<guillaume.bienkowski@xxxxxxxxxxxx> wrote:

>
> What I know is that my packet data will always contain ONLY the 2nd
> layer data (Ethernet) and the encapsulated data (TCP, UDP, ...).
>

I think I misunderstood you. I thought your packets started at IP or
IPX.  Is that not the case?

--gilbert
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-dev