Wireshark-dev: Re: [Wireshark-dev] Start Dissection from an upper layer?
From: Guillaume Bienkowski <[email protected]>
Date: Tue, 10 Jun 2008 16:21:52 +0200
Argh, I just poorly explained myself: I was just confused with Ethernet and IP.
So I confirm, I get only "data" from the 3rd layer (IP).
(Actually, it will always be IP datagrams, so I don't have to bother with IPX or other fancy 3rd layer protocols.)
What I'd like to do now is to start the dissection from the 3rd layer, so
that I only have one modification to do (the "ip" dissector).
What I don't understand is how to make the IP protocol register itself 
as a "1st layer" protocol (meaning: the dissection should start by 
seeking IP headers).
The packet-ip.c has this:

   dissector_handle_t ip_handle;

   data_handle = find_dissector("data");
   ip_handle = find_dissector("ip");
   tapa_handle = find_dissector("tapa");
   dissector_add("ethertype", ETHERTYPE_IP, ip_handle);
   dissector_add("ppp.protocol", PPP_IP, ip_handle);
   dissector_add("ppp.protocol", ETHERTYPE_IP, ip_handle);
   dissector_add("gre.proto", ETHERTYPE_IP, ip_handle);
   dissector_add("gre.proto", GRE_WCCP, ip_handle);
   dissector_add("llc.dsap", SAP_IP, ip_handle);
   dissector_add("ip.proto", IP_PROTO_IPIP, ip_handle);
   dissector_add("null.type", BSD_AF_INET, ip_handle);
   dissector_add("chdlctype", ETHERTYPE_IP, ip_handle);
   dissector_add("osinl.excl", NLPID_IP, ip_handle);
   dissector_add("fr.ietf", NLPID_IP, ip_handle);
   dissector_add("x.25.spi", NLPID_IP, ip_handle);
   dissector_add("arcnet.protocol_id", ARCNET_PROTO_IP_1051, ip_handle);
   dissector_add("arcnet.protocol_id", ARCNET_PROTO_IP_1201, ip_handle);
   dissector_add_handle("udp.port", ip_handle);

What should I change in there?

Gilbert Ramirez wrote:
On Tue, Jun 10, 2008 at 7:27 PM, Guillaume Bienkowski
<[email protected]> wrote:

> What I know is that my packet data will always contain ONLY the 2nd
> layer data (Ethernet) and the encapsulated data (TCP, UDP, ...).

I think I misunderstood you. I thought your packets started at IP or
IPX.  Is that not the case?
