Wireshark-dev: Re: [Wireshark-dev] Wireshark Dissector issue
From: "Martin Mathieson" <[email protected]>
Date: Wed, 5 Nov 2008 13:52:59 -0500

On Wed, Nov 5, 2008 at 12:41 PM, Sean <[email protected]> wrote:

I'm new for Wireshark,
I'd like to implement a wireshark dissector for a selfdefined protocol,
there is an issue:
the packet data can't be decoded by the packet data itself,
so does there any methods for passing some options/chooses to Wireshark for additional information of decoding the packet data?

As an example, the data packet can be decoded as different structures depending on the data packet type,
and I don't want to modify the packet data itself,
does anyone have any information on how to implement this feature?

Your help is highly appreciated.


I've faced the same issue when decoding user-plane protocols, which often rely upon information that isn't in the packet.

My approach has been to write the dissector to look up per-packet info (using p_get_proto_data()), and cast it to a struct that contains the additional information needed to do the decode (and in some cases, info not strictly-speaking needed for the decode but nice to display along with the actual decode).  See packet-umts_fp.c for an example of looking up and using the information in the struct (I have 3 LTE dissectors that work in a similar way that I'll try to check in soon).  If the same info applies to the whole capture, you may be able to store it in conversation info, or even just globally.

How you get the information into the struct is another matter.  The file format that I use is more of a log format than a raw catpure format, so that extra information is available in the capture file and a dissector that understands the meta-information found in the file can attach this information before passing the real data to the actual protocol dissector (in this case, either packet-catapult-dct2000.c or packet-k12.c).

The other option, especially if the extra information is pretty static, might be to add dissector preferences where you can type in settings that affect how the decode is done.

Hope this helps,


Wireshark-dev mailing list
[email protected]