
Wireshark-dev: Re: [Wireshark-dev] Adding new dissectors

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 13 Mar 2009 20:16:16 -0700

On Mar 11, 2009, at 10:52 PM, Rayne wrote:

> I would like to know if adding a new dissector would require modifying/adding this dissector to the code of the dissector that may later call it.

In most cases, no. That's why we do all that dissector-table and heuristic-dissector-list stuff we mentioned to you earlier.

> For example, I was looking at packet-gtp.c, and in proto_reg_handoff_gtp(), dissector_add() was used to add UDP and, if necessary, TCP. Looking at dissector_add(), it appears that it would call dissector_add_handle() to add GTP as a sub-dissector to UDP and/or TCP. All of this is done only in packet-gtp.c and not in packet-udp.c or packet-tcp.c.
>
> If my reasoning is correct, am I right to say when I add a dissector, I need not modify the code of the protocol layers below it?

In most cases, yes.

> For example in this case, if I were to add the GTP dissector, I only need to specify and add the layers below it (UDP and/or TCP) in its own code.

Yes.

> As for protocol layers above it, I would just use call_dissector whenever appropriate?

You would use whatever's appropriate for the dissector. If the protocol layer has a field that you can use to select the next protocol layer, you'd use the routines that look up an unsigned integer or a string in a dissector table, rather than call_dissector(). If more complicated rules to determine what dissector to call are required, you might have to look up the dissectors in question by name and use call_dissector() - which might require that those dissectors be changed to register themselves by name.
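
The decoupling discussed in this thread, as an added example that is not part of the original message and not Wireshark code: a self-contained C model of a port-keyed dissector table, in which the UDP layer never names GTP. All function and type names are hypothetical, only the destination port is consulted, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a dissector table. Every name below is hypothetical;
 * none of this is Wireshark's epan API. */
typedef int (*dissect_fn)(const uint8_t *buf, size_t len);
struct entry { uint32_t key; dissect_fn fn; };
static struct { struct entry e[16]; size_t n; } udp_port_table; /* "udp.port" */

/* Upper layers register here from their own handoff routine. */
static int table_add_uint(uint32_t key, dissect_fn fn) {
    if (udp_port_table.n >= 16) return -1;          /* table full */
    udp_port_table.e[udp_port_table.n++] = (struct entry){ key, fn };
    return 0;
}

/* Lower layer lookup: bytes consumed, or 0 if no dissector claimed the key. */
static int table_try_uint(uint32_t key, const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < udp_port_table.n; i++)
        if (udp_port_table.e[i].key == key) return udp_port_table.e[i].fn(buf, len);
    return 0;
}

/* Role of packet-udp.c: contains no reference to GTP. */
int dissect_udp(const uint8_t *pkt, size_t len) {
    if (len < 8) return -1;                         /* truncated UDP header */
    uint32_t dport = ((uint32_t)pkt[2] << 8) | pkt[3];
    size_t ulen = ((size_t)pkt[4] << 8) | pkt[5];
    if (ulen < 8 || ulen > len) return -1;          /* length field exceeds capture */
    return table_try_uint(dport, pkt + 8, ulen - 8);
}

/* Role of packet-gtp.c: the only file that mentions both GTP and UDP. */
static int dissect_gtp(const uint8_t *buf, size_t len) {
    (void)buf;
    return len < 8 ? 0 : (int)len;                  /* GTPv1 header is >= 8 bytes */
}
int gtp_handoff(void) { return table_add_uint(2152, dissect_gtp); } /* GTP-U port */

/* Constructed sample: UDP 4660 -> 2152, length 16, 8 payload bytes. */
const uint8_t sample_pkt[16] = { 0x12,0x34, 0x08,0x68, 0x00,0x10, 0x00,0x00,
                                 0x30,0xff, 0x00,0x00, 0x00,0x00, 0x00,0x01 };

int main(void) {
    printf("before handoff: %d\n", dissect_udp(sample_pkt, sizeof sample_pkt));
    gtp_handoff();
    printf("after handoff:  %d\n", dissect_udp(sample_pkt, sizeof sample_pkt));
    return 0;
}
```

The two length checks in `dissect_udp()` reject a truncated header and a UDP length field larger than the captured data before any sub-dissector sees the payload.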