First, you might try reading through the documentation. README.developer
and README.heuristic ought to provide you with just about all the information
you need to get you started.
But to answer your questions:
1) Yes, your plugin will change slightly going from a normal
dissector to a heuristic one. The README’s should explain all of this.
2) You can fetch the Ethernet MAC address from pinfo. See
epan/packet_info.h.
3) The Ethernet dissector will hand off the packet to your
dissector starting with the payload. In other words, your dissector will not
get the 1st 14 bytes of packet, which is the Ethernet header. It is
then up to your dissector to try to figure out, heuristically, whether or not
the payload is actually yours or not to dissect. If it isn’t, return FALSE; if
it is, dissect the packet accordingly and return TRUE. If you need the Ethernet
header information to help determine if it’s yours or not, then you can get all
of it from pinfo. Assuming it’s your data, you should end up with a tree structure
such as:
+ Frame 1 (xx bytes on wire, yy bytes captured)
+ Ethernet II, Src: xx:xx:xx:xx:xx:xx, Dst: yy:yy:yy:yy:yy:yy
+ Your protocol, Your protocol-specific summary information
So, I’m not exactly sure what you meant by “may I reuse the Eth
packet analysis”, but you can certainly get the Ethernet related information via
pinfo if you need it, and if you were wondering whether you need to handle
dissection of the Ethernet header or not, you don’t. Your dissector will only
need to populate that last tree.
4) When you’re done dissecting your protocol’s data and assuming
you know the rest is IP, simply call “call_dissector(ip_handle)”. E.g., this
pseudo-code should give you an idea:
static dissector_handle_t ip_handle;
static gboolean
dissect_PROTOABBREV(tvbuff_t *tvb, packet_info *pinfo, proto_tree
*tree)
{
tvbuff_t *next_tvb;
proto_tree *your_tree;
handle_heuristics();
dissect_your_stuff();
/* Assuming the rest of the payload is IPv4, create a new tvb
subset and
* pass it to the IP dissector.
* Offset is the offset into your payload where IPv4 data
begins.
* len is the length of the IP data.
*/
next_tvb = tvb_new_subset(tvb, offset, len, len);
call_dissector(ip_handle, next_tvb, pinfo, your_tree);
}
void
proto_reg_handoff_PROTOABBREV(void)
{
ip_handle = find_dissector("ip");
}
- Chris
From:
wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of yvanmmailbox-web@xxxxxxxx
Sent: Monday, April 06, 2009 6:15 AM
To: wireshark-dev@xxxxxxxxxxxxx
Subject: [Wireshark-dev] Modifying the ETH dissector
Hi
all,
I'm beginner in Wireshark plugin development.
As Valentin said in a previous mail (http://www.wireshark.org/lists/wireshark-dev/200803/msg00285.html),
I also need to develop an AFDX plugin. I am interested in the solution
explained in this URL, to add a heuristic dissector, but I have some questions:
Does using a heuristic dissector suppose I don't need to modify the ETH
dissector, and only create my own one as a plugin? In this case, where do I add
the line "heur_dissector_add(“eth”, dissect_afdx, proto_afdx);"
?=> Does the structure of my plugin change with this kind of call?
How can I fetch the MAC address from data inside the ETH, to scan it?
May I reuse the ETH packet analysis (length, type of protocol encapsulated,
trailer...) automatically?
What must I do in my plugin in order to use the IP plugin after? (i.e. I wish
to have frame:afdx:ip:udp:other)
Thanks a lot for your answers!
Yvan
