Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Re : Modifying the ETH dissector

From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Date: Thu, 9 Apr 2009 15:12:02 -0400

You want Ethernet information without having the Ethernet tree?  Do you have a different DLT?  I’m not sure I understand what it is you’re trying to do.  Maybe(?) this wiki page will help you: http://wiki.wireshark.org/HowToDissectAnything

 

And yes, if your dissector is going to be a heuristic one, then you’ll need to do a few more things than what my example showed.  I only provided what I thought you would need to call the IP dissector, as that’s not well documented in the various README’s, whereas the heuristic stuff is.

 

Look in epan/packet.[c|h] for heur_dissector_add and friends.

 

- Chris

 

 

From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of yvanmmailbox-web@xxxxxxxx
Sent: Wednesday, April 08, 2009 3:34 AM
To: Developer support list for Wireshark
Subject: [Wireshark-dev] Re : Modifying the ETH dissector

 

Hi,

Thanks a lot for this information. I hadn't the README.heuristic, and I haven't understood the role of pinfo;I'll use it for sure. Is it possible to have Ethernet information without having the Ethernet tree in my structure, with a heuristic dissector?
In the proto_reg_handoff_PROTOABBREV(void) function, I suppose I have to add to your example the heur_dissector_add(); but is there any order between the two functions? -->In which file can I found information about thes functions (heur_dissector_add, dissector_add, new_create_dissector_handle...)?

Thank you!

Yvan

 

 


De : "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
À : Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Envoyé le : Lundi, 6 Avril 2009, 23h24mn 33s
Objet : Re: [Wireshark-dev] Modifying the ETH dissector

First, you might try reading through the documentation.  README.developer and README.heuristic ought to provide you with just about all the information you need to get you started.

 

But to answer your questions:

1) Yes, your plugin will change slightly going from a normal dissector to a heuristic one.  The README’s should explain all of this.

 

2) You can fetch the Ethernet MAC address from pinfo.  See epan/packet_info.h.

 

3) The Ethernet dissector will hand off the packet to your dissector starting with the payload.  In other words, your dissector will not get the 1st 14 bytes of packet, which is the Ethernet header.  It is then up to your dissector to try to figure out, heuristically, whether or not the payload is actually yours or not to dissect.  If it isn’t, return FALSE; if it is, dissect the packet accordingly and return TRUE.  If you need the Ethernet header information to help determine if it’s yours or not, then you can get all of it from pinfo.  Assuming it’s your data, you should end up with a tree structure such as:

+ Frame 1 (xx bytes on wire, yy bytes captured)

+ Ethernet II, Src: xx:xx:xx:xx:xx:xx, Dst: yy:yy:yy:yy:yy:yy

+ Your protocol, Your protocol-specific summary information

 

So, I’m not exactly sure what you meant by “may I reuse the Eth packet analysis”, but you can certainly get the Ethernet related information via pinfo if you need it, and if you were wondering whether you need to handle dissection of the Ethernet header or not, you don’t.  Your dissector will only need to populate that last tree.

 

4) When you’re done dissecting your protocol’s data and assuming you know the rest is IP, simply call “call_dissector(ip_handle)”. E.g., this pseudo-code should give you an idea:

 

static dissector_handle_t ip_handle;

 

static gboolean

dissect_PROTOABBREV(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)

{

    tvbuff_t *next_tvb;

    proto_tree *your_tree;

 

    handle_heuristics();

    dissect_your_stuff();

 

    /* Assuming the rest of the payload is IPv4, create a new tvb subset and

     * pass it to the IP dissector.

     *     Offset is the offset into your payload where IPv4 data begins.

     *     len is the length of the IP data.

     */

    next_tvb = tvb_new_subset(tvb, offset, len, len);

    call_dissector(ip_handle, next_tvb, pinfo, your_tree);

}

 

void

proto_reg_handoff_PROTOABBREV(void)

{

    ip_handle = find_dissector("ip");

}

 

- Chris

 

 

From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of yvanmmailbox-web@xxxxxxxx
Sent: Monday, April 06, 2009 6:15 AM
To: wireshark-dev@xxxxxxxxxxxxx
Subject: [Wireshark-dev] Modifying the ETH dissector

 

Hi all,

I'm beginner in Wireshark plugin development.
As Valentin said in a previous mail (http://www.wireshark.org/lists/wireshark-dev/200803/msg00285.html), I also need to develop an AFDX plugin. I am interested in the solution explained in this URL, to add a heuristic dissector, but I have some questions:

Does using a heuristic dissector suppose I don't need to modify the ETH dissector, and only create my own one as a plugin? In this case, where do I add the line "heur_dissector_add(“eth”, dissect_afdx, proto_afdx);" ?=> Does the structure of my plugin change with this kind of call?

How can I fetch the MAC address from data inside the ETH, to scan it?

May I reuse the ETH packet analysis (length, type of protocol encapsulated, trailer...) automatically?

What must I do in my plugin in order to use the IP plugin after? (i.e. I wish to have frame:afdx:ip:udp:other)

Thanks a lot for your answers!

Yvan

 

CONFIDENTIALITY NOTICE: The contents of this email are confidential
and for the exclusive use of the intended recipient. If you receive this
email in error, please delete it from your system immediately and
notify us either by email, telephone or fax. You should not copy,
forward, or otherwise disclose the content of the email.

 

CONFIDENTIALITY NOTICE: The contents of this email are confidential
and for the exclusive use of the intended recipient. If you receive this
email in error, please delete it from your system immediately and 
notify us either by email, telephone or fax. You should not copy,
forward, or otherwise disclose the content of the email.