Wireshark-dev: [Wireshark-dev] Dissecting protocol running under UDP
From: Beth <[email protected]>
Date: Mon, 12 Oct 2009 12:29:48 -0400

I am working with a plugin dissector that handles a protocol running under IEEE 802.15.4.  The source code for this dissector (written by someone else) combines the 802.15.4 dissection with the other protocol.  I am attempting to split the existing plugin into a separate plugin for the other protocol, and use it with the Wireshark builtin 802.15.4 dissector instead of the homegrown one.

Here is the hitch I have encountered:  The sniffer I was given encapsulates the 802.15.4 packets as UDP payloads.  The plugin I'm working on adds itself to the "udp.port" dissector list for the appropriate port number, but the builtin 802.15.4 dissector only adds itself to "ethertype".

Can someone advise me on the best way to proceed from here?  I see the following options:

1. Give up on using the builtin 802.15.4 dissector, just keep using the one I have.

2. Modify the builtin dissector so that it adds itself to "udp.port" instead of "ethertype".  (Which means I will no longer be able to distribute just the plugins to other users of this protocol; they will need the modified Wireshark build as well.)

3. Find a way to modify the builtin dissector so that it works for this sniffer *without* affecting how it works for everyone else, and submit the patch for approval.  (Would only do this if it were likely that others might need a similar feature.)

I have no experience with sniffers other than this one (and don't know much about this one either).  Is it common to represent wireless packets as payloads of another network layer?
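The registration mechanism described in the post (a dissector adding itself to the "udp.port" table, and the builtin 802.15.4 dissector registering only on "ethertype") can be bridged without touching the builtin dissector at all: a small shim registers on "udp.port" and hands the UDP payload to the builtin dissector by its filter name, which for IEEE 802.15.4 is "wpan". The following Lua script is an added example written for this thread; it is not the poster's plugin and not part of Wireshark. The protocol name "wpan_over_udp", the function names and the port value SNIFFER_UDP_PORT are assumptions (the post does not give the port), and it assumes the UDP payload begins directly at the 802.15.4 MAC header with no sniffer-specific prefix.

```lua
-- Added example, not the poster's plugin: a Lua shim dissector that registers on
-- the "udp.port" dissector table and passes the UDP payload to Wireshark's
-- builtin IEEE 802.15.4 dissector (filter name "wpan"). Load it by placing it in
-- the personal plugins directory or with: wireshark -X lua_script:wpan_over_udp.lua

-- Hypothetical placeholder: the UDP port the sniffer uses for its encapsulated
-- frames. The post does not state it; replace with the real value.
local SNIFFER_UDP_PORT = 5000

-- Hypothetical shim protocol; the name appears in the Protocol column and as a
-- display-filter prefix. It carries no fields of its own.
local wpan_over_udp = Proto("wpan_over_udp", "IEEE 802.15.4 encapsulated in UDP")

-- Resolve the builtin 802.15.4 dissector once, when the script loads.
-- Dissector.get raises an error if the name is unknown, which is the desired
-- failure mode: better to learn at load time than silently decode nothing.
local wpan = Dissector.get("wpan")

-- Length of any sniffer-specific header preceding the MAC frame.
-- Assumption for this example: none. If the sniffer prepends metadata
-- (timestamp, channel, RSSI), set this to its length or parse it here.
local SNIFFER_HEADER_LEN = 0

function wpan_over_udp.dissector(tvb, pinfo, tree)
    -- Nothing to hand over for an empty or truncated payload.
    if tvb:len() <= SNIFFER_HEADER_LEN then
        return 0
    end

    pinfo.cols.protocol = "802.15.4/UDP"

    -- Hand the remainder of the buffer to the builtin dissector. The builtin
    -- dissector builds the 802.15.4 tree and, in turn, calls whatever it finds
    -- registered for the payload, so the poster's separate plugin can register
    -- with the 802.15.4 dissector rather than with "udp.port".
    local frame = tvb(SNIFFER_HEADER_LEN):tvb()
    wpan:call(frame, pinfo, tree)

    return tvb:len()
end

-- Register on "udp.port" so UDP routes matching packets to the shim. The builtin
-- 802.15.4 dissector is left exactly as shipped: it still registers on "ethertype"
-- for everyone else, and this script only adds a second way to reach it.
DissectorTable.get("udp.port"):add(SNIFFER_UDP_PORT, wpan_over_udp)
```

This is the option 3 shape from the post with the patch kept outside the Wireshark tree: the shim can be distributed alongside the poster's protocol plugin, and nothing in the builtin dissector changes. One thing to verify against a known-good capture before relying on it is whether the sniffer keeps the 802.15.4 frame check sequence on the wire; if it strips it, the builtin dissector will flag every frame as having a bad FCS and the shim needs to account for that.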