Wireshark-dev: [Wireshark-dev] Dissecting protocol running under UDP
From: Beth <[email protected]>
Date: Mon, 12 Oct 2009 12:29:48 -0400

I am working with a plugin dissector that handles a protocol running under IEEE 802.15.4.  The source code for this dissector (written by someone else) combines the 802.15.4 dissection with the other protocol.  I am attempting to split the existing plugin into a separate plugin for the other protocol, and use it with the Wireshark builtin 802.15.4 dissector instead of the homegrown one.

Here is the hitch I have encountered:  The sniffer I was given encapsulates the 802.15.4 packets as UDP payloads.  The plugin I'm working on adds itself to the "udp.port" dissector list for the appropriate port#, but the builtin 802.15.4 dissector only adds itself to "ethertype".

Can someone advise me on the best way to proceed from here?  I see the following options:

1. Give up on using the builtin 802.15.4 dissector, just keep using the one I have.

2. Modify the builtin dissector so that it adds itself to "udp.port" instead of "ethertype".  (Which means I will no longer be able to distribute just the plugins to other users of this protocol; they will need the modified Wireshark build as well.)

3. Find a way to modify the builtin dissector so that it works for this sniffer *without* affecting how it works for everyone else, and submit the patch for approval.  (Would only do this if it were likely that others might need a similar feature.)

I have no experience with sniffers other than this one (and don't know much about this one either), is it common to represent wireless packets as payloads of another network layer?

Thanks,
b.