Wireshark-dev: Re: [Wireshark-dev] Dissecting protocol running under UDP
From: Jeff Morriss <[email protected]>
Date: Mon, 12 Oct 2009 13:20:41 -0400
Beth wrote:
I am working with a plugin dissector that handles a protocol running 
under IEEE 802.15.4.  The source code for this dissector (written by 
someone else) combines the 802.15.4 dissection with the other protocol.  
I am attempting to split the existing plugin into a separate plugin for 
the other protocol, and use it with the Wireshark builtin 802.15.4 
dissector instead of the homegrown one.
Here is the hitch I have encountered:  The sniffer I was given 
encapsulates the 802.15.4 packets as UDP payloads.  The plugin I'm 
working on adds itself to the "udp.port" dissector list for the 
appropriate port#, but the builtin 802.15.4 dissector only adds itself 
to "ethertype".
Can someone advise me on the best way to proceed from here?  I see the 
following options:
1. Give up on using the builtin 802.15.4 dissector, just keep using the 
one I have.
2. Modify the builtin dissector so that it adds itself to "udp.port" 
instead of "ethertype".  (Which means I will no longer be able to 
distribute just the plugins to other users of this protocol; they will 
need the modified Wireshark build as well.)
3. Find a way to modify the builtin dissector so that it works for this 
sniffer *without* affecting how it works for everyone else, and submit 
the patch for approval.  (Would only do this if it were likely that 
others might need a similar feature.)
4. Write another dissector that registers for the appropriate "udp.port" 
and calls find_dissector("wpan") (or "wpan-nofcs" or one of the other 
names for that dissector) to get a handle to the 802.15.4 dissector. 
When this dissector is handed packets it can pass the appropriate part 
of the payload to the built-in 802.15.4 dissector.
For a simple example of that, look at packet-mtp2.c who dissects MTP2 
headers before passing the remaining payload to the MTP3 dissector.