
Wireshark-dev: Re: [Wireshark-dev] Dissecting protocol running under UDP

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Mon, 12 Oct 2009 13:20:41 -0400
Beth wrote:

I am working with a plugin dissector that handles a protocol running under IEEE 802.15.4. The source code for this dissector (written by someone else) combines the 802.15.4 dissection with the other protocol. I am attempting to split the existing plugin into a separate plugin for the other protocol, and use it with the Wireshark builtin 802.15.4 dissector instead of the homegrown one.

Here is the hitch I have encountered: The sniffer I was given encapsulates the 802.15.4 packets as UDP payloads. The plugin I'm working on adds itself to the "udp.port" dissector list for the appropriate port#, but the builtin 802.15.4 dissector only adds itself to "ethertype".

Can someone advise me on the best way to proceed from here? I see the following options:

1. Give up on using the builtin 802.15.4 dissector, just keep using the one I have.

2. Modify the builtin dissector so that it adds itself to "udp.port" instead of "ethertype". (Which means I will no longer be able to distribute just the plugins to other users of this protocol; they will need the modified Wireshark build as well.)

3. Find a way to modify the builtin dissector so that it works for this sniffer *without* affecting how it works for everyone else, and submit the patch for approval. (Would only do this if it were likely that others might need a similar feature.)

4. Write another dissector that registers for the appropriate "udp.port" and calls find_dissector("wpan") (or "wpan-nofcs" or one of the other names for that dissector) to get a handle to the 802.15.4 dissector. When this dissector is handed packets it can pass the appropriate part of the payload to the built-in 802.15.4 dissector.

For a simple example of that, look at packet-mtp2.c, which dissects MTP2 headers before passing the remaining payload to the MTP3 dissector.
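As an added example (not code from this thread or from the Wireshark project), here is what option 4 looks like written as a Lua plugin rather than a C plugin. The Lua route also sidesteps the distribution problem raised under option 2: a .lua file dropped into the personal plugins folder works with a stock Wireshark build. Dissector.get("wpan") is the Lua counterpart of the find_dissector("wpan") call mentioned above. The UDP port value (17754) is a placeholder, and the optional fixed-length sniffer header ahead of the 802.15.4 frame is an assumption, since the thread does not describe the sniffer's framing; the header length is exposed as a preference so it can be set without editing the file.

```lua
-- Added example (not from the thread): a Lua wrapper dissector implementing
-- "option 4" without rebuilding Wireshark. Save it in the personal Lua plugins
-- folder (Help -> About Wireshark -> Folders) and restart Wireshark.
--
-- Assumptions the thread does not state:
--   * UDP_PORT: the sniffer's UDP port; 17754 is a placeholder value.
--   * The sniffer may prepend a fixed-size header of its own before the
--     802.15.4 frame; its length is a preference (default 0 = none).
--   * The frames carry an FCS, so the "wpan" handle is used.

local UDP_PORT = 17754  -- placeholder; set to the sniffer's real port

local sniffer_proto = Proto("sniffer_udp",
                            "Sniffer UDP encapsulation of IEEE 802.15.4")

-- Length of any sniffer-specific header ahead of the 802.15.4 frame.
sniffer_proto.prefs.hdr_len = Pref.uint(
    "Encapsulation header length (bytes)", 0,
    "Number of sniffer-specific bytes preceding the IEEE 802.15.4 frame")

-- One field for the wrapper layer itself; the inner frame is shown by "wpan".
local f_hdr = ProtoField.bytes("sniffer_udp.header", "Sniffer header")
sniffer_proto.fields = { f_hdr }

-- Resolve the built-in 802.15.4 dissector once at load time. If this build
-- has no "wpan" dissector, fall back to the generic "data" dissector so the
-- payload is still displayed rather than dropped.
local function get_wpan_handle()
    local ok, handle = pcall(Dissector.get, "wpan")
    if ok and handle then
        return handle
    end
    return Dissector.get("data")
end
local wpan = get_wpan_handle()

function sniffer_proto.dissector(tvb, pinfo, tree)
    local hdr_len = sniffer_proto.prefs.hdr_len
    local total   = tvb:reported_length_remaining()

    -- A payload shorter than the configured header cannot be ours;
    -- returning 0 tells Wireshark we did not dissect anything.
    if total < hdr_len then
        return 0
    end

    -- Wrapper subtree covering only the sniffer header (possibly empty).
    local subtree = tree:add(sniffer_proto, tvb(0, hdr_len))
    if hdr_len > 0 then
        subtree:add(f_hdr, tvb(0, hdr_len))
    end
    subtree:append_text(string.format(" (%d-byte 802.15.4 frame follows)",
                                      total - hdr_len))

    -- Hand the remainder to the built-in IEEE 802.15.4 dissector. It sets
    -- the Protocol/Info columns itself, so nothing is set here.
    wpan:call(tvb(hdr_len):tvb(), pinfo, tree)
    return total
end

-- Register on the sniffer's UDP port, as the original plugin does.
DissectorTable.get("udp.port"):add(UDP_PORT, sniffer_proto)
```

Because the wrapper returns 0 on a too-short payload and only claims the bytes it actually understands, it behaves correctly if the port is later also used by heuristic or other dissectors; all 802.15.4 decoding, including FCS checking, stays with the built-in dissector, which is the point of option 4.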