Wireshark-dev: [Wireshark-dev] How to best register dissector for ethernet encapsulated packet
From: "Leonard Tracy (letracy)" <[email protected]>
Date: Thu, 14 Jul 2011 11:19:15 -0700


Hi All,


I’m working on finishing up development of a dissector.  The protocol uses an Ethernet in Ethernet encapsulation format where the outer header uses hierarchical source and destination mac addresses, there is then a special ethertype and some info in a TAG (DTAG).   If I only register the ethertype, then the Ethernet dissector will process the other source and destination address and only the tag will get passed to my dissector.  I would like my dissector to process the source and destination address, the tag and then pass the original Ethernet frame to the Ethernet dissector. 


I was able to accomplish this using a heuristic dissector, but this seems to present an unnecessary overhead on the system.  I’m wondering if there’s a more efficient way of accomplishing the above (having my dissector run on both the Ethernet header and tag based on the ethertype in the packet).