Wireshark-dev: Re: [Wireshark-dev] Wireshark Dissector

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 25 Jun 2013 23:01:32 -0700

On Jun 25, 2013, at 9:23 PM, suraj mukade <surajmukade@xxxxxxxxx> wrote:

> Thanks for the precise answer. I understood the thing about dissector_add_uint();
> But I am not clear on the dissector table concept.
> Let me explain: my Ethernet frame will have some Ethernet type value (for example "ABCD") which Wireshark doesn’t understand.
> So if a frame with Ethernet type value="ABCD" comes, how will Wireshark know that it has to call my dissector? What is the way to register that value?

Somebody once told you

> you would have your dissector do
> 
>          dissector_add_uint("ethertype", {your ethertype value}, {a handle for your dissector});
> 
> where {your ethertype value} is the Ethernet type value registered for your protocol and {a handle for your dissector} is, well, a handle for your dissector, created with, for example, register_dissector() or new_register_dissector() or create_dissector_handle() or new_create_dissector_handle().

I would suggest that you listen to him.

> Sorry if I am wrong; I am trying to draw an analogy with the call dissector_add("udp.port", global_foo_port, foo_handle);
> where we are requesting Wireshark to call foo_handle on receiving a packet on UDP port global_foo_port.
> 
> In short, is it not sufficient to do a similar call as in the case of UDP?

No, because we renamed dissector_add() to dissector_add_uint().  It *would* be analogous if you did

	dissector_add_uint("udp.port", global_foo_port, foo_handle);

because what you'd be doing would be

	dissector_add_uint("ethertype", {your ethertype value}, foo_handle);

(the rename was done because some other routines had "port" in their name, but the value isn't necessarily a TCP or UDP port number, it's an arbitrary integral value, and we had some _string routines for registering *string* values in dissector tables, so we renamed the old routines to all have _uint to indicate that the value was an arbitrary unsigned integer value).
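
Added example (not part of the original message, and not Wireshark source code): a simplified, self-contained model of the dissector-table concept discussed in this thread, showing why one registration under "ethertype" is enough for the Ethernet layer to reach a new dissector. All toy_* names, the 0xABCD value and the sample frame are hypothetical or constructed.

```c
/* Toy model of a uint-keyed dissector table; every toy_* name is hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef int (*toy_dissector_t)(const uint8_t *payload, size_t len);

struct toy_entry { const char *table; uint32_t value; toy_dissector_t handle; };
static struct toy_entry toy_entries[16];
static size_t toy_count;

/* Models dissector_add_uint(table, value, handle): bind a value to a handle. */
static int toy_dissector_add_uint(const char *table, uint32_t value, toy_dissector_t h)
{
    if (toy_count == sizeof toy_entries / sizeof toy_entries[0]) return -1;
    toy_entries[toy_count++] = (struct toy_entry){ table, value, h };
    return 0;
}

/* Look the value up in the named table and call the registered handle.
   Returns -1 when nothing is registered (payload would stay undissected). */
static int toy_dissector_try_uint(const char *table, uint32_t value,
                                  const uint8_t *payload, size_t len)
{
    for (size_t i = 0; i < toy_count; i++)
        if (toy_entries[i].value == value && strcmp(toy_entries[i].table, table) == 0)
            return toy_entries[i].handle(payload, len);
    return -1;
}

/* Hypothetical protocol: reports its first payload byte as a message type. */
static int toy_dissect_foo(const uint8_t *p, size_t len) { return len ? p[0] : -1; }

/* The Ethernet layer's side: read the type field at offset 12 and hand the
   rest of the frame to whatever is registered for it in "ethertype". */
static int toy_dissect_eth(const uint8_t *frame, size_t len)
{
    if (len < 14) return -1;                 /* truncated Ethernet header */
    uint32_t etype = (uint32_t)frame[12] << 8 | frame[13];
    return toy_dissector_try_uint("ethertype", etype, frame + 14, len - 14);
}

/* Constructed frame: dst MAC, src MAC, ethertype 0xABCD, one payload byte. */
static const uint8_t toy_frame[] = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0xAB,0xCD, 0x07 };

int main(void)
{
    toy_dissector_add_uint("ethertype", 0xABCD, toy_dissect_foo);
    return toy_dissect_eth(toy_frame, sizeof toy_frame) == 0x07 ? 0 : 1;
}
```

The "udp.port" case works the same way in this model: the table name passed at registration only selects which parent layer's lookup will find the entry.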