Wireshark-dev: Re: [Wireshark-dev] Wireshark Dissector
From: suraj mukade <[email protected]>
Date: Wed, 26 Jun 2013 11:46:35 +0530
It means
dissector_add_uint("ethertype", {your ethertype value}, foo_handle); alone should work without any problem.

One more question, Is there any way to prepare sample capture file to test our dissector?
Can we edit/modify any captured file by wireshark?


On Wed, Jun 26, 2013 at 11:31 AM, Guy Harris <[email protected]> wrote:

On Jun 25, 2013, at 9:23 PM, suraj mukade <[email protected]> wrote:

> Thanks for the precise answer. I understood thing dissector_add_uint();
> But I am not clear with dissector table concept.
> Let me explain, My Ethernet frame will have some Ethernet type value (for example "ABCD")which wireshark doesn’t understand.
> So if the frame with Ethernet type value="ABCD" comes how wireshark will know that it has to call my dissector? What is the way to register that value.

Somebody once told you

> you would have your dissector do
>
>          dissector_add_uint("ethertype", {your ethertype value}, {a handle for your dissector});
>
> where {your ethertype value} is the Ethernet type value registered for your protocol and {a handle for your dissector} is, well, a handle for your dissector, created with, for example, register_dissector() or new_register_dissector() or create_dissector_handle() or new_create_dissector_handle().

I would suggest that you listen to him.

> Sorry if I am wrong I am trying to analog it with the call dissector_add("udp.port", global_foo_port, foo_handle);
> where we are requesting Wireshark to call foo_handle on receiving packet on UDP port global_foo_port.
>
> In short is it not sufficient to do similar call as in case of UDP?

No, because we renamed dissector_add() to dissector_add_uint().  It *would* be analogous if you did

        dissector_add_uint("udp.port", global_foo_port, foo_handle);

because what you'd be doing would be

        dissector_add_uint("ethertype", {your ethertype value}, foo_handle);

(the rename was done because some other routines had "port" in their name, but the value isn't necessarily a TCP or UDP port number, it's an arbitrary integral value, and we had some _string routines for registering *string* values in dissector tables, so we renamed the old routines to all have _uint to indicate that the value was an arbitrary unsigned integer value).
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe



--
Thank You,



"The only thing in the world we need to fear is fear itself"
Suraj Mukade,
Scientific Officer,
Bhabha Atomic Research Center, Mumbai.