First, you might try reading through the documentation. README.developer and
README.heuristic ought to provide you with just about all the information you
need to get you started.
But to answer your questions:
1) Yes, your plugin will change slightly going from a normal dissector to a
heuristic one. The READMEs should explain all of this.
2) You can fetch the Ethernet MAC address from pinfo. See epan/packet_info.h.
3) The Ethernet dissector will hand off the packet to your dissector starting
with the payload. In other words, your dissector will not get the 1st 14 bytes
of packet, which is the Ethernet header. It is then up to your dissector to
try to figure out, heuristically, whether or not the payload is actually yours
or not to dissect. If it isn’t, return FALSE; if it is, dissect the packet
accordingly and return TRUE. If you need the Ethernet header information to
help determine if it’s yours or not, then you can get all of it from pinfo.
Assuming it’s your data, you should end up with a tree structure such as:
+ Frame 1 (xx bytes on wire, yy bytes captured)
+ Ethernet II, Src: xx:xx:xx:xx:xx:xx, Dst: yy:yy:yy:yy:yy:yy
+ Your protocol, Your protocol-specific summary information
So, I’m not exactly sure what you meant by “may I reuse the Eth packet
analysis”, but you can certainly get the Ethernet related information via pinfo
if you need it, and if you were wondering whether you need to handle dissection
of the Ethernet header or not, you don’t. Your dissector will only need to
populate that last tree.
4) When you’re done dissecting your protocol’s data and assuming you know the
rest is IP, simply call “call_dissector(ip_handle)”. E.g., this pseudo-code
should give you an idea:
    static int proto_PROTOABBREV = -1;     /* set by proto_register_PROTOABBREV() */
    static dissector_handle_t ip_handle;

    static gboolean
    dissect_PROTOABBREV(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
    {
        tvbuff_t   *next_tvb;
        proto_tree *your_tree;
        gint        offset, len;

        /* Placeholder: look at the payload (and at pinfo, if you need the
         * Ethernet addresses) and bail out if the packet is not yours. */
        if (!handle_heuristics(tvb, pinfo))
            return FALSE;

        /* Placeholder: add your protocol's fields under "tree"; this is
         * where your_tree, offset and len get set. */
        dissect_your_stuff(tvb, pinfo, tree, &your_tree, &offset, &len);

        /* Assuming the rest of the payload is IPv4, create a new tvb subset and
         * pass it to the IP dissector.
         * offset is the offset into your payload where IPv4 data begins.
         * len is the length of the IP data.
         */
        next_tvb = tvb_new_subset(tvb, offset, len, len);
        call_dissector(ip_handle, next_tvb, pinfo, your_tree);
        return TRUE;
    }

    void
    proto_reg_handoff_PROTOABBREV(void)
    {
        ip_handle = find_dissector("ip");
        /* Register as a heuristic sub-dissector of Ethernet. */
        heur_dissector_add("eth", dissect_PROTOABBREV, proto_PROTOABBREV);
    }
- Chris
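Added example (not from this thread, and not Wireshark code): a stand-alone C model of the decision the heuristic sketched above has to make. Plain buffers stand in for tvbuff_t and pinfo so it compiles without the epan headers; the AFDX-specific check (destination MAC prefix 03:00:00:00 followed by a virtual-link id, IPv4 directly in the payload, one trailing sequence byte) is an assumption made for illustration, and the sample frame is constructed.

```c
/* Added, stand-alone model of the decision a heuristic dissector on "eth"
 * makes. Plain buffers stand in for tvbuff_t/pinfo so it builds without the
 * epan headers; the AFDX check below is an assumption for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ETH_HDR_LEN 14                /* bytes the Ethernet dissector consumed */

typedef struct {
    uint8_t dst[6], src[6];           /* what pinfo would carry */
    const uint8_t *payload;           /* where the handed-off tvb starts */
    size_t payload_len;
} eth_ctx;

/* Mirrors what the "eth" dissector does before calling the heuristic. */
int split_frame(const uint8_t *frame, size_t frame_len, eth_ctx *c)
{
    if (frame_len < ETH_HDR_LEN) return 0;
    memcpy(c->dst, frame, 6);
    memcpy(c->src, frame + 6, 6);
    c->payload = frame + ETH_HDR_LEN;
    c->payload_len = frame_len - ETH_HDR_LEN;
    return 1;
}

/* Returns 1 (TRUE) plus the offset/len to hand to the IP dissector when the
 * payload is ours, 0 (FALSE) otherwise. Every read is length-checked first:
 * a heuristic must reject a short or inconsistent frame, not throw on it. */
int afdx_heuristic(const eth_ctx *c, size_t *ip_off, size_t *ip_len)
{
    static const uint8_t vl_prefix[4] = {0x03, 0x00, 0x00, 0x00}; /* assumed */
    if (memcmp(c->dst, vl_prefix, sizeof vl_prefix) != 0) return 0;
    if (c->payload_len < 20) return 0;             /* no room for IPv4 hdr */
    const uint8_t *p = c->payload;
    if ((p[0] >> 4) != 4) return 0;                /* IPv4 version nibble */
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    size_t total = ((size_t)p[2] << 8) | p[3];     /* IPv4 Total Length */
    if (ihl < 20 || total < ihl || total > c->payload_len) return 0;
    *ip_off = 0;                                   /* IP starts the payload */
    *ip_len = total;                               /* rest is trailer (seq) */
    return 1;
}

/* Constructed sample: VL 0x0102, IPv4 Total Length 28, trailing seq 0x2a. */
static const uint8_t sample_frame[] = {
    0x03,0x00,0x00,0x00,0x01,0x02, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x00,0x00,0x00, 0x01,0x11,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02, 0x00,0x00,0x00,0x00,
    0x00,0x08,0x00,0x00, 0x2a
};
```

In the real plugin the two rejected cases below are exactly where a heuristic should return FALSE rather than let a tvb bounds exception mark the frame malformed.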
From: [email protected]
[mailto:[email protected]] On Behalf Of
[email protected]
Sent: Monday, April 06, 2009 6:15 AM
To: [email protected]
Subject: [Wireshark-dev] Modifying the ETH dissector
Hi all,
I'm a beginner in Wireshark plugin development.
As Valentin said in a previous mail
(http://www.wireshark.org/lists/wireshark-dev/200803/msg00285.html), I also
need to develop an AFDX plugin. I am interested in the solution explained in
this URL, to add a heuristic dissector, but I have some questions:
Does using a heuristic dissector suppose I don't need to modify the ETH
dissector, and only create my own one as a plugin? In this case, where do I add
the line "heur_dissector_add(“eth”, dissect_afdx, proto_afdx);" ?
=> Does the structure of my plugin change with this kind of call?
How can I fetch the MAC address from data inside the ETH, to scan it?
May I reuse the ETH packet analysis (length, type of protocol encapsulated,
trailer...) automatically?
What must I do in my plugin in order to use the IP plugin after? (i.e. I wish
to have frame:afdx:ip:udp:other)
Thanks a lot for your answers!
Yvan
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: http://www.wireshark.org/lists/wireshark-dev