Hi Alex,

The plugin you attached is meant to open file types different from pcap,
right? I don't understand how to use this knowledge with my problem. I'm
using a pcap file; the thing is, I want Wireshark to dissect a protocol in
the link layer which is not included in Wireshark.

Armando Vázquez Ramírez

On Mon, Mar 5, 2012 at 9:11 AM, Alex Lindberg <[email protected]> wrote:
> I needed to read an unsupported file structure and protocol into
> Wireshark. I did this by creating a plugin that registered the necessary
> routines to read a file and determine if the file was the one I needed.
>
> 1st - register with wtap:
>
>     static int encap_mst_file;   /* encap type returned by wtap_register_encap_type() */
>     static int wf_myproto_file;  /* file type returned by wtap_register_file_type() */
>
>     /* register with wtap */
>     void wtap_register_mst(void) {
>         static struct file_type_info fi = {
>             "My PROTOCOL File",  /* name */
>             "mst_file",          /* short name */
>             "*.*",               /* file extensions */
>             NULL,                /* file extension default */
>             FALSE,               /* writing seek must */
>             FALSE,               /* has name resolution */
>             NULL,                /* can write this type of file encap? */
>             NULL                 /* function to open for writing */
>         };
>         wtap_register_open_routine(myproto_open, TRUE);
>         encap_mst_file = wtap_register_encap_type("My PROTOCOL FILE",
>                                                   "myproto_file");
>         wf_myproto_file = wtap_register_file_type(&fi);
>     }
>
> As you see, you need an open routine (myproto_open). The open routine
> determines if the file is of the flavor you are looking for; if so, it
> creates a file structure used by Wireshark.
>
>     /* myproto_check_file(), myproto_read() and myproto_seek_read() are the
>        plugin's own routines, defined elsewhere in it. */
>     int myproto_open(wtap *wth, int *err, gchar **err_info _U_) {
>         /* open routine. First determine if it is a myproto file. */
>         /* The open_file_* routines should return:
>              -1 on an I/O error;
>               1 if the file they're reading is one of the types it handles;
>               0 if the file they're reading isn't the type they're checking for.
>            If the routine handles this type of file, it should set the "file_type"
>            field in the "struct wtap" to the type of the file. */
>         if (!(myproto_check_file(wth, err))) {
>             if (*err == 0) {
>                 return 0;
>             }
>             else {
>                 return -1;
>             }
>         }
>
>         /* point to 1st line */
>         if (file_seek(wth->fh, 0, SEEK_SET, err) == -1) {
>             return -1;
>         }
>
>         wth->data_offset = 0;
>         wth->file_encap = WTAP_ENCAP_USER15;   /* encap type to use if saved as a
>                                                   pcap file */
>         wth->file_type = wf_myproto_file;      /* the file type registered above */
>         wth->subtype_read = myproto_read;      /* routines to go for reading and
>                                                   seeking */
>         wth->subtype_seek_read = myproto_seek_read;
>         wth->snapshot_length = 0;              /* not known */
>         wth->tsprecision = WTAP_FILE_TSPREC_CSEC;
>
>         return 1;
>     }
>
> As an FYI, to get the plugin's wtap routines to register, I had to modify
> the local Makefile.am for plugin.c to look for the wtap register routine
> (only for the Python build which I am using):
>
>     plugin.c: $(DISSECTOR_SRC) $(top_srcdir)/tools/make-dissector-reg \
>         $(top_srcdir)/tools/make-dissector-reg.py
>     	@if test -n "$(PYTHON)"; then \
>     		echo Making plugin.c with python ; \
>     		$(PYTHON) $(top_srcdir)/tools/make-dissector-reg.py $(srcdir) \
>     		    plugin_wtap $(DISSECTOR_SRC) ; \
>     	else \
>     		echo Making plugin.c with shell script ; \
>     		$(top_srcdir)/tools/make-dissector-reg $(srcdir) \
>     		    $(plugin_src) plugin_wtap $(DISSECTOR_SRC) ; \
>     	fi
>
> Examples of these functions can be found in the wiretap directory. Best
> of luck.
>
> Alex Lindberg
>
> --- On Sat, 3/3/12, ashish goel <[email protected]> wrote:
>
> > From: ashish goel <[email protected]>
> > Subject: Re: [Wireshark-dev] How can I register a link layer protocol?
> > To: "Developer support list for Wireshark" <[email protected]>
> > Date: Saturday, March 3, 2012, 12:30 PM
> >
> > Hi Armando,
> >
> > Have you checked if your protocol is registered or not? One way to check
> > this is to type your protocol's name in Wireshark's Display Filter textbox;
> > the textbox's background should turn green.
> > If your protocol is registered and it is not showing as a valid protocol
> > while adding to the DLT_User encapsulation table, then the DLT_User file
> > might have been corrupted.
> > Try creating a new workspace and implement your changes into that. It
> > should work.
> >
> > 2012/3/3 Armando Vázquez <[email protected]>
> >
> > > Thanks Ashish!
> > >
> > > When I tried this my protocol does not show up as a valid protocol; why
> > > is that? I tried using my dissector for the header protocol, but it
> > > should also dissect 2 trailer bytes; does that represent a problem? What
> > > should I put in the header size field?
> > >
> > > Besides, I've read that using the GUI and editing the DLT_User is the
> > > same as using the function dissector_add_uint(); am I right? If so, why
> > > isn't it working? Should I change something else in pcap-common.c or
> > > wtap.c or wtap.h?
> > >
> > > Armando Vázquez Ramírez
> > >
> > > On Sat, Mar 3, 2012 at 6:27 AM, ashish goel <[email protected]> wrote:
> > >
> > > > Hi Armando,
> > > >
> > > > There is a way you can do it through the Wireshark GUI. Go to
> > > > Preferences -> Protocols -> DLT_User. Here click on Edit and add your
> > > > protocol on any of the User DLTs (147 - 162). But make sure that the
> > > > pcap file you are using has defined the same DLT value in its global
> > > > header.
> > > >
> > > > Hope this helps.
> > > >
> > > > Thanks,
> > > > Ashish
> > > >
> > > > 2012/3/2 Armando Vázquez <[email protected]>
> > > >
> > > > > Hi guys,
> > > > >
> > > > > I've read the developer's guide, README.developer and the wiretap
> > > > > plugin wiki and found no answer. Here is my problem. I'm trying to
> > > > > use Wireshark for dissecting a pcap capture of a protocol that is
> > > > > not currently defined in Wireshark. So I started writing a plugin,
> > > > > but I haven't been able to declare or register this dissector so it
> > > > > is enabled as a link layer dissector. I need to achieve this because
> > > > > this is not an internet protocol, so I need to identify it in this
> > > > > layer.
> > > > >
> > > > > I've already read this dev topic
> > > > > (http://www.mail-archive.com/[email protected]/msg05931.html)
> > > > > but I didn't understand it well.
> > > > >
> > > > > The dissection part works fine; I've tested it using a pcap and
> > > > > nesting it on top of TCP. I would really appreciate your help.
> > > > >
> > > > > Also I've added in wtap.h
> > > > >
> > > > >     #define WTAP_ENCAP_MYPROTOCOL 147
> > > > >
> > > > > and in wtap.c
> > > > >
> > > > >     static struct encap_type_info encap_table_base[] = {
> > > > >         ...
> > > > >         { "RESERVED 138", "res0" },
> > > > >         { "RESERVED 139", "res1" },
> > > > >         { "RESERVED 140", "res2" },
> > > > >         { "RESERVED 141", "res3" },
> > > > >         { "RESERVED 142", "res4" },
> > > > >         { "RESERVED 143", "res5" },
> > > > >         { "RESERVED 144", "res6" },
> > > > >         { "RESERVED 145", "res7" },
> > > > >         { "RESERVED 146", "res8" },
> > > > >
> > > > >         /* WTAP_ENCAP_MYPROTOCOL */
> > > > >         { "MY PROTOCOL", "myprotocol" }
> > > > >     };
> > > > >
> > > > > Here are the register and handoff sections of my code:
> > > > >
> > > > > ----------------------------------------------------------------------------------
> > > > >     void proto_register_myprotocol (void)
> > > > >     {
> > > > >         ...
> > > > >
> > > > >         myprotocol_dissector_table =
> > > > >             register_dissector_table("myprotocol.proto", "ACN protocol number",
> > > > >                                      FT_UINT8, BASE_HEX);
> > > > >         proto_register_field_array (proto_myprotocol, hf, array_length (hf));
> > > > >         proto_register_subtree_array (ett, array_length (ett));
> > > > >         register_dissector("myprotocol", dissect_myprotocol, proto_myprotocol);
> > > > >     }
> > > > >
> > > > >     void proto_reg_handoff_myprotocol(void)
> > > > >     {
> > > > >         data_handle = find_dissector("data");
> > > > >         myprotocol_handle = create_dissector_handle(dissect_myprotocol,
> > > > >                                                     proto_myprotocol);
> > > > >
> > > > >         dissector_add_uint("wtap_encap", WTAP_ENCAP_MYPROTOCOL, myprotocol_handle);
> > > > >         /* Registering this on top of TCP was only to develop the dissection
> > > > >            part; this won't be present in the release version. */
> > > > >         dissector_add_uint("tcp.port", global_myprotocol_port, myprotocol_handle);
> > > > >     }
> > > > > ----------------------------------------------------------------------------------
> > > > >
> > > > > This document is strictly confidential and intended only for use by
> > > > > the addressee unless otherwise stated. If you are not the intended
> > > > > recipient, please notify the sender immediately and delete it from
> > > > > your system.
> > > >
> > > > --
> > > > Thanks,
> > > > Ashish
> >
> > --
> > Thanks,
> > Ashish

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
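Ashish's remark that the pcap file must carry the same DLT value in its global header, and Armando's question about pcap-common.c, both come down to the link type field of the 24-byte pcap global header: the pcap reader maps DLT 147 to 162 onto WTAP_ENCAP_USER0 to WTAP_ENCAP_USER15 (so a new WTAP_ENCAP value added to wtap.h is never produced for pcap frames unless pcap-common.c maps a DLT to it), and that value is the key looked up in the "wtap_encap" table, which is why DLT 147 is dissected through DLT_User slot "User 0" and 162 through "User 15" (the WTAP_ENCAP_USER15 Alex uses). The following Python script is an added example, not code from any poster: it parses the global header, reports which DLT_User slot the link type falls in, and rewrites that field on a copy of a capture; the sample captures are constructed inline.

```python
import struct

# pcap magic as read little-endian from the first 4 bytes -> (byte order, timestamp unit)
PCAP_MAGICS = {
    0xa1b2c3d4: ("<", "us"),  # little-endian file, microsecond timestamps
    0xd4c3b2a1: (">", "us"),  # big-endian file, microsecond timestamps
    0xa1b23c4d: ("<", "ns"),  # little-endian file, nanosecond timestamps
    0x4d3cb2a1: (">", "ns"),  # big-endian file, nanosecond timestamps
}
DLT_USER_FIRST, DLT_USER_LAST = 147, 162  # the DLT_User range from the thread (User 0 .. User 15)

def parse_global_header(data):
    """Return (byte_order, ts_unit, (major, minor), snaplen, linktype) from a pcap global header."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header (24 bytes)")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a pcap file: magic 0x%08x" % magic)
    order, ts_unit = PCAP_MAGICS[magic]
    # fields: magic, version_major, version_minor, thiszone, sigfigs, snaplen, network (link type)
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(order + "IHHiIII", data[:24])
    return order, ts_unit, (vmaj, vmin), snaplen, linktype

def describe_linktype(linktype):
    """Name the DLT_User slot a link type selects, or say it is outside the user range."""
    if DLT_USER_FIRST <= linktype <= DLT_USER_LAST:
        return "User %d (DLT=%d)" % (linktype - DLT_USER_FIRST, linktype)
    return "DLT %d is outside the DLT_User range %d-%d" % (linktype, DLT_USER_FIRST, DLT_USER_LAST)

def set_linktype(data, new_linktype):
    """Return a copy of the capture whose global-header link type is new_linktype; records untouched."""
    order = parse_global_header(data)[0]
    return data[:20] + struct.pack(order + "I", new_linktype) + data[24:]

# Constructed sample captures: a global header (v2.4, snaplen 65535) plus one 4-byte frame record
# (ts_sec, ts_usec, incl_len, orig_len, data). Link type 1 is Ethernet, 147 is DLT_User 0.
_RECORD = struct.pack("<IIII", 1330732800, 0, 4, 4) + b"\xde\xad\xbe\xef"
SAMPLE_USER0 = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 147) + _RECORD
SAMPLE_ETHERNET = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1) + _RECORD
SAMPLE_BIG_ENDIAN = struct.pack(">IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 162)  # header only

if __name__ == "__main__":
    for cap in (SAMPLE_USER0, SAMPLE_ETHERNET, SAMPLE_BIG_ENDIAN):
        order, unit, ver, snap, lt = parse_global_header(cap)
        print("pcap v%d.%d %s-endian, %s timestamps, snaplen %d, linktype %d -> %s"
              % (ver[0], ver[1], "little" if order == "<" else "big", unit, snap, lt, describe_linktype(lt)))
```

Point it at a real file with `parse_global_header(open(path, "rb").read(24))`; if the reported slot does not match the DLT_User row you configured, Wireshark will not hand the frames to your dissector.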
