Ethereal-dev: Re: [Ethereal-dev] non-ethernet use of ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Mon, 13 Sep 2004 11:23:04 -0700
Ray Rizzuto wrote:
I would like to create a disector that will decode packets that have NO ethernet or IP headers. My disector will decode a proprietary link level, then make use of existing disectors to decode the payload. Is this possible?

Yes. We certainly support link layers other than Ethernet, and support protocols running atop Ethernet - or other link layers - other than IP.

Any hints on where to get started?

For starters, you will have to be able to read some capture file format that encapsulates your packets.

If you're not using an existing capture file format, you will have to add to Wiretap (the library Ethereal, Tethereal, etc. use to read and write capture files; it's in the "wiretap" subdirectory of the source) the ability to read that file format, if it's not a format it already reads.

If your link-layer protocol is the lowest-layer protocol that will be in the capture file, you will need a WTAP_ENCAP value to "wiretap/wtap.h" for that type, and will need to have the code in Wiretap that reads your capture files recognize captures with your protocol and use that encapsulation type. Note that if this is going to be a private version of Ethereal not supplied outside your organization, you can use one of the WTAP_ENCAP_USER{N} types - they were added specifically for this purpose, i.e. private encapsulation types. If you'll be making your changes to Ethereal publicly available, you should add a new WTAP_ENCAP value, and send your changes to us to make them part of the standard Ethereal release.

You will then make your dissector for your protocol register itself as the handler for that WTAP_ENCAP value with a call to "dissector_add()", using "wtap_encap" as the dissector table name and the WTAP_ENCAP value name as the value. See other calls to "dissector_add()" for examples.

If your protocol *isn't* the lowest-layer protocol, you'd have to arrange that your dissector be called by the dissector for the protocol below it. How that'd be done depends on that dissector; it might be possible to have your dissector register itself as the handler for some value.

Your dissector would then have to arrange to call dissectors for the protocol running atop it. We'd have to know how that'd be done - for example, if there's a "protocol type" value in your link-layer protocol, you might have to add a dissector table for that value and modify the other dissectors to register in your table, or, if the table has the same values as some other protocol's protocol type field (e.g., Ethernet types), you might be able to use that protocol's dissector table.