Wireshark-bugs: [Wireshark-bugs] [Bug 4805] Dissectors for data link types
Date: Sat, 29 May 2010 15:39:49 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4805

--- Comment #2 from Guy Harris <guy@xxxxxxxxxxxx> 2010-05-29 15:39:47 PDT ---
The current Ethernet dissector dissects packets as if they have a 6-octet
destination address, followed by a 6-octet source address, followed by a
2-octet type/length field.  In your example, you say that the proprietary
protocol has "a specific (proprietary) ether-type", so, presumably, the packets
with that protocol have the same 2-octet type/length that other Ethernet
packets do, and the only reason to dissect the packets differently from any
other Ethernet packets would be if you wanted to dissect the destination or
source address differently.  Otherwise, you could just create a dissector for
your protocol and have it register itself in the "ethertype" dissector table
with its proprietary Ethertype.

If you really need to do that, at least in the 1.3.x (development) version of
Wireshark, you could add a heuristic dissector to the "eth" heuristic dissector
table; that dissector would have to check for the ethertype itself, and dissect
the entire Ethernet header itself.

If you're adding a *new* data link type, you would have to modify the Wiretap
library code to create a new WTAP_ENCAP_ value for that new data link type and
to return that type for packets of that type (see my response to your bug about
LAPV5), write a dissector for it the same way you'd write a dissector for any
other protocol, and register it in the "wtap_encap" dissector table using the
new WTAP_ENCAP_ value; that's already supported by Wireshark.

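The first option in the comment above (a separate dissector registered in the "ethertype" dissector table) can be sketched with Wireshark's Lua API. This is an added example, not code from the bug report or from Wireshark itself. The protocol name, its 4-octet header layout and the Ethertype value are assumptions standing in for the proprietary protocol.

```lua
-- Added example: hypothetical proprietary protocol carried directly over Ethernet.
-- Placeholder Ethertype: 0x88B5 is IEEE 802 Local Experimental Ethertype 1.
local PROPRIETARY_ETHERTYPE = 0x88B5

local myproto = Proto("myproto", "Example Proprietary Protocol")

-- Assumed layout: version (1), message type (1), payload length (2), payload.
local f_version = ProtoField.uint8("myproto.version", "Version", base.DEC)
local f_msgtype = ProtoField.uint8("myproto.msgtype", "Message Type", base.HEX)
local f_length  = ProtoField.uint16("myproto.length", "Payload Length", base.DEC)
local f_payload = ProtoField.bytes("myproto.payload", "Payload")
myproto.fields = { f_version, f_msgtype, f_length, f_payload }

function myproto.dissector(tvb, pinfo, tree)
    -- tvb starts after the 14-octet Ethernet header: the Ethernet dissector
    -- has already handled both addresses and the type/length field.
    pinfo.cols.protocol = "MYPROTO"
    local subtree = tree:add(myproto, tvb(), "Example Proprietary Protocol")

    if tvb:len() < 4 then
        subtree:add_expert_info(PI_MALFORMED, PI_ERROR,
                                "Header truncated (need 4 octets)")
        return
    end

    subtree:add(f_version, tvb(0, 1))
    subtree:add(f_msgtype, tvb(1, 1))
    subtree:add(f_length,  tvb(2, 2))

    -- Short frames are padded to the Ethernet minimum, so bound the payload
    -- by the declared length, and never trust it beyond the captured data.
    local declared  = tvb(2, 2):uint()
    local available = tvb:len() - 4
    if declared > available then
        subtree:add_expert_info(PI_MALFORMED, PI_WARN,
                                "Declared length exceeds captured data")
        declared = available
    end
    if declared > 0 then
        subtree:add(f_payload, tvb(4, declared))
    end
    pinfo.cols.info = string.format("Type 0x%02x, %d payload octets",
                                    tvb(1, 1):uint(), declared)
end

-- Ask the Ethernet dissector to hand frames with this Ethertype to myproto.
DissectorTable.get("ethertype"):add(PROPRIETARY_ETHERTYPE, myproto)
```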