Wireshark-dev: [Wireshark-dev] Plugin development on Windows...
From: "Tobias Erichsen" <erichsen@xxxxxxxxxxxxx>
Date: Sun, 1 Oct 2006 12:06:54 +0200
Well, I guess that coding a plugin (especially if the protocol is not too
complex) will not be that hard.

What I find rather complex is setting up the environment to be able to compile
a plugin at all...

Do I need to compile Wireshark first to be able to compile plugin DLLs?
What kind of additional libraries & include files do I need on top of
the Ethereal source to be able to compile my own plugin DLL?

I would guess that quite a few more protocol dissectors/plugins would
be written if this process were a bit easier.  I guess a lot of
people are just repelled by how much they must do first, just to dissect
a couple of octets and display their content in legible form...

Tobias
> -----Original Message-----
> From: wireshark-dev-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On behalf of
> Jaap Keuter
> Sent: Sunday, 1 October 2006 07:48
> To: Developer support list for Wireshark
> Subject: Re: [Wireshark-dev] Question concerning some
> specific protocol... [heur]
> 
> Hi,
> 
> Ahhh, now it's getting simple. Just create a heuristic 
> dissector for your proprietary protocol. It DOES work by 
> recognition of (part of) content.
> For RTP you'll have to enable the preference "Try to decode 
> RTP outside of conversations". You can look in the RTP 
> dissector how it's done and use that same method in your own 
> dissector.
> 
> Thanx,
> Jaap
> 
> On Sat, 30 Sep 2006, Tobias Erichsen wrote:
> 
> > The problem is that the port is not fixed - the protocol(s) may run on
> > any ports.
> >
> > Are protocols that are recognized automatically by Wireshark always
> > recognized by the port, not by the content of the datagrams?
> >
> > I know that I can go on a sniffed packet and say "decode as" selecting
> > the protocol manually, but it would be cool to let Wireshark/my
> > protocol plugin find it out automatically if it finds any packets that
> > are encoded according to the proprietary protocol, and as soon as this
> > fact is established, all packets for this UDP port tuple will be
> > decoded by my plugin, even though some of the packets won't match the
> > proprietary signature (in this case I would know that it is RTP data
> > and decode accordingly)
> >
> > Tobias
> >
> > > -----Original Message-----
> > > From: wireshark-dev-bounces@xxxxxxxxxxxxx
> > > [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On behalf of Jaap
> > > Keuter
> > > Sent: Saturday, 30 September 2006 17:53
> > > To: Developer support list for Wireshark
> > > Subject: Re: [Wireshark-dev] Question concerning some specific
> > > protocol... [heur]
> > >
> > > Hi,
> > >
> > > Well that is simple then. Register your proprietary dissector for 
> > > the UDP port. If it's your protocol dissect it, otherwise hand it 
> > > over to the RTP dissector.
> > >
> > > Thanx,
> > > Jaap
> > >
> > > On Sat, 30 Sep 2006, Tobias Erichsen wrote:
> > >
> > > > Hi everyone,
> > > >
> > > > I have used Ethereal/Wireshark for some time now, and I would like to
> > > > contribute by developing a protocol plugin for a combination of a
> > > > proprietary and an open protocol based on RTP...
> > > >
> > > > Both protocols run on the same UDP port-pair tuple. The proprietary
> > > > protocol can be detected very easily, as it has an easy-to-distinguish
> > > > signature.  The RTP-based part is not, as RTP has really no good
> > > > recognition value.
> > > >
> > > > So how would I design such a dissector, so that if I detect the
> > > > easy-to-recognize proprietary protocol on a UDP port tuple, I could
> > > > then heuristically see that the other datagrams will be the RTP-based
> > > > ones and hand their decoding over appropriately (writing again my own
> > > > dissector for this specific RTP payload type)?
> > > >
> > > > Best regards,
> > > > Tobias
> > > >
> > > > PS.: I will be developing & testing the stuff on the Windows platform,
> > > > 'cause that's what I'm most familiar with ;-)
> > > >
> > >
> > > _______________________________________________
> > > Wireshark-dev mailing list
> > > Wireshark-dev@xxxxxxxxxxxxx
> > > http://www.wireshark.org/mailman/listinfo/wireshark-dev
> > >
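The approach Jaap describes (a heuristic UDP dissector that claims a datagram on its signature and otherwise hands the port tuple's remaining traffic to RTP) boils down to a per-conversation decision. The following is an added, self-contained C sketch of that decision logic; it is not Wireshark code and uses no Wireshark API. The `PROPRIETARY_MAGIC` bytes, the `classify` function and the small `conv_claimed` table standing in for Wireshark's conversation state are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed 4-byte signature standing in for the proprietary protocol's
   "easy-to-distinguish" header; a real dissector would check its own. */
static const uint8_t PROPRIETARY_MAGIC[4] = { 'P', 'R', 'O', 'P' };

enum verdict { REJECT = 0, PROPRIETARY = 1, RTP = 2 };

/* Stand-in for per-conversation state (Wireshark keeps this via its
   conversation API); indexed by a small id for the UDP address/port tuple. */
#define MAX_CONV 16
static bool conv_claimed[MAX_CONV];

static bool looks_like_proprietary(const uint8_t *buf, size_t len)
{
    return len >= sizeof PROPRIETARY_MAGIC &&
           memcmp(buf, PROPRIETARY_MAGIC, sizeof PROPRIETARY_MAGIC) == 0;
}

/* Weak RTP sanity check, in the spirit of the RTP dissector's
   "Try to decode RTP outside of conversations": a full fixed header is
   present, the version field is 2, and the payload type is not one of
   the RTCP packet types (72-76), which share the same bit layout. */
static bool looks_like_rtp(const uint8_t *buf, size_t len)
{
    if (len < 12 || (buf[0] >> 6) != 2)
        return false;
    uint8_t pt = buf[1] & 0x7f;
    return !(pt >= 72 && pt <= 76);
}

/* Decision a heuristic UDP dissector would make per datagram. REJECT is
   the equivalent of returning FALSE so other dissectors get a chance; the
   weak RTP match is only trusted once the tuple has proven itself ours,
   so a stray RTP-looking packet on another port is never misclaimed. */
enum verdict classify(int conv_id, const uint8_t *buf, size_t len)
{
    if (conv_id < 0 || conv_id >= MAX_CONV)
        return REJECT;
    if (looks_like_proprietary(buf, len)) {
        conv_claimed[conv_id] = true;   /* remember this port tuple */
        return PROPRIETARY;
    }
    if (conv_claimed[conv_id] && looks_like_rtp(buf, len))
        return RTP;                     /* hand over to the RTP dissector */
    return REJECT;
}
```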