Wireshark-dev: Re: [Wireshark-dev] Wireshark APIs for display
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Sat, 10 Mar 2007 06:42:24 +0100 (CET)
Hi,

I've seen it been done. It was based on a message decoder that passed back
a data structure of the message. Then there was a whole bunch of wireshark
code to display all the structure members. Varying messages had varying
structures so it ended up being a whole lot of proto_tree_add_*_format()
calls. Pointing to the relevant bytes from the decoded message can be
very hard as well.
It worked, when the messages were OK. Once a message error was received
the decoder returned FAIL, and there was nothing to display, rendering the
dissector useless for fault-finding.
So it's possible, but not a useful solution if your parser can't handle
message errors.

Thanx,
Jaap

On Fri, 9 Mar 2007, Guy Harris wrote:

>
> On Mar 9, 2007, at 1:51 PM, MKS {} wrote:
>
> > I have a protocol decode library for a protocol I have written in
> > C. This parses the packet stream and decodes packets.
> >
> > I wanted to use the UI and packet capture capabilities of Wireshark
> > to capture packets and display the messages. I wasn't interested in
> > the wireshark APIs for parsing the data. Has anyone done this before?
>
> Probably not, given that libwireshark is designed to, well, support
> Wireshark, which is a network analyzer, and, well, decodes packets.
>
> I would *VERY STRONGLY* suggest that if you want to use Wireshark to
> parse your protocol, you write a Wireshark-style protocol decoder for
> it, rather than trying to stuff into Wireshark a protocol decode
> library whose decoders don't work the way Wireshark decoders do.
>
> I.e., the code to display decoded packets in Wireshark assumes a
> Wireshark protocol tree was built, so all protocol decoders for
> Wireshark have to build a protocol tree.
>
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>
>
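The two design points raised in this thread, that display code needs to point at the relevant bytes and that a decoder returning FAIL leaves nothing to show for a malformed message, can be illustrated without the Wireshark API. The following is an added example, not code from the thread, from the poster's library, or from Wireshark. It assumes a constructed TLV message format (1 byte type, 1 byte TLV count, then tag/length/value triples) and uses plain C structures in place of proto_tree, so it builds and runs stand-alone. Every decoded field carries its byte offset and length, and a malformed message returns the fields decoded so far plus the offset where decoding stopped, so the output remains usable for fault-finding instead of disappearing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed format (assumption for this example, not a real protocol):
 * 1 byte type, 1 byte TLV count, then `count` TLVs of
 * 1 byte tag, 1 byte length, `length` value bytes. */

#define MAX_FIELDS 512  /* 2 header fields + 3 per TLV, count <= 255 */

typedef enum { DECODE_OK = 0, DECODE_TRUNCATED } decode_status_t;

/* One displayable field. offset/length are what a UI needs to highlight
 * the exact bytes; a bare "decoded struct" usually lacks them. */
typedef struct {
    const char *name;
    size_t offset;
    size_t length;
    uint32_t value;   /* first up to 4 value bytes, big-endian */
} field_t;

typedef struct {
    field_t fields[MAX_FIELDS];
    size_t nfields;
    decode_status_t status;
    size_t error_offset;  /* where decoding stopped; valid if status != DECODE_OK */
} decoded_msg_t;

static void add_field(decoded_msg_t *m, const char *name,
                      size_t off, size_t len, uint32_t v)
{
    if (m->nfields >= MAX_FIELDS) return;  /* cannot happen with count <= 255 */
    field_t *f = &m->fields[m->nfields++];
    f->name = name; f->offset = off; f->length = len; f->value = v;
}

/* Decode into *out. Never hands back "nothing": on error the fields read so
 * far and the stop offset are kept so the message can still be displayed. */
decode_status_t decode_message(const uint8_t *buf, size_t buflen,
                               decoded_msg_t *out)
{
    memset(out, 0, sizeof *out);
    if (buflen < 2) {
        out->status = DECODE_TRUNCATED;
        out->error_offset = buflen;
        return out->status;
    }
    add_field(out, "type", 0, 1, buf[0]);
    uint8_t count = buf[1];
    add_field(out, "count", 1, 1, count);

    size_t off = 2;
    for (unsigned i = 0; i < count; i++) {
        if (off + 2 > buflen) {          /* tag and length bytes missing */
            out->status = DECODE_TRUNCATED;
            out->error_offset = off;
            return out->status;
        }
        uint8_t tag = buf[off], len = buf[off + 1];
        add_field(out, "tlv.tag", off, 1, tag);
        add_field(out, "tlv.len", off + 1, 1, len);
        if (off + 2 + len > buflen) {    /* length claims bytes the message lacks */
            out->status = DECODE_TRUNCATED;
            out->error_offset = off + 2;
            return out->status;
        }
        uint32_t v = 0;
        for (size_t j = 0; j < len && j < 4; j++)
            v = (v << 8) | buf[off + 2 + j];
        add_field(out, "tlv.value", off + 2, len, v);
        off += 2 + len;
    }
    if (off < buflen)  /* bytes after the last declared TLV are reported, not dropped */
        add_field(out, "trailing", off, buflen - off, 0);
    return out->status;
}

/* Stand-in for the proto_tree display code: one line per field, plus a
 * marker line when the message was malformed. */
void render(const decoded_msg_t *m, FILE *fp)
{
    for (size_t i = 0; i < m->nfields; i++)
        fprintf(fp, "  %-10s bytes [%zu,%zu) = 0x%x\n", m->fields[i].name,
                m->fields[i].offset, m->fields[i].offset + m->fields[i].length,
                (unsigned)m->fields[i].value);
    if (m->status != DECODE_OK)
        fprintf(fp, "  [malformed: decoding stopped at byte %zu]\n", m->error_offset);
}

/* Constructed samples: a well-formed message, and one whose second TLV
 * declares 4 value bytes while only 1 remains. */
const uint8_t sample_ok[]  = {0x01, 0x02, 0x10, 0x02, 0xAB, 0xCD, 0x11, 0x01, 0x7F};
const uint8_t sample_bad[] = {0x01, 0x02, 0x10, 0x02, 0xAB, 0xCD, 0x11, 0x04, 0x7F};

/* 1 if decoding buf gives the expected status, field count and stop offset. */
int check_sample(const uint8_t *buf, size_t len, decode_status_t exp_status,
                 size_t exp_fields, size_t exp_error_offset)
{
    decoded_msg_t m;
    decode_message(buf, len, &m);
    return m.status == exp_status && m.nfields == exp_fields &&
           (exp_status == DECODE_OK || m.error_offset == exp_error_offset);
}

/* Value of the idx-th decoded field, or UINT32_MAX if there is none. */
uint32_t nth_value(const uint8_t *buf, size_t len, size_t idx)
{
    decoded_msg_t m;
    decode_message(buf, len, &m);
    return idx < m.nfields ? m.fields[idx].value : UINT32_MAX;
}

int main(void)
{
    decoded_msg_t m;
    puts("well-formed:");
    decode_message(sample_ok, sizeof sample_ok, &m);
    render(&m, stdout);
    puts("truncated:");
    decode_message(sample_bad, sizeof sample_bad, &m);
    render(&m, stdout);
    return 0;
}
```

The malformed sample still renders seven fields and a marker at byte 8, which is the behaviour a dissector needs when the capture is being used to find out why a peer is sending bad messages; a decoder that returns only FAIL gives the analyst nothing to look at.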