Wireshark-dev: Re: [Wireshark-dev] protocol question
f27jx652 wrote:
> Do you provide guidelines for development of in-house (private)
> protocols/capture filters for use with Ethereal/Wireshark?
The term "capture filter" refers to the filters used when capturing
traffic. Those filters are implemented in libpcap/WinPcap, not in
Wireshark; if you wanted to add additional capabilities to them, you
would have to modify libpcap.
In addition, note that they are implemented using an interpreter for a
simple pseudo-machine-language, so that a filter "program" can be safely
added into the kernel (filtering is done in the kernel on a number of
platforms, so packets that don't match the filter aren't copied to user
space, saving CPU time). Therefore, there are only a limited number of
things that can be tested in a capture filter.
> Where can I add SMS, Wap Push & SMS protocol capturing abilities?
If the traffic in question is going over a link-layer type on which
Wireshark can already capture, there are no capabilities that need to be
added.
If it's going over a link-layer type on which Wireshark can't capture,
that would, again, require changes to libpcap/WinPcap, as packet
capturing in Wireshark is done in libpcap/WinPcap.
Note, however, that packet *capturing* and packet *dissection* are
completely decoupled. Wireshark can dissect packets that it can't
capture (because it can read them from capture files from other
analyzers that can capture traffic on link-layer types on which
libpcap/WinPcap can't capture), and it can capture traffic that it can't
completely dissect (because it doesn't have dissectors for all the
protocol layers in the packet).
Are you trying to add the ability to *capture* that traffic, or
*dissect* it? I think our WAP dissector can already dissect push
traffic; we might have dissectors for at least some protocols used for SMS.
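Added example (not code from the post above, nor from Wireshark or libpcap) illustrating the two points the reply makes: a capture filter such as "udp port 53" reduces to tests on a few fixed byte offsets of the raw frame, which is why it is cheap enough to run in the kernel but limited in what it can express, while dissection is a separate pass that walks the protocol layers and falls back to undissected "data" at the first layer it has no dissector for. The pcap writer/reader, the toy dissector table, the function names (capture_filter_udp_port, dissect_frame, build_udp_frame) and the sample packets are all constructed for this example.

```python
# Added example, not code from the mailing-list post or from Wireshark/libpcap.
# Names, the toy dissector table and the sample frames are assumptions.
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1  # libpcap DLT_EN10MB


def write_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Serialize (ts_sec, ts_usec, frame) tuples into a classic little-endian pcap."""
    buf = io.BytesIO()
    # magic, version 2.4, thiszone, sigfigs, snaplen, link-layer type
    buf.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for ts_sec, ts_usec, frame in packets:
        buf.write(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        buf.write(frame)
    return buf.getvalue()


def read_pcap(data):
    """Parse a classic pcap file; returns (linktype, [frame, ...])."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    off, frames = 24, []
    while off + 16 <= len(data):
        _s, _us, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append(data[off:off + incl])
        off += incl
    return linktype, frames


def capture_filter_udp_port(frame, port):
    """What 'udp port N' boils down to: fixed-offset byte tests on the raw frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType must be IPv4
        return False
    ihl = (frame[14] & 0x0F) * 4                          # IP header length
    if frame[23] != 17:                                   # IP protocol must be UDP
        return False
    if (frame[20] & 0x1F) or frame[21]:                   # non-first fragment: no ports
        return False
    udp = 14 + ihl
    if len(frame) < udp + 4:
        return False
    sport, dport = struct.unpack_from("!HH", frame, udp)
    return port in (sport, dport)


def dissect_dns(payload):
    """Toy DNS dissector: only the fixed header fields."""
    txid, flags, qdcount = struct.unpack_from("!HHH", payload, 0)
    return {"id": txid, "qr": flags >> 15, "qdcount": qdcount}


# Toy dissector table keyed by UDP port; anything unregistered stays raw "data".
UDP_DISSECTORS = {53: ("dns", dissect_dns)}


def dissect_frame(frame):
    """Walk eth -> ipv4 -> udp -> registered payload dissector, else raw 'data'."""
    layers = []
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    layers.append(("eth", {"type": ethertype}))
    if ethertype != 0x0800:
        layers.append(("data", {"len": len(frame) - 14}))
        return layers
    ip = frame[14:]
    vihl, _tos, total_len, _id, _ff, _ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", ip, 0)
    ihl = (vihl & 0x0F) * 4
    layers.append(("ipv4", {"proto": proto,
                            "src": ".".join(map(str, src)),
                            "dst": ".".join(map(str, dst))}))
    if proto != 17:
        layers.append(("data", {"len": total_len - ihl}))
        return layers
    udp = ip[ihl:total_len]
    sport, dport, ulen, _ucsum = struct.unpack_from("!HHHH", udp, 0)
    payload = udp[8:ulen]
    layers.append(("udp", {"sport": sport, "dport": dport}))
    entry = UDP_DISSECTORS.get(dport) or UDP_DISSECTORS.get(sport)
    if entry is None:
        layers.append(("data", {"len": len(payload)}))   # captured, not dissected
    else:
        name, fn = entry
        layers.append((name, fn(payload)))
    return layers


def build_udp_frame(sport, dport, payload):
    """Constructed sample frame: Ethernet/IPv4/UDP with zeroed checksums."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53])) + udp
    return b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + ip
```

The pcap global header carries the link-layer type, which is what lets a reader dissect frames from a link type it could never capture on itself; conversely, a frame to port 9999 passes through the same capture path as the DNS one but ends in a "data" layer because nothing is registered for it.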