>On Tue, Dec 11, 2007 at 01:09:21PM -0800, Benn
Bollay wrote:
>> I'm trying to write a dissector for ethernet
trailers. It seems like
>> the ideal way would be to hook the
existing ethernet dissector and
>> have it call my dissector, however I
can't figure out any way of doing
>> this on the existence of the
trailer that doesn't require manipulating
>> packet-eth.c (I was hoping
for a plugin). I was looking at doing this
>> as a postdissector,
but then I would have to parse the relevent
>> headers to determine
where the end of the "proper" packet lay, which
>> seemed like a lot of
unnecessary duplicate work.
>
>
The Ethernet dissector already handles the display of Ethernet
trailers
> when it can guess that
they are present based on comparing the size of
> the packet to the minimum packet size of
Ethernet. The current
>
functionality highlights the trailer bytes when selecting the
Ethernet
> dissector and displays
them under the Ethernet dissector's tree. Is
> there something more you're looking to
do?
I think it does a little more then that, since it
correctly identifies the location of trailers even on full MTU sized packets it
must therefor have some idea where the IP packet ends. The actual use case
involves some data I'm throwing in the trailer for internal testing, and I'd
like to dissect it within wireshark itself. We have a modified tcpdump
that does this behavior, but I'd love to have a plugin for
wireshark.
Cheers,
--Benn
