Wireshark-dev: Re: [Wireshark-dev] Using wireshark as decoder / viewer for proprietary protocol
From: Gregory Seidman <gsslist+wireshark@xxxxxxxxxxxxxxxxxx>
Date: Wed, 26 Jan 2011 11:04:43 -0500
On Tue, Jan 25, 2011 at 07:57:15PM +0100, Steffen Dettmer wrote:
> Hi,
> 
> I have a proprietary, stream-oriented transport protocol, typically
> used on serial links, which is difficult to "parse" by hand. The
> protocol has port numbers, flags and sequence numbers (similar to
> TCP). For TCP, wireshark offers lovely ways to view, analyze and
> evaluate traffic. I would like to have the same for my serial
> protocol.
> 
> Is wireshark suited to view, analyze and evaluate such a proprietary
> protocol?

Yes. I've done exactly that.

> I took a look at the documentation and read about dissectors. As far
> as I understand essentially they could be implemented in C, Python or
> Lua, is that right?

I did it in C.

> I'd guess a scripting language is more comfortable to use here, so I
> think I'd try to learn the basics of Python or Lua to write some frame
> decoder. Also, I think a small script file would be easier to pass
> around (w/o requiring to recompile/relink wireshark). Is that true?

You can build dissectors in C as plugins and easily distribute them for use
in stock Wireshark installs.

> Since my protocol usually is not used on top of TCP (but plain serial
> lines), I think I'd start with text2pcap with serial hex dumps, but as
> far as I understood the resulting pcap file is expected to include
> Ethernet frames, so I'd get a difficulty here?

You can use a different encapsulation. I no longer remember exactly what I
did, I'm afraid, but PCAP has some user-defined or reserved or something
encapsulation type that you can set to pass dissection to your dissector in
the Wireshark preferences.

> Any comments appreciated,
> Steffen
--Greg
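The "user-defined" encapsulation Greg is thinking of is one of the reserved link types LINKTYPE_USER0 through LINKTYPE_USER15 (147 through 162). A pcap file written with one of those link types carries raw frames with no Ethernet header, and Wireshark's DLT_USER protocol preferences (Edit > Preferences > Protocols > DLT_USER) let you point that link type at your own dissector, whether it is written in C or Lua. If you go the text2pcap route, `-l 147` sets the link type instead of the Ethernet default. The script below is an added example, not part of this thread and not Wireshark project code: it turns a serial hex dump into a pcap with LINKTYPE_USER0 directly, so the frames land in your dissector without any fake Ethernet framing. The dump format (one frame per line, hex bytes separated by whitespace, `#` comments) and the two sample frames, with their assumed port/flags/sequence header layout, are constructed for the illustration.

```python
"""Write a serial hex dump into a pcap file with LINKTYPE_USER0 (147).

Added example for the thread above, not code from the original post or from
Wireshark. The hex-dump format and the sample frames are constructed; the
header layout (src port, dst port, flags, 16-bit seq) is a hypothetical
stand-in for the poster's proprietary protocol.
"""
import struct

# LINKTYPE_USER0 .. LINKTYPE_USER15 are 147..162, reserved for private use.
# Wireshark maps each of them to a dissector via the DLT_USER preferences.
LINKTYPE_USER0 = 147

PCAP_MAGIC = 0xA1B2C3D4  # microsecond-resolution pcap, written little-endian
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

# Constructed sample dump: [src port][dst port][flags][seq hi][seq lo][payload...]
SAMPLE_DUMP = """\
# two frames of a hypothetical serial transport protocol
01 02 00 00 01 48 69     # port 1 -> 2, flags 0x00, seq 1, "Hi"
02 01 10 00 02 4f 4b     # port 2 -> 1, flags 0x10, seq 2, "OK"
"""


def parse_hex_dump(text):
    """Return one bytes object per non-empty, non-comment line of the dump."""
    frames = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing '#' comments
        if not line:
            continue
        frames.append(bytes(int(tok, 16) for tok in line.split()))
    return frames


def build_pcap(frames, linktype=LINKTYPE_USER0, start_ts=0.0, interval=0.001):
    """Serialise frames into a pcap byte string, one record per frame.

    Serial dumps usually carry no timestamps, so a fixed spacing is synthesised
    to keep Wireshark's time column in capture order.
    """
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for i, frame in enumerate(frames):
        ts = start_ts + i * interval
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += RECORD_HDR.pack(sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def read_pcap(data):
    """Parse a pcap byte string back into (linktype, [frames]).

    Only the little-endian 2.4 layout written by build_pcap is accepted; it is
    here to check the writer round-trips and rejects a truncated record.
    """
    magic, major, minor, _tz, _sf, _snap, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC or (major, minor) != (2, 4):
        raise ValueError("not a little-endian pcap 2.4 file")
    frames = []
    off = GLOBAL_HDR.size
    while off < len(data):
        if off + RECORD_HDR.size > len(data):
            raise ValueError("truncated record header")
        _sec, _usec, incl, _orig = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + incl > len(data):
            raise ValueError("truncated record")
        frames.append(data[off:off + incl])
        off += incl
    return linktype, frames


if __name__ == "__main__":
    frames = parse_hex_dump(SAMPLE_DUMP)
    with open("serial.pcap", "wb") as fh:
        fh.write(build_pcap(frames))
    print(f"wrote {len(frames)} frames with linktype {LINKTYPE_USER0} to serial.pcap")
```

Open the resulting file in Wireshark, set the DLT_USER table entry for "User 0 (DLT=147)" to your protocol's name, and each record is handed to your dissector as the whole frame; a Lua dissector can also register itself for that encapsulation directly with `DissectorTable.get("wtap_encap"):add(wtap.USER0, proto)`. Because the record length is the frame length, the dissector sees exactly one serial frame per packet, which is the segmentation you want before adding the TCP-style port, flag and sequence-number analysis on top.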