0
votes

I have to write a Wireshark dissector as a plugin for a protocol. I have one captured file containing hexadecimal byte code input that is to be dissected through my dissector/plugin.

How do I do it?
I've built one basic Wireshark plugin as per

https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html

and doc/README.plugins

so I know the basic steps to build a Wireshark plugin (custom extension). But I don't know where to put that file to analyze, or what functions I need to write in my packet-dissector.c.
Any suggestions?
Thanks.


3 Answers

2
votes

There's a third-party plugin, the Wireshark Generic Dissector, which lets you dissect protocols without writing any code. Binary versions of the plugin are available for Windows and at least some Linux distributions; source is available so that you can compile it for other platforms. You might want to see whether that would make it easier.

1
votes

There are a lot of packet-xxx.c files in the epan tree. Depending on the base protocol (UDP/TCP/other), select one of the protocol dissectors and look at what has been used to dissect the protocol. This should be a good template for your dissector.

Further, you should consider that a dissector can be sophisticated, showing a lot of details, flow analysis, protocol violation indication, and so on. What is really required depends on the expectations of the dissector and can't be answered in general.

0
votes

If it's being created as a plugin, add a new directory for your protocol in the plugins folder. Add the needed files (Makefile.am, CMakeLists.txt, etc. and your .c) in this directory. Change the makefiles to compile and create a DLL for your new dissector. Look at the Gryphon plugin example and make similar changes for your dissector.

This should create "yourproto.dll" in the run directory, which means Wireshark is ready to recognize your protocol.
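The dissector skeleton the answers describe (register the protocol and its fields, a dissect function, and a handoff that hooks it into a port table), written here as a Lua script rather than a C plugin so it can be dropped into the personal plugins folder without a build; this is an added example, not code from the question or any of the answers. The protocol layout (1-byte type, 2-byte big-endian payload length, payload) and UDP port 9999 are assumptions made for the example; the same four pieces map one-to-one onto proto_register_xxx, hf_register_info, dissect_xxx and proto_reg_handoff_xxx in a C packet-xxx.c.

```lua
-- Minimal dissector for a hypothetical "EXAMPLE" protocol (assumed layout:
-- 1-byte message type, 2-byte big-endian payload length, payload bytes).
-- Save as example.lua in the personal plugins directory listed under
-- Help -> About Wireshark -> Folders; Wireshark loads it at startup.
local example_proto = Proto("example", "Example Protocol")

-- Field definitions; the abbreviations become display-filter names.
local f_type    = ProtoField.uint8 ("example.type",    "Message Type",   base.DEC)
local f_len     = ProtoField.uint16("example.len",     "Payload Length", base.DEC)
local f_payload = ProtoField.bytes ("example.payload", "Payload")
example_proto.fields = { f_type, f_len, f_payload }

-- Expert info used to flag a length field that exceeds the captured data.
local ef_bad_len = ProtoExpert.new("example.bad_len",
                                   "Length field exceeds captured data",
                                   expert.group.MALFORMED, expert.severity.ERROR)
example_proto.experts = { ef_bad_len }

local HEADER_LEN = 3

-- Called once for every packet handed to this protocol.
function example_proto.dissector(tvb, pinfo, tree)
  if tvb:captured_len() < HEADER_LEN then
    return 0   -- too short to be ours: let Wireshark try other dissectors
  end
  pinfo.cols.protocol = "EXAMPLE"

  local subtree = tree:add(example_proto, tvb(), "Example Protocol")
  subtree:add(f_type, tvb(0, 1))
  local len_item    = subtree:add(f_len, tvb(1, 2))
  local payload_len = tvb(1, 2):uint()
  pinfo.cols.info = string.format("type=%d len=%d", tvb(0, 1):uint(), payload_len)

  -- Never trust a length taken from packet data: clamp it to what was captured
  -- so a bad or hostile packet cannot make the dissector read past the buffer.
  local available = tvb:captured_len() - HEADER_LEN
  if payload_len > available then
    len_item:add_proto_expert_info(ef_bad_len)
    payload_len = available
  end
  if payload_len > 0 then
    subtree:add(f_payload, tvb(HEADER_LEN, payload_len))
  end
  return HEADER_LEN + payload_len
end

-- Handoff: register for UDP port 9999 (assumed for this example).
DissectorTable.get("udp.port"):add(9999, example_proto)
```

With the script in place, frames on that port appear under the "EXAMPLE" protocol and the fields can be filtered with expressions such as example.type == 1.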