Wireshark mailing list archives

Re: Using wireshark as decoder / viewer for proprietary protocols?


From: Gregory Seidman <gsslist+wireshark () anthropohedron net>
Date: Wed, 26 Jan 2011 11:04:43 -0500

On Tue, Jan 25, 2011 at 07:57:15PM +0100, Steffen Dettmer wrote:
> Hi,
>
> I have a proprietary, stream-oriented transport protocol, typically
> used on serial links, which is difficult to "parse" by hand. The
> protocol has port numbers, flags and sequence numbers (similar to
> TCP). For TCP, wireshark offers lovely ways to view, analyze and
> evaluate traffic. I would like to have the same for my serial
> protocol.
>
> Is wireshark suited to view, analyze and evaluate such a proprietary
> protocol?

Yes. I've done exactly that.

> I took a look at the documentation and read about dissectors. As far
> as I understand, essentially they could be implemented in C, Python or
> Lua, is that right?

I did it in C.

> I'd guess a scripting language is more comfortable to use here, so I
> think I'd try to learn the basics of Python or Lua to write some frame
> decoder. Also, I think a small script file would be easier to pass
> around (w/o requiring to recompile/relink wireshark). Is that true?

You can build dissectors in C as plugins and easily distribute them for use
in stock Wireshark installs.

> Since my protocol is usually not used on top of TCP (but plain serial
> lines), I think I'd start with text2pcap with serial hex dumps, but as
> far as I understood the resulting pcap file is expected to include
> Ethernet frames, so I'd run into a difficulty here?

You can use a different encapsulation. I no longer remember exactly what I
did, I'm afraid, but PCAP has some user-defined or reserved or something
encapsulation type that you can set to pass dissection to your dissector in
the Wireshark preferences.

> Any comments appreciated,
> Steffen
--Greg

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
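What the thread sketches, as an added example that is not Greg's code and not part of the Wireshark project: a Lua dissector for a hypothetical serial transport with the kind of header Steffen describes (source and destination port, flags, sequence number), registered directly on the user-defined encapsulation so a pcap produced from a serial hex dump is handed to this dissector instead of being decoded as Ethernet. The header layout, the magic byte, the flag bits and the `serialtp` protocol name are all assumptions made for the example; the Wireshark Lua API calls (`Proto`, `ProtoField`, `ProtoExpert`, `DissectorTable.get("wtap_encap")`, `wtap.USER0`) are real.

```lua
-- Added example, not from the original thread or the Wireshark project.
-- Hypothetical serial transport header (layout is an assumption):
--   offset 0     uint8   magic, always 0x5A
--   offset 1-2   uint16  source port      (big-endian)
--   offset 3-4   uint16  destination port (big-endian)
--   offset 5     uint8   flags: bit0 SYN, bit1 ACK, bit2 FIN
--   offset 6-9   uint32  sequence number  (big-endian)
--   offset 10-11 uint16  payload length   (big-endian)
--   offset 12..  payload
local HDR_LEN = 12
local MAGIC   = 0x5A

local serial_tp = Proto("serialtp", "Hypothetical Serial Transport")

local f = {
  magic = ProtoField.uint8 ("serialtp.magic",   "Magic",            base.HEX),
  sport = ProtoField.uint16("serialtp.sport",   "Source port",      base.DEC),
  dport = ProtoField.uint16("serialtp.dport",   "Destination port", base.DEC),
  flags = ProtoField.uint8 ("serialtp.flags",   "Flags",            base.HEX),
  syn   = ProtoField.bool  ("serialtp.flags.syn", "SYN", 8, nil, 0x01),
  ack   = ProtoField.bool  ("serialtp.flags.ack", "ACK", 8, nil, 0x02),
  fin   = ProtoField.bool  ("serialtp.flags.fin", "FIN", 8, nil, 0x04),
  seq   = ProtoField.uint32("serialtp.seq",     "Sequence number",  base.DEC),
  len   = ProtoField.uint16("serialtp.len",     "Payload length",   base.DEC),
  data  = ProtoField.bytes ("serialtp.payload", "Payload"),
}
serial_tp.fields = { f.magic, f.sport, f.dport, f.flags, f.syn, f.ack, f.fin,
                     f.seq, f.len, f.data }

-- Expert infos so malformed frames are flagged in the Expert Info dialog
-- instead of silently producing garbage fields.
local ef_magic = ProtoExpert.new("serialtp.bad_magic", "Bad magic byte",
                                 expert.group.MALFORMED, expert.severity.ERROR)
local ef_short = ProtoExpert.new("serialtp.truncated",
                                 "Frame shorter than declared payload length",
                                 expert.group.MALFORMED, expert.severity.WARN)
serial_tp.experts = { ef_magic, ef_short }

function serial_tp.dissector(tvb, pinfo, tree)
  -- Not even a full header: refuse the frame rather than index past the end.
  if tvb:len() < HDR_LEN then return 0 end

  pinfo.cols.protocol = "SERIALTP"
  local st = tree:add(serial_tp, tvb(0, HDR_LEN), "Hypothetical Serial Transport")

  st:add(f.magic, tvb(0, 1))
  if tvb(0, 1):uint() ~= MAGIC then
    st:add_proto_expert_info(ef_magic)
    return 0
  end

  st:add(f.sport, tvb(1, 2))
  st:add(f.dport, tvb(3, 2))
  local flags_item = st:add(f.flags, tvb(5, 1))
  flags_item:add(f.syn, tvb(5, 1))   -- bitmask fields render as sub-items
  flags_item:add(f.ack, tvb(5, 1))
  flags_item:add(f.fin, tvb(5, 1))
  st:add(f.seq, tvb(6, 4))
  st:add(f.len, tvb(10, 2))

  -- Never trust the declared length: clamp it to what the frame really holds.
  local plen  = tvb(10, 2):uint()
  local avail = tvb:len() - HDR_LEN
  if plen > avail then
    st:add_proto_expert_info(ef_short)
    plen = avail
  end
  if plen > 0 then st:add(f.data, tvb(HDR_LEN, plen)) end

  pinfo.cols.info = string.format("%d -> %d seq=%d flags=0x%02x len=%d",
    tvb(1, 2):uint(), tvb(3, 2):uint(), tvb(6, 4):uint(), tvb(5, 1):uint(), plen)
  return HDR_LEN + plen
end

-- Bind to the user-defined encapsulation: pcap link type 147 (DLT_USER0)
-- is presented to dissectors as wtap.USER0 in the "wtap_encap" table.
DissectorTable.get("wtap_encap"):add(wtap.USER0, serial_tp)
```

Save this as `serialtp.lua` and load it with `wireshark -X lua_script:serialtp.lua` (or drop it into the Lua plugins directory). To get the serial hex dump into a pcap with the matching encapsulation, give text2pcap the link-layer type explicitly, `text2pcap -l 147 dump.txt dump.pcap`, instead of letting it default to Ethernet; registering on `wtap_encap` as above is what the Edit > Preferences > Protocols > DLT_USER table would otherwise be used for. One caveat for a stream-oriented serial link: text2pcap starts a new record at every offset-zero line of the dump, so each record must contain exactly one frame for this dissector to work as written; if frames can straddle records, the dissector needs the reassembly logic that a TCP-based protocol would get from `desegment_len`, which this example does not attempt.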
