Re: Wireshark Dissector

[suraj mukade <surajmukade () gmail com>]

It means
dissector_add_uint("ethertype", {your ethertype value}, foo_handle); alone
should work without any problem.

One more question, Is there any way to prepare sample capture file to test
our dissector?
Can we edit/modify any captured file by wireshark?


On Wed, Jun 26, 2013 at 11:31 AM, Guy Harris <guy () alum mit edu> wrote:

> On Jun 25, 2013, at 9:23 PM, suraj mukade <surajmukade () gmail com> wrote:
>
> > Thanks for the precise answer. I understood thing dissector_add_uint();
> > But I am not clear with dissector table concept.
> > Let me explain, My Ethernet frame will have some Ethernet type value
> (for example "ABCD")which wireshark doesn’t understand.
> > So if the frame with Ethernet type value="ABCD" comes how wireshark will
> know that it has to call my dissector? What is the way to register that
> value.
>
> Somebody once told you
>
> > you would have your dissector do
> >
> >          dissector_add_uint("ethertype", {your ethertype value}, {a
> handle for your dissector});
> > where {your ethertype value} is the Ethernet type value registered for
> your protocol and {a handle for your dissector} is, well, a handle for your
> dissector, created with, for example, register_dissector() or
> new_register_dissector() or create_dissector_handle() or
> new_create_dissector_handle().
>
> I would suggest that you listen to him.
>
> > Sorry if I am wrong I am trying to analog it with the call
> dissector_add("udp.port", global_foo_port, foo_handle);
> > where we are requesting Wireshark to call foo_handle on receiving packet
> on UDP port global_foo_port.
> > In short is it not sufficient to do similar call as in case of UDP?
>
> No, because we renamed dissector_add() to dissector_add_uint().  It
> *would* be analogous if you did
>
>         dissector_add_uint("udp.port", global_foo_port, foo_handle);
>
> because what you'd be doing would be
>
>         dissector_add_uint("ethertype", {your ethertype value},
> foo_handle);
>
> (the rename was done because some other routines had "port" in their name,
> but the value isn't necessarily a TCP or UDP port number, it's an arbitrary
> integral value, and we had some _string routines for registering *string*
> values in dissector tables, so we renamed the old routines to all have
> _uint to indicate that the value was an arbitrary unsigned integer value).
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request () wireshark org
> ?subject=unsubscribe



-- 
Thank You,



"The only thing in the world we need to fear is fear itself"
Suraj Mukade,
Scientific Officer,
Bhabha Atomic Research Center, Mumbai.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe