Wireshark mailing list archives

Re: New Protocol encapsulation as plugin


From: John Thacker <johnthacker () gmail com>
Date: Wed, 27 Jan 2021 06:54:07 -0500

On Wed, Jan 27, 2021 at 6:16 AM Björn <bjoern.petersen () missinglinkelectronics com> wrote:

Hi,

we use a custom dissector to analyze custom protocol traffic. However, to
further increase the usability, we need to add protocol analysis specific
GUI elements. For now, we are not aware of a way to add a first level
plugin which can be called through an encapsulation type from a pcap file.
One other point is that we are not able to load a compiled plugin to
wireshark, if we don’t build it from source. We can’t link against
wireshark and cmake will not load the project if we install wireshark from
the APT packages.

   1. Are implementations available to add an encapsulation type via a
   plugin?
   2. Could anybody point us to examples of similar attempts?
   3. Is there already some work in progress to provide such a plugin
   mechanism for extending the encapsulation types?
   4. We noticed that distributed packets, e.g. in Ubuntu 18.04 do not
   allow for C plugins to be loaded. Do you know if this is common practice?


The approach I generally take is to generate files with one of the USER
encapsulations (which are reserved for private use), and then call your
plugin using the DLT_USER preferences, as detailed here:

https://gitlab.com/wireshark/wireshark/-/wikis/HowToDissectAnything

You can then go on to save those DLT_USER preferences in a configuration
profile
<https://www.wireshark.org/docs/wsug_html/#ChCustConfigProfilesSection>,
and later export that configuration profile and distribute it with your
plugin so that it is installed as a globally available configuration
profile.

Is there some reason that doesn't work for you? If you're able to generate
pcaps with a custom link-layer header type, then you should be able to do
that.

Adding a new encapsulation is possible, but to do it properly it's best to
keep it in sync with the link-layer header types in libpcap files, which
means following the process in wiretap/pcap-common.c
<https://gitlab.com/wireshark/wireshark/-/blob/master/wiretap/pcap-common.c#L72-80>.
Reusing an existing link-layer header type for a different (newly defined)
Wireshark encapsulation is strongly discouraged.

John
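As an added example (not part of John's reply or of Wireshark's own code), the following Python script writes a pcap file whose link-layer type is LINKTYPE_USER0 (147), the first of the private-use values the reply refers to, carrying frames of a hypothetical custom protocol, and parses the file back with length checks. The custom 4-byte protocol header, the sample frames and the output file name are assumptions made for the example.

```python
import struct

# LINKTYPE_USER0..USER15 (147..162) are reserved for private use; Wireshark's
# DLT_USER preference table binds a user-chosen dissector to each of them.
LINKTYPE_USER0 = 147
PCAP_MAGIC = 0xA1B2C3D4   # microsecond timestamps; written little-endian here
SNAPLEN = 65535

def pcap_global_header(linktype):
    # magic, version major/minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, linktype)

def pcap_record(ts_sec, ts_usec, payload):
    # per-packet header: ts_sec, ts_usec, incl_len, orig_len (16 bytes)
    return struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload

def build_pcap(frames, linktype=LINKTYPE_USER0):
    """Return the bytes of a pcap file whose link-layer type is `linktype`."""
    out = bytearray(pcap_global_header(linktype))
    for ts_sec, ts_usec, payload in frames:
        out += pcap_record(ts_sec, ts_usec, payload)
    return bytes(out)

def read_pcap(data):
    """Parse pcap bytes back into (linktype, [(ts_sec, ts_usec, payload), ...])."""
    magic, _maj, _min, _tz, _sf, snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    frames, off = [], 24
    while off < len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        if incl > snaplen or off + incl > len(data):  # truncated or corrupt record
            raise ValueError("bad record length at offset %d" % (off - 16))
        frames.append((ts_sec, ts_usec, data[off:off + incl]))
        off += incl
    return linktype, frames

# Constructed sample: hypothetical custom protocol, 4-byte header + payload.
def custom_frame(msg_type, payload, version=1):
    return struct.pack("<BBH", version, msg_type, len(payload)) + payload

SAMPLE_FRAMES = [
    (1611748447, 0, custom_frame(0x01, b"hello")),
    (1611748447, 250000, custom_frame(0x02, b"\x00\x01\x02\x03")),
]

if __name__ == "__main__":
    with open("custom_user0.pcap", "wb") as fh:
        fh.write(build_pcap(SAMPLE_FRAMES))
```

Opening the resulting file in Wireshark and binding User 0 (link type 147) to the custom dissector's name in the DLT_USER preferences routes every frame to that dissector, as the wiki page linked above describes.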
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>