User Guide

In order to compile this dissector and create a plugin a couple of support files are required, besides
the dissector source in packet-foo.c:
Makefile.am - This is the UNIX/Linux makefile template
Makefile.common - This contains the file names of this plugin
Makefile.nmake - This contains the Wireshark plugin makefile for Windows
moduleinfo.h - This contains plugin version info
moduleinfo.nmake - This contains DLL version info for Windows
packet-foo.c - This is your dissector source
plugin.rc.in - This contains the DLL resource template for Windows
You can find a good example of these files in the agentx plugin directory. Makefile.common and
Makefile.am have to be modified to reflect the relevant files and dissector name. moduleinfo.h and
moduleinfo.nmake have to be filled in with the version information. Compile the dissector to a DLL
or shared library and copy it into the plugin directory of the installation.
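To make the previous paragraph concrete, here is what the two make-side support files would hold for the foo plugin. This is an added illustration patterned on the layout of the agentx plugin's files, not text from this page; the 0.0.1 version numbers are placeholders.

```makefile
# ---- Makefile.common (shared by Makefile.am and Makefile.nmake) ----

# the name of the plugin
PLUGIN_NAME = foo

# the dissector sources (without any helpers)
DISSECTOR_SRC = \
    packet-foo.c

# corresponding headers (none for this plugin)
DISSECTOR_INCLUDES =

# ---- moduleinfo.nmake (DLL version info for the Windows build) ----

# The name
PACKAGE=foo

# The version (placeholder values; keep in step with moduleinfo.h)
MODULE_VERSION_MAJOR=0
MODULE_VERSION_MINOR=0
MODULE_VERSION_MICRO=1
MODULE_VERSION_EXTRA=0
```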
9.2.2. Dissecting the details of the protocol
Now that we have our basic dissector up and running, let's do something with it. The simplest thing
to do to start with is to just label the payload. This will allow us to set up some of the parts we will
need.
The first thing we will do is to build a subtree to decode our results into. This helps to keep things
looking nice in the detailed display. Now the dissector is called in two different cases. In one case it
is called to get a summary of the packet, in the other case it is called to look into details of the packet.
These two cases can be distinguished by the tree pointer. If the tree pointer is NULL, then we are
being asked for a summary. If it is non-NULL, we can pick apart the protocol for display. So with that
in mind, let's enhance our dissector.
Example 9.4. Plugin Packet Dissection.
static void
dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    /* Name the protocol in the summary pane's Protocol column */
    if (check_col(pinfo->cinfo, COL_PROTOCOL)) {
        col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO");
    }
    /* Clear out stuff in the info column */
    if (check_col(pinfo->cinfo, COL_INFO)) {
        col_clear(pinfo->cinfo, COL_INFO);
    }
    if (tree) { /* we are being asked for details */
        proto_item *ti = NULL;
        /* Claim the whole tvb for FOO: offset 0, length -1 (to the end) */
        ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, FALSE);
    }
}
What we're doing here is adding a subtree to the dissection. This subtree will hold all the details of
this protocol and so does not clutter up the display when not required.
We are also marking the area of data that is being consumed by this protocol. In our case it's all that
has been passed to us, as we're assuming this protocol does not encapsulate another. Therefore, we
add the new tree node with proto_tree_add_item, adding it to the passed-in tree, label it with the protocol,
use the passed-in tvb buffer as the data, and consume from 0 to the end (-1) of this data. The