How to write a simplest wireshark dissector(under Linux)

(current platform is Ubuntu-8.04-i386-desktop with wireshark 1.0.0 )

=== note === 
 if would be convinient if you have root password. Or else if you want to capture packet you can modify settings -for more details, see http://www.wireshark.org/lists/wireshark-dev/200809/msg00168.html

=== Build wireshark ===
  * extract source files under /wireshark, and execute "sudo ./autogen.sh && sudo./configure && sudo make install" in command line, under this directory
  * install libgtk2.0-dev and libpcap-dev, otherwise you may get confusing error message. Then install other packages reported in error messages. 
  * type "make" and wait until make finished 
  * type "sudo ./wireshark" to start, then specify Capture->Option->Interface. Then click Capture->Interface->Start. Now you can see packets captured.

=== Setup Testing environment ===

* Create following java file to generate simple UDP traffic

import java.io.IOException; import java.net.*; class UDP_Sender { public static void main(String[] args) throws IOException { //prepare packet byte[] buf = new String("This is a test for wireshark!").getBytes();//content of packet InetAddress address = InetAddress.getByName("64.233.189.104");//address that packet send to DatagramPacket packet = new DatagramPacket(buf, buf.length,address, 8888);//8888 is port number //send packet DatagramSocket socket = new DatagramSocket(); socket.send(packet); socket.close(); System.out.print("UDP sent"); } }

* To verify that you can capture program generated traffic, open wireshark, capture the traffic of above java program. ("udp && !dns && bootp" can be used as filter).

* As a preparation for generating traffic needed for dissector (refer to http://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html ), change above above code to below:

import java.net.*; class UDP_Sender { /** A packet type - 8 bits, possible values: 1 - initialisation, 2 - terminate, 3 - data. * A set of flags stored in 8 bits, 0x01 - start packet, 0x02 - end packet, 0x04 - priority packet. * A sequence number - 16 bits. * An IP address. */ public static byte[] getFooContent(byte type, byte flag, short seq, String addr) throws Exception { byte[] result = new byte[8]; byte[] res_right = new byte[4]; result[0] = type; result[1] = flag; result[2] = getBytesValue(seq)[0]; result[3] = getBytesValue(seq)[1]; res_right = InetAddress.getByName(addr).getAddress(); for (int i = 0; i < 4; i++) result[i + 4] = res_right[i]; return result; } /** converse short into byte array */ public static byte[] getBytesValue(short n) { byte[] b = new byte[2]; b[0] = new Integer(n & 255).byteValue(); b[1] = new Integer((n >> 8) & 255).byteValue(); return b; } /** converse int array into byte array */ public static byte[] getBytesValue(int[] n) { byte[] b = new byte[n.length * 4]; for (int i = 0; i < n.length; i++) { for (int j = 0; j < 4; j++) b[i * 4 + 3 - j] = new Integer((n[i] >> (8 * j)) & 255) .byteValue(); } return b; } public static void main(String[] args) throws Exception { // prepare packet byte[] buf = UDP_Sender.getFooContent((byte) 1, (byte) 0x04, (short) 22, "3.3.3.3"); InetAddress address = InetAddress.getByName("192.168.2.2"); DatagramPacket packet = new DatagramPacket(buf, buf.length, address, 8888); // send packet DatagramSocket socket = new DatagramSocket(); socket.send(packet); socket.close(); } }

=== write plugin ===

* create directory foo under /wireshark/plugins/ * create packet-foo.c with the following code:

#ifdef HAVE_CONFIG_H #include "config.h" #endif #include <epan/packet.h> #include <epan/prefs.h> /* forward reference */ void proto_register_foo(); void proto_reg_handoff_foo(); static void dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree); static int proto_foo = -1; static int global_foo_port = 1234; static dissector_handle_t foo_handle; void proto_register_foo(void) { if (proto_foo == -1) { proto_foo = proto_register_protocol ( "FOO Protocol", /* name */ "FOO", /* short name */ "foo" /* abbrev */ ); } } void proto_reg_handoff_foo(void){ static gboolean initialized = FALSE; if (!initialized) { foo_handle = create_dissector_handle(dissect_foo, proto_foo); dissector_add("udp.port", global_foo_port, foo_handle); initialized = TRUE; } } static void dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { if (check_col(pinfo->cinfo, COL_PROTOCOL)) { col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO"); } /* Clear out stuff in the info column */ if (check_col(pinfo->cinfo,COL_INFO)) { col_clear(pinfo->cinfo,COL_INFO); } if (tree) { /* we are being asked for details */ proto_item *ti = NULL; ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, FALSE); } }

* copy rest of files from agentx to foo directory, and replace all "agentx" with "foo" inside them.

* referring to the places of agentx, you will also need to change the files found by the following command:

 

1.      cd wireshark && grep agentx -l * * /* */ */*  >& tmp.txt && cat tmp.txt | grep -v doc/ | grep -v agentx/ | grep -v wireshark-gtk

* execute following command to rebuild wireshark with plugin

1.      ./autogen.sh && ./configure --prefix=${HOME}/build/root && make install 

* now run wireshark and execute the java program to send traffic, you will find that, packet has been recognized as FOO protocol

* modify packet-foo.c into following content(for code explanation see http://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html ).

 

#ifdef HAVE_CONFIG_H #include "config.h" #endif #include <epan/packet.h> #include <epan/prefs.h> /**/ /* forward reference */ void proto_register_foo(); void proto_reg_handoff_foo(); static void dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree); static int proto_foo = -1; static int hf_foo_pdu_type = -1; static int hf_foo_flags = -1; static int hf_foo_sequenceno = -1; static int hf_foo_initialip = -1; static gint ett_foo = -1; static int global_foo_port = 1234; static dissector_handle_t foo_handle; void proto_register_foo(void) { if (proto_foo == -1) { proto_foo = proto_register_protocol ( "FOO Protocol", /**//* name */ "FOO", /**//* short name */ "foo" /**//* abbrev */ ); } static hf_register_info hf[] = { { &hf_foo_pdu_type, { "FOO PDU Type", "foo.type", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_foo_flags, { "FOO PDU Flags", "foo.flags", FT_UINT8, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_foo_sequenceno, { "FOO PDU Sequence Number", "foo.seqn", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_foo_initialip, { "FOO PDU Initial IP", "foo.initialip", FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }} }; /* Setup protocol subtree array */ static gint *ett[] = { &ett_foo }; proto_register_field_array(proto_foo, hf, array_length(hf)); proto_register_subtree_array(ett, array_length(ett)); void proto_reg_handoff_foo(void) { static gboolean initialized = FALSE; if (!initialized) { foo_handle = create_dissector_handle(dissect_foo, proto_foo); dissector_add("udp.port", global_foo_port, foo_handle); initialized = TRUE; } } static void dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { if (check_col(pinfo->cinfo, COL_PROTOCOL)) { col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO"); } /* Clear out stuff in the info column */ if (check_col(pinfo->cinfo,COL_INFO)) { col_clear(pinfo->cinfo,COL_INFO); } if (tree) { /* we are being asked for details */ proto_item *ti = NULL; proto_tree *foo_tree = NULL; gint offset = 0; ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, FALSE); foo_tree = proto_item_add_subtree(ti, ett_foo); proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, offset, 1, FALSE); offset += 1; proto_tree_add_item(foo_tree, hf_foo_flags, tvb, offset, 1, FALSE); offset += 1; proto_tree_add_item(foo_tree, hf_foo_sequenceno, tvb, offset, 2, FALSE); offset += 2; proto_tree_add_item(foo_tree, hf_foo_initialip, tvb, offset, 4, FALSE); offset += 4; } }

 

* at this moment, re-build wireshark and run it, you can see the follow screen: