Re: Dissector for link layer to run before ethernet one

[John Thacker <johnthacker () gmail com>]

On Thu, Jul 20, 2017 at 7:47 AM, Mihai Cîrîc via Wireshark-dev <
wireshark-dev () wireshark org> wrote:

> Hello all,
>
> I have some capture files with packets encapsulated under ethernet. But
> these packets have a short header before the mac addresses and I am
> trying to write a dissector that would run before the ethernet one,
> parse the header and then call the ethernet dissector to continue parsing
> the rest of the packet.
>
> I was not able to find any example of this being done and I guess it would
> involve changing the entry in the wtap_encap table to replace the eth
> dissector.
>
> Any ideas on how this could be done?

The quickest way is to change the encapsulation of the files to one of the
DLT_USER types (say with editcap) and then follow the procedure outlined
here:

https://wiki.wireshark.org/HowToDissectAnything

For starters, you can simply skip over your initial header with
header_size, and then after you've written your dissector you can call it
directly with the header_proto option.

John Thacker

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe