Re: data link type option in wireshark

[Guy Harris <guy () alum mit edu>]

On Aug 18, 2010, at 12:30 AM, upendra.allu () wipro com wrote:

> Thanks a lot for you reply.
> Let me put my question more clearly.
>
> In my current Wireshark, when decoding my own plug-ins, the order of
> dissection is:
>
> Frame
> Ethernet
> Internet Protocol
> User Datagram Protocol (UDP)
> My-plugin
>
> Now for dissecting My-plugin, I have to dissect from Ethernet to
> My-plugin every time.

Yes, that's the way Wireshark works.

> All my plug-ins is on top IP layer (either on UDP
> or on SCTP). Now for decoding My-plugin every time I have to start
> decoding from a common Data Link type (Ethernet) which is time
> consuming. So I want to know that is it possible to directly decode
> My-plugin?

Not if your capture file is a capture of Ethernet traffic.  Wireshark cannot magically figure out that a given Ethernet 
packet happens to contain an IP packet without, at minimum, looking at the Ethernet type/length field; it cannot figure 
out that a given IP packet is a UDP packet without, at minimum, looking at the IP protocol number field; and it cannot 
figure out that a given UDP packet is a packet for your protocol without, at minimum, looking at either the UDP port 
numbers (if your dissector is registered with a UDP port or you've used Decode As) or the contents of the payload (if 
your dissector is a heuristic dissector).
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe