Re: How to use Wireshark dissectors and header fields? (looking for "WORKING" examples for windows)

[Pascal Quantin <pascal.quantin () gmail com>]

Hi Christopher,

there are several ways of writing a Wireshark dissector (using C or Lua for
example). It's up to you to decide which one is the most comfortable for
you.
I highly encourage you to read the Sharkfest presentation 'Writing a
dissector: 3 ways to eat bytes' done by Graham Bloice. The powerpoint
presentation should hoepuffly clarifies things and it even comes with
samples: https://sharkfest.wireshark.org/assets/presentations16/03.7z

Wireshark own documentation is mostly about C based dissectors, because
that's how all dissectors were written initially. You should also read
https://www.wireshark.org/docs/wsdg_html_chunked/ and other files found in
the doc folder of the source code.

Good luck and best regards,
Pascal.

2017-09-07 18:43 GMT+02:00 <Christopher.Lusardi () engilitycorp com>:

> Hello, what useful things can you give me?
>
>
>
> I’m looking for step by step description which is at the level of push
> this button, select this from this menu, type this, etc. I.E.: I’m looking
> to be able write a dissector like an expert with 10 years of experience. Is
> anyone up to the task?
>
>
>
> Also, do you have any really useful videos or Internet links that I should
> study?
>
>
>
> *Background: *
>
>
>
> I'll explain to you what my team first wants accomplished.
>
> I will explain to you what engineering data units we want. We want to
> display engineering units instead of hexadecimal digits in data fields of
> various messages in our protocol. Simply my first task, all we want are 3
> "on" and "off" values and 2 integer values.
>
> Caveat: In this background description, I'm using all make believe data
> from a Wireshark Captured data. My team doesn't want me to publish actual
> data.
>
> (1) Captured Wireshark data from three areas of Wireshark:
>
> No. Time     Source    Destination   Protocol Length Info
>
> 8   0.055974 192.2.4.8 240.199.089.0 UDP      60     53016->53016 Len=4
>
> Message:
>
> Data (4 bytes)
>
>       Data: 2043c0bd
>
>       [Length: 4]
>
> Raw Data:
>
> 20   43   c0   bd
>
> (2) My explanation of the above hexadecimal data:
>
> Byte 1:  20
>
> Byte 2:  43
>
> Byte 3:  c0
>
> Byte 4:  bd
>
> Above byte 1 has only 3 bits (above right 3 bits) that have to be
> translated to "on" or "off" values. I.E.: We want to see "on" or "off"
> instead of "1" and "0." The other bits (above left 5 bits) can be ignored
> and not shown at all in the message window. They'll still be visible in the
> raw data. The 3 right bits represent 3 separate switches.
>
> Above bytes 2 through 4 have two integer values from -127 to 127. Again
> some of the bits will not be used and can be ignored and not shown at all
> in the message window. They'll still be visible in the raw data. The bits
> that makeup the two integer values are distributed in the 3 above bytes and
> are not consecutive. Here is the actual placement of the 16 bits that
> makeup the two integer values between -127 to 127. These two integer values
> represent a single joystick which can be moved left or right from a resting
> position.
>
> 0   1    0    0   X7   X6   Y7   Y6
>
> 1   1   X5   X4   X3   X2   X1   X0
>
> 1   0   Y5   Y4   Y3   Y2   Y1   Y1
>
> So, my team wants me to pick out the above bits to create and display two
> integer values.
>
> X7  X6  X5  X4  X3  X2  X1  X0  Equals some value from -127 to 127
>
> Y7  Y6  Y5  Y4  Y3  Y2  Y1  Y0  Equals some value from -127 to 127
>
> FYI: This is only my preliminary initial task. I.E.: This is the first
> message that my team wants me to create a dissector for. There are other
> messages that I will be given later to work on and display in a nice way.
>
>
>
> FYI: By "left" and "right", as in "left 5 bits" and "right 3 bits", I mean
> "upper" and "lower", so that the high-order bit, and the 4 bits below it,
> are the "left 5 bits", and the 3 bits below that, going down to the
> low-order bit, are the "right 3 bits", so that, for 0x20, which is 00100000
> in binary, the "left 5 bits" are "00100", and the "right 3 bits" are "000",
> and all 3 bits are "off", and the "00100" can be ignored.
>
>
>
> *QUESTIONS:*
>
>
>
> Question 1: Can someone give me a step by step procedure to build a useful
> working dissector that will run on Windows? Again, I’m looking for a
> detailed enough description that a 15 year old could follow.
>
>
>
> I’m not a complete numbskull. Yes, I have never worked with a dissector
> before, but I’m a fairly good C/C++ programmer.
>
>
>
> Are there different kinds of dissectors, please explain?
>
>
>
> I have looked at the following Developer’s guide, but since I’m a novice I
> get easily lost and cannot use it.
>
>
>
> https://code.wireshark.org/review/gitweb?p=wireshark.git;
> a=blob_plain;f=doc/README.dissector
>
>
>
> I have attached a screen dump showing the contents of my Wireshark folder
> along with a greatly edited screen dump showing some of the protocols on my
> laptop. I was thinking these may help you find a few example dissectors
> that will work on Windows. I have also attached an edited screen dump
> showing my system configuration. (I deleted what looked like IP address’
> from the screen dumps.)
>
>
>
> Question 2: The file packet-PROTOABBREV.c
> <https://github.com/boundary/wireshark/blob/master/doc/packet-PROTOABBREV.c>
>  mentioned in the Wireshark Developer's guide
> <https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=doc/README.dissector> doesn't
> look anything like the file in the YouTube video (see the code in this
> video starting at 5 seconds: Packet Class: Wireshark - Lua Protocol
> Dissectors <https://www.youtube.com/watch?v=I4nf23HywmI>), why is that? I
> do not have Lua installed on my laptop!
>
>
>
> packet-PROTOABBREV.c
> <https://github.com/boundary/wireshark/blob/master/doc/packet-PROTOABBREV.c>
>
>
> https://github.com/boundary/wireshark/blob/master/doc/packet-PROTOABBREV.c
>
>
>
> Video:
>
> https://www.youtube.com/watch?v=I4nf23HywmI
>
>
>
> Question 3: How can I use header fields to solve my above problem a
> different way? Again, I would like a simple but useful working example.
>
>
>
> Question 4: How does a novice use the Wireshark Developer’s guide?
>
>
>
> Question 5: So, can you give me a link to some working dissectors that I
> can use on my Windows laptop.
>
>
>
> Question 6: What are the limitations on using dissectors versus header
> fields?
>
>
>
> I’m hoping that I can get some useful examples that I can modify to meet
> my needs at work. The more the merrier!
>
>
>
> Thank you,
>
> ____________________________________________________________
> _______________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request () wireshark org?subject=
> unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe