Wireshark mailing list archives

How to use Wireshark dissectors and header fields? (looking for "WORKING" examples for windows)


From: Christopher.Lusardi () engilitycorp com
Date: Thu, 7 Sep 2017 16:43:10 +0000

Hello, what useful things can you give me?

I'm looking for a step by step description which is at the level of push this button, select this from this menu, type 
this, etc. I.e.: I'm looking to be able to write a dissector like an expert with 10 years of experience. Is anyone up to 
the task?

Also, do you have any really useful videos or Internet links that I should study?

Background:

I'll explain to you what my team first wants accomplished.
I will explain to you what engineering data units we want. We want to display engineering units instead of hexadecimal 
digits in data fields of various messages in our protocol. Simply, for my first task, all we want are 3 "on" and "off" 
values and 2 integer values.
Caveat: In this background description, I'm using all make-believe data from Wireshark captured data. My team doesn't 
want me to publish actual data.
(1) Captured Wireshark data from three areas of Wireshark:
No. Time     Source    Destination   Protocol Length Info
8   0.055974 192.2.4.8 240.199.089.0 UDP      60     53016->53016 Len=4
Message:
Data (4 bytes)
      Data: 2043c0bd
      [Length: 4]
Raw Data:
20   43   c0   bd
(2) My explanation of the above hexadecimal data:
Byte 1:  20
Byte 2:  43
Byte 3:  c0
Byte 4:  bd
Above, byte 1 has only 3 bits (the right 3 bits) that have to be translated to "on" or "off" values. I.e.: We want to 
see "on" or "off" instead of "1" and "0." The other bits (the left 5 bits) can be ignored and not shown at all in the 
message window. They'll still be visible in the raw data. The 3 right bits represent 3 separate switches.
Above, bytes 2 through 4 have two integer values from -127 to 127. Again some of the bits will not be used and can be 
ignored and not shown at all in the message window. They'll still be visible in the raw data. The bits that make up the 
two integer values are distributed in the 3 above bytes and are not consecutive. Here is the actual placement of the 16 
bits that make up the two integer values between -127 to 127. These two integer values represent a single joystick which 
can be moved left or right from a resting position.
0   1    0    0   X7   X6   Y7   Y6
1   1   X5   X4   X3   X2   X1   X0
1   0   Y5   Y4   Y3   Y2   Y1   Y0
So, my team wants me to pick out the above bits to create and display two integer values.
X7  X6  X5  X4  X3  X2  X1  X0  Equals some value from -127 to 127
Y7  Y6  Y5  Y4  Y3  Y2  Y1  Y0  Equals some value from -127 to 127
FYI: This is only my preliminary initial task. I.e.: This is the first message that my team wants me to create a 
dissector for. There are other messages that I will be given later to work on and display in a nice way.

FYI: By "left" and "right", as in "left 5 bits" and "right 3 bits", I mean "upper" and "lower", so that the high-order 
bit, and the 4 bits below it, are the "left 5 bits", and the 3 bits below that, going down to the low-order bit, are 
the "right 3 bits", so that, for 0x20, which is 00100000 in binary, the "left 5 bits" are "00100", and the "right 3 
bits" are "000", and all 3 bits are "off", and the "00100" can be ignored.

QUESTIONS:

Question 1: Can someone give me a step by step procedure to build a useful working dissector that will run on Windows? 
Again, I'm looking for a detailed enough description that a 15 year old could follow.

I'm not a complete numbskull. Yes, I have never worked with a dissector before, but I'm a fairly good C/C++ programmer.

Are there different kinds of dissectors? Please explain.

I have looked at the following Developer's guide, but since I'm a novice I get easily lost and cannot use it.

https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=doc/README.dissector

I have attached a screen dump showing the contents of my Wireshark folder along with a greatly edited screen dump 
showing some of the protocols on my laptop. I was thinking these may help you find a few example dissectors that will 
work on Windows. I have also attached an edited screen dump showing my system configuration. (I deleted what looked 
like IP addresses from the screen dumps.)

Question 2: The file packet-PROTOABBREV.c mentioned in the Wireshark Developer's guide doesn't look anything like the 
file in the YouTube video (see the code in this video starting at 5 seconds: "Packet Class: Wireshark - Lua Protocol 
Dissectors"), why is that? I do not have Lua installed on my laptop!

packet-PROTOABBREV.c:
https://github.com/boundary/wireshark/blob/master/doc/packet-PROTOABBREV.c

Developer's guide:
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=doc/README.dissector

Video:
https://www.youtube.com/watch?v=I4nf23HywmI

Question 3: How can I use header fields to solve my above problem a different way? Again, I would like a simple but 
useful working example.

Question 4: How does a novice use the Wireshark Developer's guide?

Question 5: So, can you give me a link to some working dissectors that I can use on my Windows laptop?

Question 6: What are the limitations on using dissectors versus header fields?

I'm hoping that I can get some useful examples that I can modify to meet my needs at work. The more the merrier!

Thank you,

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

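Editor's added example (not code from the original post, not part of the Wireshark project, and not a reply from the list): a Lua dissector for the 4-byte message laid out above. It is added here because the post's bit layout is exactly the kind of thing a dissector expresses, and because the Windows installers of Wireshark ship with Lua support built in, so no separate Lua install is needed; the script is loaded from the "Personal Lua Plugins" folder or with `tshark -X lua_script:joystick.lua`. The switches are declared as ProtoFields with bitmasks (Wireshark masks, shifts and maps 0/1 to "off"/"on" for you), while the two axes, whose bits are scattered over bytes 2 to 4, are assembled by hand with TvbRange:bitfield() and added with an explicit value. Assumptions, all labelled in the code: the protocol and field names, the switch numbering (switch 1 is the low-order bit), the UDP port 53016 taken from the sample packet, and that the 8-bit axis values are two's complement (the post gives the range -127..127 but not the sign convention; a sign-magnitude variant is noted in the comments).

```lua
-- joystick.lua  (added example; names, port and sign convention are assumptions)
-- Install: copy into the "Personal Lua Plugins" folder shown under
-- Help > About Wireshark > Folders and restart Wireshark, or run
--   tshark -X lua_script:joystick.lua -r capture.pcapng -V
-- Tvb offsets below are 0-based, so "byte 1" of the post is tvb(0, 1).

local joy = Proto("joystick", "Joystick Status")

-- Switches: one ProtoField per bit with a bitmask. Wireshark applies the
-- mask, shifts the result down and looks it up in the value table, so the
-- tree shows "off"/"on" instead of 0/1. Switch numbering is an assumption.
local on_off = { [0] = "off", [1] = "on" }
local f_sw1 = ProtoField.uint8("joystick.sw1", "Switch 1", base.DEC, on_off, 0x01)
local f_sw2 = ProtoField.uint8("joystick.sw2", "Switch 2", base.DEC, on_off, 0x02)
local f_sw3 = ProtoField.uint8("joystick.sw3", "Switch 3", base.DEC, on_off, 0x04)

-- Axes: the bits are spread over three bytes, so no single bitmask can
-- describe them; they are assembled in the dissector and added with a value.
local f_x = ProtoField.int8("joystick.x", "X axis", base.DEC)
local f_y = ProtoField.int8("joystick.y", "Y axis", base.DEC)

-- Fixed framing bits (0100 / 11 / 10 in the layout); shown so a packet with
-- unexpected bits is easy to spot when filtering (joystick.frame_ok == 0).
local f_frame_ok = ProtoField.bool("joystick.frame_ok", "Framing bits as expected")

joy.fields = { f_sw1, f_sw2, f_sw3, f_x, f_y, f_frame_ok }

-- Assumption: two's complement. For a sign-magnitude protocol replace the
-- body with:  if raw >= 128 then return -(raw - 128) end  return raw
local function to_signed8(raw)
    if raw >= 128 then return raw - 256 end
    return raw
end

function joy.dissector(tvb, pinfo, tree)
    if tvb:len() < 4 then return 0 end          -- truncated or not this protocol
    pinfo.cols.protocol = joy.name

    local subtree = tree:add(joy, tvb(0, 4))

    -- Byte 1: low 3 bits are the switches; the upper 5 bits are not shown.
    subtree:add(f_sw1, tvb(0, 1))
    subtree:add(f_sw2, tvb(0, 1))
    subtree:add(f_sw3, tvb(0, 1))

    -- TvbRange:bitfield(pos, len) counts from the most significant bit (pos 0).
    -- Byte 2: 0 1 0 0 X7 X6 Y7 Y6   -> X7X6 at pos 4..5, Y7Y6 at pos 6..7
    -- Byte 3: 1 1 X5 X4 X3 X2 X1 X0 -> X5..X0 at pos 2..7
    -- Byte 4: 1 0 Y5 Y4 Y3 Y2 Y1 Y0 -> Y5..Y0 at pos 2..7
    local b2, b3, b4 = tvb(1, 1), tvb(2, 1), tvb(3, 1)
    local x = to_signed8(b2:bitfield(4, 2) * 64 + b3:bitfield(2, 6))
    local y = to_signed8(b2:bitfield(6, 2) * 64 + b4:bitfield(2, 6))

    -- Highlight bytes 2..4 in the hex pane when either axis is selected.
    subtree:add(f_x, tvb(1, 3), x)
    subtree:add(f_y, tvb(1, 3), y)

    local frame_ok = b2:bitfield(0, 4) == 4
                 and b3:bitfield(0, 2) == 3
                 and b4:bitfield(0, 2) == 2
    subtree:add(f_frame_ok, tvb(1, 3), frame_ok)

    -- Info column: the three switch bits as a 3-bit value plus both axes.
    pinfo.cols.info = string.format("switches=%d x=%d y=%d",
                                    tvb(0, 1):bitfield(5, 3), x, y)
    return 4
end

-- Port taken from the sample packet in the post; adjust for the real protocol.
DissectorTable.get("udp.port"):add(53016, joy)
```

To try it on the post's own sample bytes (20 43 c0 bd), run tshark with `-X lua_script:joystick.lua -V` against a capture containing that UDP datagram and compare the decoded fields with the layout by hand; the `joystick.frame_ok` field and the `joystick.x`/`joystick.y` names are then usable as display filters. The same structure (ProtoField declarations, `proto.fields`, a dissector function, a DissectorTable registration) carries over to the later messages the post mentions; the C version in packet-PROTOABBREV.c is the same idea expressed with hf_ arrays and proto_tree_add_item().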