Custom dissector for ethertype link layer and IP protocol


This is how you can replace the default dissector for the IP protocol

local dissector_table = DissectorTable.get("ethertype")
if dissector_table ~= nil then
    dissector_table:add(0x800, p_myproto)
end

If you have a capture file with a different link layer, then you may want to read How to Dissect Anything.

To test your dissector, you can convert binary representation of a message to pcap using

od -Ax -tx1 -v myproto.bin > myproto.hex
text2pcap -l 147 myproto.hex myproto.pcap

Valid values of link type specified using option -l are in the range 147 to 162.

Next, customize the DLT_USER protocol preferences, so that your dissector gets invoked for link type 147, as shown below

DLT

You don’t have to edit protocol preferences manually. You can achieve the same from a Lua dissector as follows

local wtap_encap_table = DissectorTable.get("wtap_encap")
wtap_encap_table:add(wtap.USER0, p_myproto)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s