Custom dissector for ethertype link layer and IP protocol

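This is how you can replace the default dissector for the IP protocol:

-- p_myproto is your Proto object, defined earlier in the script
local dissector_table = DissectorTable.get("ethertype")
if dissector_table ~= nil then
    -- 0x800 is the ethertype for IPv4
    dissector_table:add(0x800, p_myproto)
end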

If you have a capture file with a different link layer, then you may want to read How to Dissect Anything.

To test your dissector, you can convert the binary representation of a message to a pcap file using

od -Ax -tx1 -v myproto.bin > myproto.hex
text2pcap -l 147 myproto.hex myproto.pcap

Valid values of link type specified using option -l are in the range 147 to 162.

Next, customize the DLT_USER protocol preferences so that your dissector gets invoked for link type 147.

You don’t have to edit protocol preferences manually. You can achieve the same from a Lua dissector as follows:

local wtap_encap_table = DissectorTable.get("wtap_encap")
wtap_encap_table:add(wtap.USER0, p_myproto)
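
The snippets above use p_myproto without defining it. The following is an added example, not code from the original post, of a complete script that defines it and registers it for link type 147. The three-byte header layout, the field names and the expert-info name are assumptions made for illustration.

```lua
-- Hypothetical "myproto" layout (an assumption, not from the page):
--   byte 0      message type
--   bytes 1-2   payload length, big-endian
--   bytes 3..   payload
local p_myproto = Proto("myproto", "My Protocol")

local f_type    = ProtoField.uint8("myproto.type", "Type", base.DEC)
local f_length  = ProtoField.uint16("myproto.length", "Payload Length", base.DEC)
local f_payload = ProtoField.bytes("myproto.payload", "Payload")
p_myproto.fields = { f_type, f_length, f_payload }

-- Expert info used to flag messages shorter than they claim to be
local e_short = ProtoExpert.new("myproto.truncated", "Message shorter than declared",
                                expert.group.MALFORMED, expert.severity.ERROR)
p_myproto.experts = { e_short }

local HEADER_LEN = 3

function p_myproto.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "MYPROTO"
    local subtree = tree:add(p_myproto, tvb())

    -- Captured bytes are untrusted input: check lengths before every read.
    if tvb:len() < HEADER_LEN then
        subtree:add_proto_expert_info(e_short, "Header truncated")
        return
    end

    subtree:add(f_type, tvb(0, 1))
    subtree:add(f_length, tvb(1, 2))

    -- Never trust the declared length; clamp it to what was captured.
    local declared  = tvb(1, 2):uint()
    local available = tvb:len() - HEADER_LEN
    if declared > available then
        subtree:add_proto_expert_info(e_short,
            string.format("Declared %d bytes, only %d captured", declared, available))
        declared = available
    end
    if declared > 0 then
        subtree:add(f_payload, tvb(HEADER_LEN, declared))
    end
end

-- Link type 147 (USER0), as produced by "text2pcap -l 147"
DissectorTable.get("wtap_encap"):add(wtap.USER0, p_myproto)
```

Load the script with Wireshark's -X lua_script:<file> option and open myproto.pcap; a message whose length field exceeds the captured bytes shows up under the Malformed expert group instead of raising a Lua error.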
