On Wed, Jan 27, 2021 at 6:16 AM Björn <bjoern.peter...@missinglinkelectronics.com> wrote:

> Hi,
>
> we use a custom dissector to analyze custom protocol traffic. However, to
> further increase the usability, we need to add protocol analysis specific
> GUI elements. For now, we are not aware of a way to add a first level
> plugin which can be called through an encapsulation type from a pcap file.
> One other point is that we are not able to load a compiled plugin to
> wireshark, if we don’t build it from source. We can’t link against
> wireshark and cmake will not load the project if we install wireshark from
> the APT packages.
>
> 1. Are implementations available to add an encapsulation type via a
>    plugin?
> 2. Could anybody point us to examples of similar attempts?
> 3. Is there already some work in progress to provide such a plugin
>    mechanism for extending the encapsulation types?
> 4. We noticed that distributed packets, e.g. in Ubuntu 18.04 do not
>    allow for C plugins to be loaded. Do you know if this is common practice?
>

The approach I generally do is to generate files with one of the USER encapsulations (which are reserved for private use), and then call your plugin using the DLT_USER preferences, as detailed here:

https://gitlab.com/wireshark/wireshark/-/wikis/HowToDissectAnything

You can then go on to save those DLT_USER preferences in a configuration profile <https://www.wireshark.org/docs/wsug_html/#ChCustConfigProfilesSection>, and later export that configuration profile and distribute it with your plugin so that it is installed as a globally available configuration profile.

Is there some reason that doesn't work for you? If you're able to generate pcaps with a custom link-layer header type, then you should be able to do that.

Adding a new encapsulation is possible, but to do it properly it's best to keep it in sync with the link-layer header types in libpcap files, which means following the process in wiretap/pcap-common.c <https://gitlab.com/wireshark/wireshark/-/blob/master/wiretap/pcap-common.c#L72-80>

Reusing an existing link-layer header type for a different (newly defined) Wireshark encapsulation is strongly discouraged.

John
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
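
Added example, not part of the original message and not Wireshark's own code: a minimal writer for a classic pcap file whose link-layer header type is USER0 (147), the first of the private-use values the reply refers to, so that a DLT_USER preference entry can map it to a custom dissector. The function names, output file name and payload bytes are constructed for illustration.

```python
import io
import struct

LINKTYPE_USER0 = 147      # USER0..USER15 = 147..162, reserved for private use
PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
SNAPLEN = 65535
# magic, version major, version minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR = struct.Struct("<IHHiIII")
# ts_sec, ts_usec, incl_len (bytes stored), orig_len (bytes on the wire)
RECORD_HDR = struct.Struct("<IIII")

def user_linktype(index):
    """Map USERn (n = 0..15) to its link-layer header type number."""
    if not 0 <= index <= 15:
        raise ValueError("only USER0..USER15 exist")
    return LINKTYPE_USER0 + index

def write_pcap(out, frames, user_index=0):
    """Write (sec, usec, payload) frames under the chosen USER link type."""
    out.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN,
                              user_linktype(user_index)))
    for sec, usec, payload in frames:
        captured = payload[:SNAPLEN]  # honour the snapshot length
        out.write(RECORD_HDR.pack(sec, usec, len(captured), len(payload)))
        out.write(captured)

def read_pcap(data):
    """Parse the file back to confirm the link type and the frames."""
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    offset, frames = GLOBAL_HDR.size, []
    while offset < len(data):
        sec, usec, incl_len, _ = RECORD_HDR.unpack_from(data, offset)
        offset += RECORD_HDR.size
        frames.append((sec, usec, data[offset:offset + incl_len]))
        offset += incl_len
    return linktype, frames

def build_sample():
    # Constructed frames of an imaginary protocol: type, 16-bit length, body.
    frames = [(1611727000, 0, b"\x01\x00\x04ping"),
              (1611727000, 250000, b"\x02\x00\x04pong")]
    buf = io.BytesIO()
    write_pcap(buf, frames)
    return buf.getvalue(), frames

if __name__ == "__main__":
    with open("custom_user0.pcap", "wb") as fh:  # hypothetical file name
        fh.write(build_sample()[0])
```
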