How to leave only the dissectors of signaling protocols?

I have already built full versions of Wireshark, but I need to make one that only interprets the signaling protocols for GSM mobile communications and IP telephony. I must also modify the capture so that it never stops. I guess that to achieve this I must modify the buffers, but so far I have no idea how to do it; if you could help me with this, I would also appreciate it.

mefisto.fels, asked 2019-01-31 13:54:30 +0000; updated by cmaynard 2019-01-31 14:49:45 +0000

Comments

Why not use tcpdump, which doesn't have all the extra dissectors, to make the captures?

grahamb (2019-01-31 14:25:48 +0000)

Or dumpcap, which is cross-platform. You could even use tshark too, which is also cross-platform, and in theory could also be used to capture "To Infinity and Beyond!"; however, I still prefer to use dumpcap for long-term capturing.

cmaynard (2019-01-31 14:49:24 +0000)

Actually, I need to create a UI that returns a file with the dissection information that I request, but that does not compromise the processing speed, so as not to affect the capture. I'm going to explore the functionalities of the modules that you mention, but I wanted to see if there is a way to use only the dissectors that I want before the compilation, to lighten the processing load.

mefisto.fels (2019-01-31 18:02:10 +0000)

Note that if your capture traffic doesn't include packets for other dissectors, then they won't be doing anything apart from taking up some memory.

If you can externally limit traffic to your capture device, or concoct a capture filter that limits the captured traffic to that which you require, then you will have reduced the load considerably.

grahamb (2019-01-31 20:04:38 +0000)

1 Answer


If you want to remove dissectors from Wireshark, then for each dissector you no longer want to be included with Wireshark, you'll have to reverse the process for adding a dissector as described in README.dissector and README.plugins.

For the built-in dissectors, this is a rather simple matter (at least in theory; it doesn't account for dependencies if you remove a dissector that another one depends on) that basically involves removing the unwanted dissector(s) from DISSECTOR_SRC. It's a little more involved to remove plugins, so refer to the README.plugins file for all the details.

Of course, if you also want to remove pidl and/or asn1 dissectors, then you'll have to remove those dissectors from PIDL_DISSECTOR_SRC and/or ASN1_DISSECTOR_SRC, but it might be more involved than that. There are no README.pidl or README.asn1 files to go by; however, there are the Pidl and Asn2wrs wiki pages, which may be of some help here.

As for continuously capturing, as mentioned in the comments to the question, your best bet is probably just to use dumpcap, tshark or tcpdump.

cmaynard, answered 2019-01-31 15:33:11 +0000, updated 2019-02-09 03:38:52 +0000
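The two pieces of advice in this thread, a capture filter plus a dumpcap ring buffer for never-ending capture, and disabling dissectors instead of rebuilding Wireshark, put together as an added example script (not code from the thread or from the Wireshark project); the interface, ports, output path, file counts and disabled protocol names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: keep the capture running
# (dumpcap ring buffer) while restricting it, via a capture filter, to the
# signaling traffic the GSM/VoIP dissectors need, and switch off dissectors
# at run time when reading the files back with tshark.
# Interface, ports, output path, file counts and protocol names are assumptions.

IFACE="${IFACE:-eth0}"                   # assumed capture interface
OUT_DIR="${OUT_DIR:-/var/tmp/signaling}" # assumed output directory

# Capture filter (BPF): SIP on 5060 (UDP/TCP) and 5061 (TLS), SCTP (SIGTRAN:
# M3UA/SCCP/GSM MAP), GTP-C on UDP 2123. Everything else is dropped before
# any dissector sees it, which is what actually cuts the processing load.
signaling_capture_filter() {
    printf '%s' 'port 5060 or tcp port 5061 or sctp or udp port 2123'
}

# dumpcap ring buffer: a new file every hour, at most 48 files kept, so the
# capture never stops and disk usage stays bounded (see -b in dumpcap(1)).
capture_cmd() {
    printf '%s' "dumpcap -i $IFACE -f '$(signaling_capture_filter)' -b duration:3600 -b files:48 -w $OUT_DIR/signaling.pcapng"
}

# Read-back pass: the run-time counterpart to dropping dissectors from
# DISSECTOR_SRC at build time. --disable-protocol turns a dissector off
# without recompiling (names as used in display filters; diameter and s1ap
# are examples of SCTP-borne protocols you might not care about); -Y keeps
# only the signaling frames; -T fields / -e writes the chosen fields as text.
dissect_cmd() {
    printf '%s' "tshark -r $1 --disable-protocol diameter --disable-protocol s1ap -Y 'sip or gsm_map or sccp' -T fields -e frame.time -e ip.src -e ip.dst -e sip.Method -e _ws.col.Info"
}

# Usage: sh capture.sh start      -> start the continuous capture
#        sh capture.sh dissect F  -> extract signaling fields from file F
case "${1:-}" in
    start)   mkdir -p "$OUT_DIR"; eval "$(capture_cmd)" ;;
    dissect) eval "$(dissect_cmd "$2")" ;;
esac
```

Run the script as root (or with capture privileges) for `start`; the `dissect` pass needs no privileges and can run on files the ring buffer has already rotated out of.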
