Using SLL dissector output in own dissector?
Hello,
I've cobbled together my very first dissector today to decode an internal company protocol, identified by EtherType = 0x88aa.
We capture traffic in a Linux-derived computer unit using tcpdump and so the Wireshark trace includes "Linux cooked capture" of the first few octets.
I've worked around this and managed to get my dissector working on the "unicast to us (0)" packets just as I need:
0000 00 00 00 01 00 06 02 00 00 80 3b 30 00 00 88 aa
0010 01 3b 00 10 09 00 00 00 00 10 09 7b 00 00 05 00
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0030 00 00 22 00 00 30 00 00 00 00 00 00 00 00 a0 90
0040 3b 00 02 00 00 01 3b 00 02 00 00 80 3b 20 02 00
0050 00 80 3b 30
Frame 9078: 84 bytes on wire (672 bits), 84 bytes captured (672 bits)
Linux cooked capture
Packet type: Unicast to us (0)
Link-layer address type: 1
Link-layer address length: 6
Source: 02:00:00:80:3b:30 (02:00:00:80:3b:30)
Unused: 0000
Protocol: Unknown (0x88aa)
Nokia EMB Protocol
EMB header version: 0x01
DMX message length: 34
DMX computer: 0x00003000
DMX family: OMU-0 (0x00000000)
DMX message number: EPO_SYNC_MSG_S (0x000090a0)
DMX phys_computer: GISU-1 (0x0000003b)
However, I'd like to also decode the "sent by us (4)" packets too:
0000 00 04 00 01 00 06 02 00 00 80 73 30 00 00 88 aa
0010 02 00 00 80 00 30 02 00 00 80 73 30 88 aa 01 73
0020 00 d2 81 80 3b 20 02 63 86 68 00 00 05 00 00 00
0030 00 30 73 30 6b 06 00 00 00 80 00 00 e8 8d 73 00
0040 22 00 00 30 00 00 00 00 00 00 00 00 a0 90 73 00
0050 02 00 00 01 73 00 02 00 00 80 73 20 02 00 00 80
0060 73 30
Frame 9081: 98 bytes on wire (784 bits), 98 bytes captured (784 bits)
Linux cooked capture
Packet type: Sent by us (4)
Link-layer address type: 1
Link-layer address length: 6
Source: 02:00:00:80:73:30 (02:00:00:80:73:30)
Unused: 0000
Protocol: Unknown (0x88aa)
Nokia EMB Protocol
EMB header version: 0x02
My dissector really needs to start at octet 2 as this is the payload I want to decode.
So is there any way, in my dissector, I can check the sll.pkttype value that the SLL dissector generates? If it's LINUX_SLL_OUTGOING (0x0004) then my dissector can handle the rest of the message, but my dissector can only see from octet 16, after the SLL dissector has had its fill.
Will continue researching.
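One way to do this from a Lua dissector, as an added example that is not from the original post: register a Field extractor for sll.pkttype at script load time and, when it reads 4 (LINUX_SLL_OUTGOING), skip the 14-octet Ethernet header (dst, src, type) that the outgoing frames carry ahead of the payload, which is visible in the second dump where 88 aa repeats 12 octets into the payload. The protocol name, field names and the one decoded field are assumptions; the real EMB/DMX layout is not given in the post.

```lua
-- Example Lua dissector for EtherType 0x88aa that reuses the SLL dissector's
-- packet-type field. Names are placeholders, not the poster's real dissector.
local emb = Proto("emb_example", "Nokia EMB Protocol (example)")

local f_version = ProtoField.uint8("emb_example.version", "EMB header version", base.HEX)
emb.fields = { f_version }

-- Field extractor: must be created at load time, outside the dissector function.
-- Calling it inside the dissector returns the FieldInfo the SLL dissector already
-- added to this frame's tree, or nil if the frame has no Linux cooked header.
local sll_pkttype = Field.new("sll.pkttype")

local LINUX_SLL_OUTGOING = 4   -- "Sent by us (4)" in the SLL header
local ETH_HDR_LEN = 14         -- dst MAC (6) + src MAC (6) + EtherType (2)
local EMB_ETHERTYPE = 0x88aa

function emb.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = emb.name
    local offset = 0

    local pkttype = sll_pkttype()
    if pkttype and pkttype() == LINUX_SLL_OUTGOING then
        -- Outgoing frames embed a full Ethernet header before the EMB payload.
        -- Only skip it if the inner EtherType really is 0x88aa, so a frame that
        -- does not match the assumption is still decoded from octet 0.
        if tvb:len() >= ETH_HDR_LEN
           and tvb(ETH_HDR_LEN - 2, 2):uint() == EMB_ETHERTYPE then
            tree:add(tvb(0, ETH_HDR_LEN), "Embedded Ethernet header (outgoing frame)")
            offset = ETH_HDR_LEN
        end
    end

    if tvb:len() <= offset then
        return 0   -- nothing left to decode
    end

    local subtree = tree:add(emb, tvb(offset))
    subtree:add(f_version, tvb(offset, 1))          -- 0x01 in both dumps after the skip
    if tvb:len() > offset + 1 then
        subtree:add(tvb(offset + 1), "EMB/DMX payload (decoding not shown here)")
    end
    return tvb:len()
end

-- The SLL dissector hands EtherType-framed payloads to the "ethertype" table.
DissectorTable.get("ethertype"):add(EMB_ETHERTYPE, emb)
```

Load it from the Wireshark plugins directory (or with -X lua_script:), then confirm in frame 9081 that the version field reads 0x01 instead of 0x02.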