Writing a custom Wireshark dissector plugin

I’ve been spending a little time recently writing a custom Wireshark dissector plugin for the UDT protocol. This didn’t prove to be that difficult once I got over the initial problem of actually getting the Wireshark source to build with VS2008. My problem was that I’d found a CodeProject article which is now slightly out of date and which I followed too closely, setting up the Platform SDK version that the article stated was required. In fact the source code has moved on since then and now needs a later version. Eventually I switched to using the latest Platform SDK and things built fine. I expect they’d also build fine on a straight VS2008 system with no additional Platform SDK installed, but I haven’t tried that yet.

Anyway, once you have the source building the CodeProject article by Ken Thompson on writing a custom dissector is quite useful; it’s certainly a great kick start into developing a plugin. Then, of course, there’s the source code to the standard plugins and the official developer Readme file.

Building a dissector for a relatively simple protocol such as UDT is pretty easy and didn’t take very long, and it’s well worth doing if you’re working with protocols that Wireshark doesn’t understand as standard. It’s much, much easier to look at a packet trace with even a partially completed custom dissector than to stare at raw UDP packets and do the decode in your head.

Of course, having built my dissector I now realise that the reason I was having trouble doing a decode in my head was that the example UDT client and server speak a slightly different protocol to the one that’s documented in the unofficial UDT protocol specification document.

Looks like “check that the documentation is up to date” is becoming a bit of a theme with my UDT work.