Writing a custom Wireshark dissector plugin


I've been spending a little time recently writing a custom Wireshark dissector plugin for the UDT protocol. This didn't prove to be that difficult once I got over the initial problem of actually getting the Wireshark source to build with VS2008. My problem was that I'd found a CodeProject article which is now slightly out of date and which I followed too closely - setting up the Platform SDK version that the article stated was required. In fact the source code has moved on since then and now needs a later version. Eventually I switched to using the latest Platform SDK and things built fine. I expect they'd also build fine with a straight VS2008 system with no additional Platform SDK installed but I haven't tried that yet.

Anyway, once you have the source building the CodeProject article by Ken Thompson on writing a custom dissector is quite useful; it's certainly a great kick start into developing a plugin. Then, of course, there's the source code to the standard plugins and the official developer Readme file.

Building a dissector for a relatively simple protocol such as UDT is pretty easy and didn't take very long, and it's well worth doing if you're working with protocols that Wireshark doesn't understand as standard. It's much, much easier to look at a packet trace with even a partially completed custom dissector than to look at raw UDP payloads and do the decode in your head.

Of course, having built my dissector I now realise that the reason I was having trouble doing a decode in my head was that the example UDT client and server speak a slightly different protocol to the one that's documented in the unofficial UDT protocol specification document.
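To make the "decode in your head" point concrete, here is a stand-alone decoder for the fixed 16-byte UDT header, which is the first thing any UDT dissector has to pull apart. This is an added example, not the plugin code from this post; it is plain Python rather than a Wireshark plugin, and the field layout is taken from the unofficial draft specification (assumed here to be the IETF draft-gg-udt document). Since the post notes that the example client and server deviate from that draft, the layout below is the draft's, and the sample packets are constructed for the example rather than captured.

```python
"""Stand-alone decoder for the 16-byte UDT packet header.

Added example, not the author's Wireshark plugin. Field layout follows the
unofficial UDT draft specification (assumption: draft-gg-udt). The reference
UDT client/server are reported to deviate from the draft, so this decodes the
documented layout, not necessarily what a given implementation sends.
"""
import struct

UDT_HEADER_LEN = 16

# Control packet types from the draft (bits 1-15 of the first word).
CONTROL_TYPES = {
    0x0000: "handshake",
    0x0001: "keep-alive",
    0x0002: "ack",
    0x0003: "nak",
    0x0004: "congestion-warning",
    0x0005: "shutdown",
    0x0006: "ack2",
    0x0007: "message-drop-request",
    0x0008: "error-signal",
    0x7FFF: "user-defined",
}

# Packet boundary flags (bits 32-33 of a data packet).
BOUNDARY = {0b10: "first", 0b00: "middle", 0b01: "last", 0b11: "solo"}


def decode_udt_header(payload: bytes) -> dict:
    """Decode the UDT header at the start of a UDP payload.

    Raises ValueError on a truncated header, which a dissector should report
    rather than read past the end of the buffer.
    """
    if len(payload) < UDT_HEADER_LEN:
        raise ValueError("UDT header truncated: %d bytes" % len(payload))
    # All four 32-bit words are network byte order.
    w0, w1, timestamp, dst_socket = struct.unpack("!IIII", payload[:UDT_HEADER_LEN])
    hdr = {
        "timestamp": timestamp,
        "dst_socket_id": dst_socket,
        "payload_len": len(payload) - UDT_HEADER_LEN,
    }
    if w0 & 0x80000000:
        # Control packet: bit 0 = 1, bits 1-15 type, bits 16-31 reserved,
        # bits 32-63 additional info (e.g. the ACK sequence number for an ACK).
        ctype = (w0 >> 16) & 0x7FFF
        hdr.update(
            kind="control",
            control_type=ctype,
            control_name=CONTROL_TYPES.get(ctype, "unknown(0x%04x)" % ctype),
            reserved=w0 & 0xFFFF,
            additional_info=w1,
        )
    else:
        # Data packet: bit 0 = 0, bits 1-31 sequence number; second word is
        # 2 bits boundary flags, 1 bit in-order flag, 29 bits message number.
        hdr.update(
            kind="data",
            seq_number=w0 & 0x7FFFFFFF,
            boundary=BOUNDARY[(w1 >> 30) & 0b11],
            in_order=bool((w1 >> 29) & 1),
            msg_number=w1 & 0x1FFFFFFF,
        )
    return hdr


def summarize(hdr: dict) -> str:
    """One-line summary, the sort of text a dissector puts in the Info column."""
    if hdr["kind"] == "control":
        return "UDT %s info=%d dst=0x%x" % (
            hdr["control_name"], hdr["additional_info"], hdr["dst_socket_id"])
    return "UDT data seq=%d msg=%d %s%s len=%d dst=0x%x" % (
        hdr["seq_number"], hdr["msg_number"], hdr["boundary"],
        " in-order" if hdr["in_order"] else "", hdr["payload_len"],
        hdr["dst_socket_id"])


# Constructed sample packets (not captured traffic).
# Data packet: seq 16, first fragment of message 7, in-order, 4 bytes of body.
SAMPLE_DATA = struct.pack("!IIII", 16, (0b10 << 30) | (1 << 29) | 7, 1000, 0x1234) + b"abcd"
# Control packet: ACK (type 2) acknowledging up to sequence number 42.
SAMPLE_ACK = struct.pack("!IIII", 0x80000000 | (0x0002 << 16), 42, 2000, 0x1234)

if __name__ == "__main__":
    for pkt in (SAMPLE_DATA, SAMPLE_ACK):
        print(summarize(decode_udt_header(pkt)))
```

Hooking this into a real dissector means doing the same reads with `tvb_get_ntohl()` and registering the fields with `proto_register_field_array()`, but the bit positions and the truncation check are the part worth getting right first; everything else is presentation.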

Looks like "check that the documentation is up to date" is becoming a bit of a theme with my UDT work.

3 Comments

Dear Mr. Len Holgate,

I need to build a wireshark dissector plugin for UDT also. Could you send me the code you have written?

Marcos,

I had a rather unfortunate virtual machine accident whereby I've lost the machine I was hacking around with the dissector on... It wasn't named what I thought...

Anyway, my UDT work is on hold at present which means I haven't bothered trying to find the machine more than a couple of times. I'll take a look today and see if I can find it. I hope it wasn't deleted in my last 'clean up of old machines that are taking up too much space'.

I hadn't set up the code in svn as it was just a quick test hack, but hopefully it won't take me too long to reproduce it from my notes if I have lost the VM for good.

Sorry.

Dear Mr. Len Holgate,

Thanks for your reply! I'll wait for your search.

Thanks in advance!

Regards,

Marcos
