Wireshark Generic Dissector

2013/06/09

NB: this FAQ is corresponding to the current library/code.
Old library/code could have different behavior.

Limitations

Please note that Generic Dissector is not intended to :
- be able to manage all (kind of) protocols
- replace existing C or LUA dissectors
- have high performances

Performance (memory and cpu) will be a real problem if you have a lot of fields to manage.
E.g, raw(1240) is only 1 field : no problem.
But uint8[1240] is 1240 fields -> performance problem.

Not managed :
- uint64 (use int64 instead)
- text protocols (e.g. HTTP)
- more than 20 protocols (you really need more ??? send me a mail)
- automatic creation of a coloring rule to show packet containing wrong data

If you have erroneous behavior without any error/diagnostic output, check wireshark_generic_dissector_traces.txt.
This could happen when errors are inside header.

Bugs

Message identifier not shown inside packet sequence
This could happen in the following case :
packet 1 contains : msg A, msg B and 1st part of msg C
packet 2 contains : last part of msg C, msg D and msg E
Inside packet sequence, for the 2nd packet, you will only see identifier of msg C (not D, not E)

Tips

How to see packets containing errors ?

You can use display filter or coloring rule:
- expert
- expert.severity == error
- expert.severity >= warn
- ...

An error is declared when :
- packet too short
- packet too large
- value which do not respect constraints (see Data format description)
- error specifically declared by user (see command error, fatal)
- ...

I do NOT want to describe entirely my messages ?

Because :
- you do not know the complete message format
- you have no time to do it now
- ...

Then you can use the following syntax at the end of the message description : 

  raw(*)   the_end_of_my_message ;

The * means any size (until the end of the message) including zero bytes.

This syntax is possible only if Generic dissector knows where is the end of the message.
You must define MSG_TOTAL_LENGTH into <file>.wsgd

Another possibility, only if you are sure that 1 packet == 1 message, is to specify into <file>.wsgd :
PACKET_CONTAINS_ONLY_COMPLETE_MSG yes
PACKET_CONTAINS_ONLY_1_MSG yes

You can also use any_type[*] with the same constraints.

If your messages have a fixed size trailer
Then you must also define MSG_TRAILER_LENGTH into <file>.wsgd
So at the end of the message description : 

  raw(*)         the_end_of_my_message ;
  T_my_trailer   the_trailer ;
}

Problems

Wireshark does NOT start

Wireshark does NOT start : Runtime Error window

Absolutely no idea.
Look at wireshark_generic_dissector_traces.txt (set the DEBUG flag in <file>.wsgd).
See How to report a problem.

Wireshark does NOT start : Wireshark Debug Console window

This could be :
- Try to declare a PROTONAME, PROTOSHORTNAME or PROTOABBREV which already exist
- ...

Wireshark starts but
there is an error window about MSVCP71.dll missing

Some needed Microsoft DLL are not installed (or not found).
It should only happen on Windows 7.
You must unzip msvcpr71_7.10.6030.0.zip into the main directory of wireshark.

Wireshark starts but
there is an error window about generic.dll : Could not load module

Some needed Microsoft DLL are not installed (or not found).
You must download and install the good Microsoft Visual C++ Redistributable Package : 

 
  
Wireshark
		VC version
		32 bits
		64 bits
  

  
2.4.x
		VC2013
		download vcredist_x86.exe
		download vcredist_x64.exe
  

  
1.8.x to 2.2.x
		VC2010
		download
		download
  

  
Before 1.8.x
		VC2008
		download
		download


Wireshark starts but
there is an error window (about Generic dissector)

This could be a lot of things :
- error syntax into example_1.wsgd or example_1.fdesc
- find example_1.wsgd but not example_1.fdesc
- PROTOABBREV already exist
- PARENT_SUBFIELD does not exist
- more than 20 files *.wsgd
- ...

Wireshark starts but
I see nothing about my protocol

How to know if the generic dissector dll has been loaded ?

When wireshark succeed to start,
go to :
Help / About Wireshak / Plugins
and search for :
generic.dll

How to know if the generic dissector works effectively ?

When wireshark succeed to start,
go to :
Analyse / Enabled Protocols
and search for a protocol called
Example_1 (or your protocol name)

If you find it, the generic dissector works well (except for the case where PARENT_SUBFIELD does not exist).
If not, you must have seen error windows at wireshark start.

The protocol name is not found into Analyse / Enabled Protocols

- check the dll
- check the name of protocol into *.wsgd
- check the environment variable WIRESHARK_GENERIC_DISSECTOR_DIR (if defined)
- check all the directories where *.wsgd files could be found by the dll
- remove the environment variable
- put directly *.wsgd where is wireshark.exe
- launch wireshark.exe directly :
--- not from a shortcut because the working directory could be different
--- not from a *.pcap file because wireshark.exe is launched where is the *.pcap file

Wireshark starts
the protocol expected is present into Analyse / Enabled Protocols but
I see nothing about my protocol

Check that you have captured some data corresponding to
PARENT_SUBFIELD & PARENT_SUBFIELD_VALUES (into *.wsgd).

If necessary change them.

Where is wireshark_generic_dissector_traces.txt ?

wireshark_generic_dissector_traces.txt is into :
- WIRESHARK_GENERIC_DISSECTOR_TRACES_DIR (if environment variable set)
- directory where Wireshark is launched (if directory is writeable)
- C:\Users\...\Documents

How to report a problem ?

Check the web site to see if there is a newer version (look at Change Log).

Send me a mail with :
- the dll
- the files *.wsgd and *.fdesc
- the file wireshark_generic_dissector_traces.txt (which is into the directory where is launched wireshark)
- windows version
- wireshark version
- ...

CSS Template by Rambling Soul