To define your first protocol with Generic Dissector, you need to create two text files:
- my_first_proto.fdesc
- my_first_proto.wsgd
Your protocol contains a few messages.
You must describe them inside my_first_proto.fdesc.
Let's say your message is identified by a 16-bit integer.
Since you want to display and use a clear name rather than a number, you must use an enum.
enum16 T_my_msg_id
{
    my_msg_Xxx    1001
    my_msg_yYy    1002
    my_msg_zzZ    1003
    # ...
}
All your messages begin with a header that contains at least:
- the message identifier field
- a field giving the length of the message.
And do not forget to specify, at the beginning, the data byte order:
- big endian (also known as network or Motorola order: the bytes are not inverted)
- little endian (also known as Intel order: the bytes are inverted)
struct T_my_msg_header
{
    byte_order big_endian;
    T_my_msg_id msg_id;
    uint16 size_after_header;
    # ...
}
All your messages begin with this header, so each message type starts with a T_my_msg_header field.
The data byte order is already specified inside the header, so it is not repeated here.
struct T_my_msg_xxx
{
    T_my_msg_header header;
    # ...
}
You need to link each message identifier with the corresponding message type.
To do so, you must define a switch whose parameter is the message identifier type.
switch T_my_msg_switch T_my_msg_id
{
case T_my_msg_id::my_msg_Xxx : T_my_msg_xxx "";
case T_my_msg_id::my_msg_yYy : T_my_msg_yyy "";
case T_my_msg_id::my_msg_zzZ : T_my_msg_zzz "";
# ...
default :
    # No time to describe all the messages
    T_my_msg_header header;
    raw(size_after_header) the_end_of_the_message;
}
Then describe the protocol itself (name, transport, header type, length rule) inside my_first_proto.wsgd. See Wsgd file description for more details.
PROTONAME My First Protocol
PROTOSHORTNAME My_First
PROTOABBREV my_first

# Specify when the protocol is used.
# Change the port, at least, to see your data.
PARENT_SUBFIELD tcp.port
PARENT_SUBFIELD_VALUES 20127

MSG_HEADER_TYPE T_my_msg_header
MSG_ID_FIELD_NAME msg_id
MSG_SUMMARY_SUBSIDIARY_FIELD_NAMES size_after_header
MSG_TOTAL_LENGTH size_after_header + 8    # 8 is the size of the header in this example
MSG_MAIN_TYPE T_my_msg_switch(msg_id)

PROTO_TYPE_DEFINITIONS
include my_first_proto.fdesc ;
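As an added example (not Generic Dissector's own code), here is a small Python model of the framing these two files describe: the big-endian header, the MSG_TOTAL_LENGTH = size_after_header + 8 rule that lets the dissector know when a TCP segment is incomplete, the switch on msg_id with its raw default branch, and what happens when the byte order is declared wrongly. It assumes the header fields elided with "# ..." are 4 reserved bytes so the header reaches the 8 bytes the wsgd states; the function names are hypothetical.

```python
import struct

# Constructed model of the my_first_proto framing; not the dissector's code.
HEADER_SIZE = 8             # from MSG_TOTAL_LENGTH = size_after_header + 8
HEADER_FMT_BE = ">HH4s"     # big endian: T_my_msg_id, uint16 size_after_header,
                            # plus 4 assumed reserved bytes for the elided fields
MSG_NAMES = {1001: "my_msg_Xxx", 1002: "my_msg_yYy", 1003: "my_msg_zzZ"}  # enum16


def build_message(msg_id, payload, reserved=b"\0\0\0\0"):
    """Serialise one message in the declared big-endian byte order."""
    return struct.pack(HEADER_FMT_BE, msg_id, len(payload), reserved) + payload


def parse_stream(data):
    """Split a TCP byte stream into messages the way the dissector does with
    MSG_HEADER_TYPE and MSG_TOTAL_LENGTH. Returns (messages, bytes_needed);
    bytes_needed > 0 means the last message is cut and must wait for more data."""
    msgs, off = [], 0
    while off < len(data):
        avail = len(data) - off
        if avail < HEADER_SIZE:                  # not even a full header yet
            return msgs, HEADER_SIZE - avail
        msg_id, size_after_header, _ = struct.unpack_from(HEADER_FMT_BE, data, off)
        total = size_after_header + HEADER_SIZE  # MSG_TOTAL_LENGTH
        if avail < total:                        # header ok, body still missing
            return msgs, total - avail
        body = data[off + HEADER_SIZE:off + total]
        # T_my_msg_switch(msg_id): a named case, or the default branch that
        # keeps the header and exposes the rest as raw(size_after_header)
        name = MSG_NAMES.get(msg_id, "default")
        msgs.append({"msg_id": msg_id, "type": name,
                     "size_after_header": size_after_header,
                     "the_end_of_the_message": body if name == "default" else None})
        off += total
    return msgs, 0


def header_msg_id_little_endian(data):
    """Read msg_id as if byte_order were little_endian: shows why a wrong
    byte_order makes every id land in the default branch."""
    return struct.unpack_from("<H", data, 0)[0]


if __name__ == "__main__":
    stream = build_message(1001, b"hello") + build_message(4242, b"\x01\x02")
    print(parse_stream(stream))            # two messages, 0 bytes needed
    print(parse_stream(stream[:10]))       # [] and 3 bytes still needed
    print(hex(header_msg_id_little_endian(stream)))  # 0xe903, not 1001
```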