A protocol name must be unique: do not choose a name that already exists.
    PROTONAME         Example_1 Protocol
    PROTOSHORTNAME    Example_1               # 1 word only
    PROTOABBREV       example_1               # 1 word lower case only
Specify when the protocol is called.
    PARENT_SUBFIELD          tcp.port
    PARENT_SUBFIELD_VALUES   20027 9807 2002
    PARENT_SUBFIELD_RANGE    <low port> <high port>
If PARENT_SUBFIELD is a string field, PARENT_SUBFIELD_VALUES must also be string values.
In this case, note that 20027 is NOT a string, while "20027" is a string (the quotes are removed).
These parameters can be repeated if there are several parent protocols.
Specify when the protocol is called as a heuristic dissector.
    PARENT_HEURISTIC         tcp
    HEURISTIC_FUNCTION       <heuristic_fct>
You can have many PARENT_HEURISTIC entries, but only 1 (or 0) HEURISTIC_FUNCTION.
A protocol can be its own parent protocol (but not the only one).
Specify when the protocol can be added as a Decode As dissector.
    ADD_FOR_DECODE_AS_TABLE  can.subdissector
You can have many ADD_FOR_DECODE_AS_TABLE entries.
All the following parameters refer to what is defined in the PROTO_TYPE_DEFINITIONS section, that is, what is inside <file>.desc.
    # Message's header type.
    # The beginning of the message.
    # The header must contain MSG_ID_FIELD_NAME, MSG_TITLE and any MSG_SUMMARY_SUBSIDIARY_FIELD_NAMES.
    MSG_HEADER_TYPE                      T_msg_header_type

    # Field which identifies the message type.
    # Must be part of MSG_HEADER_TYPE.
    MSG_ID_FIELD_NAME                    Type

    # Optional parameter.
    # Field displayed in the Info column (instead of MSG_ID_FIELD_NAME).
    # Must be part of MSG_HEADER_TYPE.
    MSG_TITLE                            Msg_Title

    # Optional parameter.
    # Fields displayed in the 1st line.
    # The specified fields must be part of MSG_HEADER_TYPE.
    MSG_SUMMARY_SUBSIDIARY_FIELD_NAMES   Size

    # Optional parameter, but highly recommended and very useful in some cases.
    # Specifies the total length (in bytes) of a message.
    # This length is computed from a field inside the MSG_HEADER_TYPE.
    # If there is a field called Size which specifies the total length of the message:
    MSG_TOTAL_LENGTH                     Size
    # Or if this Size field specifies the length after the header (and the header length is 12):
    MSG_TOTAL_LENGTH                     Size + 12

    # Optional parameter.
    # Specifies the length (in bytes) of the message's header.
    # Must be a constant (not an expression).
    MSG_HEADER_LENGTH                    12

    # Optional parameter.
    # Its only effect is to allow (*) or [*] at the end of the message.
    # Specifies the length (in bytes) of the message's trailer.
    # Must be a constant (not an expression).
    MSG_TRAILER_LENGTH                   3

    # Optional parameter.
    # Default value is "no".
    # If you are sure that your packets always contain complete messages, you can uncomment:
    # PACKET_CONTAINS_ONLY_COMPLETE_MSG  yes

    # Optional parameter.
    # Default value is "no".
    # If you are sure that your packets always contain only 1 message, you can uncomment:
    # PACKET_CONTAINS_ONLY_1_MSG         yes

    # Optional parameter.
    # Default value is "no".
    # If you want to access the Wireshark pinfo, you can uncomment:
    # MANAGE_WIRESHARK_PINFO             yes

    # The main message type.
    # Must begin with the header.
    # Following a basic scheme, it could be a switch case depending on
    # the MSG_ID_FIELD_NAME field which is inside MSG_HEADER_TYPE.
    MSG_MAIN_TYPE                        T_msg_switch(Type)

    # Some protocols have identical message identifiers depending on the emitter.
    # E.g.:
    #   T_msg_action_request   client -> server   with msg id = 23
    #   T_msg_action_report    server -> client   with msg id = 23 also!
    # In this case, you must have 2 switch cases (instead of the previous one).
    # The right one is chosen depending on PARENT_SUBFIELD_VALUES.
    MSG_FROM_MAIN_TYPE                   T_msg_from_switch(Type)
    MSG_TO_MAIN_TYPE                     T_msg_to_switch(Type)
Needed only if you have some data that must be decoded by another (sub) protocol.
You must specify the field name that this (sub) protocol will use in its own PARENT_SUBFIELD parameter.
    # The type of the field must be uint8, uint16, uint24, uint32 or string.
    SUBFIELD   <subfield name>  <subfield type>
    # If you have 2 fields, use the following:
    SUBFIELD   <pseudo subfield name>  <subfield type>  from  <real_field_1>  <real_field_2>
Then you must use subproto or insproto in <file>.desc.
    # Optional parameter.
    # The global data type.
    # Must be a struct.
    # Must contain only variables.
    GLOBAL_DATA_TYPE   T_global_data
You can then use all the variables defined in this struct anywhere.
You must use the full variable name, prefixed by "global.".
    # Optional parameter(s).
    # Add menu(s) into Statistics menu.
    STATISTICS  "menu name"          [ "topic name" field_name ]
    STATISTICS  "menu name2"         [ "topic name" field_name, ..., "topic nameN" field_nameN ]
    STATISTICS  "another menu name"  [ "sub menu name1" [ "topic name1" field_name1, ..., "topic name1N" field_name1N ],
                                       ...,
                                       "sub menu nameN" [ "topic nameN" field_nameN ],
                                     ]
At the end of the file only.
Can contain many includes.
    PROTO_TYPE_DEFINITIONS

    # Debug flag only for interpreting the types
    # DEBUG

    include  example_1.fdesc ;
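Several of the constraints stated above (one-word names, at most one HEURISTIC_FUNCTION, constant header and trailer lengths, PROTO_TYPE_DEFINITIONS last) can be checked before a file is loaded into Wireshark. The Python linter below is an added example, not part of the Generic Dissector project; the name lint_wsgd, the sample file and the keyword-prefix heuristic are constructed for illustration, and it assumes that `#` starts a comment anywhere on a line.

```python
import re

# Constructed sample built from the parameters documented on this page.
GOOD = """\
PROTONAME Example_1 Protocol
PROTOSHORTNAME Example_1   # 1 word only
PROTOABBREV example_1
PARENT_SUBFIELD tcp.port
PARENT_SUBFIELD_VALUES 20027 9807 2002
MSG_TOTAL_LENGTH Size + 12
MSG_HEADER_LENGTH 12
MSG_MAIN_TYPE T_msg_switch(Type)
PROTO_TYPE_DEFINITIONS
include example_1.fdesc ;
"""

# Heuristic: prefixes of the header keywords described on this page.
HEADER_KEY = re.compile(r"(PROTO|PARENT_|MSG_|HEURISTIC_|SUBFIELD|STATISTICS|GLOBAL_DATA_TYPE)")

def lint_wsgd(text):
    """Return a list of violations of the rules stated in the text above."""
    params, after_defs, errors = [], False, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # assumption: '#' starts a comment
        if not line:
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key == "PROTO_TYPE_DEFINITIONS":
            after_defs = True
        elif after_defs and HEADER_KEY.match(key):
            errors.append(f"{key}: PROTO_TYPE_DEFINITIONS must be at the end of the file")
        elif not after_defs:
            params.append((key, value.strip()))
    def values(name):
        return [v for k, v in params if k == name]
    for v in values("PROTOSHORTNAME"):
        if len(v.split()) != 1:
            errors.append("PROTOSHORTNAME: 1 word only")
    for v in values("PROTOABBREV"):
        if len(v.split()) != 1 or v != v.lower():
            errors.append("PROTOABBREV: 1 word lower case only")
    if len(values("HEURISTIC_FUNCTION")) > 1:
        errors.append("HEURISTIC_FUNCTION: only 1 (or 0) allowed")
    for name in ("MSG_HEADER_LENGTH", "MSG_TRAILER_LENGTH"):
        for v in values(name):
            if not v.isdigit():                  # "Size + 12" is an expression
                errors.append(f"{name}: must be a constant, not an expression")
    return errors
```

MSG_TOTAL_LENGTH is deliberately not checked for constancy, since the page allows an expression such as Size + 12 there.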