Wireshark supports Windows natively via the Windows API. Note that in this documentation and elsewhere we tend to use the terms “Win32”, “Win”, and “Windows” interchangeably to refer to the Windows API. Wireshark runs on and can be compiled on the following platforms:

Development on Windows Vista, Server 2008, and older versions may be possible but is not supported.

Most of Wireshark is implemented in plain ANSI C. A notable exception is the code in ui/qt, which is written in C++.

The typical task for a new Wireshark developer is to extend an existing, or write a new dissector for a specific network protocol. As (almost) any dissector is written in plain old ANSI C, a good knowledge about ANSI C will be sufficient for Wireshark development in almost any case.

So unless you are going to change the build process of Wireshark itself, you won’t come in touch with any other programming language than ANSI C (such as Perl or Python, which are used only in the Wireshark build process).

Beside the usual tools for developing a program in C (compiler, make, …​), the build process uses some additional helper tools (Perl, Python, Sed, …​), which are needed for the build process when Wireshark is to be build and installed from the released source packages. If Wireshark is installed from a binary package, none of these helper tools are needed on the target system.

Wireshark is an open source software (OSS) project, and is released under the GNU General Public License (GPL). You can freely use Wireshark on any number of computers you like, without worrying about license keys or fees or such. In addition, all source code is freely available under the GPL. Because of that, it is very easy for people to add new protocols to Wireshark, either as plugins, or built into the source, and they often do!

You are welcome to modify Wireshark to suit your own needs, and it would be appreciated if you contribute your improvements back to the Wireshark community.

You gain three benefits by contributing your improvements back to the community:

The Wireshark source code and binary packages for some platforms are all available on the download page of the Wireshark website: https://www.wireshark.org/download.html.

Binary distributions are usually easy to install (as simply starting the appropriate file is usually the only thing to do). They are available for the following systems:

However, if you want to start developing with Wireshark, the binary distributions won’t be too helpful, as you need the source files, of course.

For details about how to build these binary distributions yourself, e.g. if you need a distribution for a special audience, see Section 3.11, “Binary packaging”.

It’s still common for UNIX developers to give the end user a source tarball and let the user compile it on their target machine (configure, make, make install). However, for different UNIX (Linux) distributions it’s becoming more common to release binary packages (e.g. .deb or .rpm files) these days.

You should use the released sources if you want to build Wireshark from source on your platform for productive use. However, if you going to develop changes to the Wireshark sources, it might be better to use the latest GIT sources. For details about the different ways to get the Wireshark source code see Section 3.3, “Obtain the Wireshark sources”.

Before building Wireshark from a source distribution, make sure you have all the tools and libraries required to build. The following chapters will describe the required tools and libraries in detail.

The Buildbot will do the following (to a different degree on the different platforms):

Each step is represented at the status page by a rectangle, green if it succeeded or red if it failed. Most steps provide a link to the corresponding console logfile, to get additional information.

The Buildbot runs on a platform collection that represents the different "platform specialties" quite well:

and two buildslaves that run static code analysis to help spot coding issues:

Each platform is represented at the status page by a single column, the most recent entries are at the top.

You will find lots of useful information on the Wireshark homepage at https://www.wireshark.org/.

The Wireshark Wiki at https://wiki.wireshark.org/ provides a wide range of information related to Wireshark and packet capturing in general. You will find a lot of information not part of this developer’s guide. For example, there is an explanation how to capture on a switched network, an ongoing effort to build a protocol reference and a lot more.

And best of all, if you would like to contribute your knowledge on a specific topic (maybe a network protocol you know well), you can edit the Wiki pages by simply using your webbrowser.

The "Frequently Asked Questions" will list often asked questions and the corresponding answers.

Before sending any mail to the mailing lists below, be sure to read the FAQ, as it will often answer any questions you might have. This will save yourself and others a lot of time. Keep in mind that a lot of people are subscribed to the mailing lists.

You will find the FAQ inside Wireshark by clicking the menu item Help/Contents and selecting the FAQ page in the upcoming dialog.

An online version is available at the Wireshark website: https://www.wireshark.org/faq.html. You might prefer this online version as it’s typically more up to date and the HTML format is easier to use.

If you don’t find the information you need inside this book, there are various other sources of information:

	Read the README
	README.developer is packed full with all kinds of details relevant to the developer of Wireshark source code. Its companion file README.dissector advises you around common pitfalls, shows you basic layout of dissector code, shows details of the APIs available to the dissector developer, etc.

There are several mailing lists available on specific Wireshark topics:

You can subscribe to each of these lists from the Wireshark web site: https://www.wireshark.org/lists/. From there, you can choose which mailing list you want to subscribe to by clicking on the Subscribe/Unsubscribe/Options button under the title of the relevant list. The links to the archives are included on that page as well.

	The archives are searchable
	You can search in the list archives to see if someone previously asked the same question and maybe already got an answer. That way you don’t have to wait until someone answers your question.

The Wireshark community collects bug reports in a Bugzilla database at https://bugs.wireshark.org/. This database is filled with manually filed bug reports, usually after some discussion on wireshark-dev, and automatic bug reports from the Buildbot tools.

The Wireshark Q&A site at https://ask.wireshark.org/ offers a resource where questions and answers come together. You have the option to search what questions were asked before and what answers were given by people who knew about the issue. Answers are graded, so you can pick out the best ones easily. If your issue isn’t discussed before you can post one yourself.

	Test with the latest version
	Before reporting any problems, please make sure you have installed the latest version of Wireshark. Reports on older maintenance releases are usually met with an upgrade request.

If you report problems, provide as much information as possible. In general, just think about what you would need to find that problem, if someone else sends you such a problem report. Also keep in mind that people compile/run Wireshark on a lot of different platforms.

When reporting problems with Wireshark, it is helpful if you supply the following information:

	Don’t send large files
	Do not send large files (>100KB) to the mailing lists, just place a note that further data is available on request. Large files will only annoy a lot of people on the list who are not interested in your specific problem. If required, you will be asked for further data by the persons who really can help you.

	Don’t send confidential information
	If you send captured data to the mailing lists, or add it to your bug report, be sure it doesn’t contain any sensitive or confidential information, such as passwords. Visibility of such files can be limited to certain groups in the Bugzilla database though.

When reporting crashes with Wireshark, it is helpful if you supply the traceback information (besides the information mentioned in Section 1.7.8, “Reporting Problems”).

You can obtain this traceback information with the following commands:

$ gdb `whereis wireshark | cut -f2 -d: | cut -d' ' -f2` core >& bt.txt
backtrace
^D
$

Using GDB

Type the characters in the first line verbatim. Those are back-tics there. backtrace is a gdb command. You should enter it verbatim after the first line shown above, but it will not be echoed. The ^D (Control-D, that is, press the Control key and the D key together) will cause gdb to exit. This will leave you with a file called bt.txt in the current directory. Include the file with your bug report. If you do not have gdb available, you will have to check out your operating system’s debugger.

You should mail the traceback to wireshark-dev[AT]wireshark.org or attach it to your bug report.

You can download Windows debugging symbol files (.pdb) from the following locations:

Files are named "Wireshark-pdb-winbits-x.y.z.zip" to match their corresponding "Wireshark-winbits-x.y.z.exe" installer packages.

You need to install, in exactly this order:

Select the "Custom" install and then uncheck all the optional components other than "Common Tools for Visual C++ 2015" (unless you want to use them for purposes other than Wireshark).

You can use Chocolatey to install Visual Studio, to correctly configure the installation, copy the deployment XML file msvc2015AdminDeployment.xml from the source code tools directory and pass the path the file to the chocolatey install command:

PS$>choco install -y VisualStudio2015Community --timeout 0 -package-parameters "--AdminFile path\to\msvc2015AdminDeployment.xml"

You can use other Microsoft C compiler variants, but VS2015 is used to build the development releases and is the preferred option. It’s possible to compile Wireshark with a wide range of Microsoft C compiler variants. For details see Section 4.6, “Microsoft compiler toolchain (Windows native)”.

You may have to do this as Administrator.

Compiling with gcc or Clang is not recommended and will certainly not work (at least not without a lot of advanced tweaking). For further details on this topic, see Section 4.5, “GNU compiler toolchain (UNIX only)”. This may change in future as releases of Visual Studio add more cross-platform support.

Why is this recommended? While this is a huge download, Visual Studio 2015 Community Edition is the only free (as in beer) versions that includes the Visual Studio integrated debugger. Visual Studio 2015 is also used to create official Wireshark builds, so it will likely have fewer development-related problems.

The main Wireshark application uses the Qt windowing toolkit. To install Qt download the Qt Online Installer for Windows from the Qt Project "Download Open Source" page and select a component that matches your target system and compiler. For example, the “msvc2015 64-bit” component is used to build the official 64-bit packages. You can deselect all the Qt xxxx (e.g. Qt Charts) components as they aren’t required.

Note that installation of separate Qt components are required for 32 bit and 64 bit builds, e.g. “msvc2015 32-bit” and “msvc2015 64-bit”. The environment variable QT5_BASE_DIR should be set as appropriate for your environment and should point to the Qt directory that contains the bin directory, e.g. C:\Qt\5.9.1\msvc2015_64

The Qt maintenance tool (C:\Qt\MaintenanceTool.exe) can be used to upgrade Qt to newer versions.

Chocolatey is a native package manager for Windows. There are packages for most of the software listed below. Along with traditional Windows packages it supports the Python Package Index and Cygwin.

Chocolatey tends to install packages into its own path (%ChocolateyInstall%). In most cases this is OK, but in some instances (Python in particular) this might not be what you want. You can install Chocolatey packages using the command choco install.

> rem Flex and Bison are required.
> choco install -y winflexbison
> rem Git, CMake, Perl, Python, etc are also required, but can be installed
> rem via their respective installation packages.
> choco install -y git cmake
> rem Choose one of Strawberry...
> choco install -y strawberryperl
> rem ...or ActiveState Perl
> choco install -y activeperl
> rem This will likely install Python in a non-standard location, but
> rem should otherwise work.
> choco install -y python3

On 32-bit Windows, download the 32-bit Cygwin installer and start it. On 64-bit Windows, download the 64-bit Cygwin installer and start it.

	Cygwin is no longer required
	In the past the Wireshark development toolchain depended on Cygwin, but it it no longer required. Although you can often use the Cygwin version of a particular tool for Wireshark development that’s not always the case.

At the "Select Packages" page, you’ll need to select some additional packages which are not installed by default. Navigate to the required Category/Package row and, if the package has a "Skip" item in the "New" column, click on the "Skip" item so it shows a version number for:

You might also have to install

if installing Devel/bison doesn’t provide a working version of Bison. If m4 is missing bison will fail.

After clicking the Next button several times, the setup will then download and install the selected packages (this may take a while).

Alternatively you can install Cygwin and its packages using Chocolatey:

PS$>choco install -y cygwin
PS$>choco install -y cyg-get

Chocolatey installs Cygwin in C:\tools\cygwin by default.

You can directly download packages via cyg-get

PS$>cyg-get docbook-xml45 [...]

Get the Python 3.5 or 2.7 installer from http://python.org/download/ and install Python into the default location (C:\Python35 or C:\Python27).

Why is this recommended? Cygwin’s /usr/bin/python is a Cygwin-specific symbolic link which cannot be run from Windows. The native package is faster as well.

Alternatively you can install Python using Chocolatey:

PS$>choco install -y python3

or

PS$>choco install -y python2

Chocolatey installs Python in C:\tools\python3 and C:\tools\python2 by default.

Please note that the following is not required to build Wireshark but can be quite helpful when working with the sources.

Working with the Git source repositories is highly recommended, as described in Section 3.3, “Obtain the Wireshark sources”. It is much easier to update a personal source tree (local repository) with Git rather than downloading a zip file and merging new sources into a personal source tree by hand. It also makes first-time setup easy and enables the Wireshark build process to determine your current source code revision.

There are several ways in which Git can be installed. Most packages are available at the URLs below or via Chocolatey. Note that many of the GUI interfaces depend on the command line version.

If installing the Windows version of git select the Use Git from the Windows Command Prompt (in chocolatey the /GitOnlyOnPath option). Do not select the Use Git and optional Unix tools from the Windows Command Prompt option (in chocolatey the /GitAndUnixToolsOnPath option).

PS$> choco install -y git

Get the CMake installer from https://cmake.org/download/ and install CMake into the default location. Ensure the directory containing cmake.exe is added to your path.

Alternatively you can install CMake using Chocolatey:

PS$>choco install -y cmake

Chocolatey ensures cmake.exe is on your path.

Asciidoctor can be run directly as a Ruby script or via a Java wrapper (AsciidoctorJ). It is used in conjunction with Xsltproc and DocBook to generate the documenation you’re reading and the User’s Guide.

The easiest way to install them on Windows is via Chocolatey:

PS$>choco install -y asciidoctorj xsltproc docbook-bundle

Chocolatey ensures that asciidoctorj.exe and xsltproc.exe is on your path and that xsltproc uses the DocBook catalog.

	Make sure everything works
	It’s a good idea to make sure Wireshark compiles and runs at least once before you start hacking the Wireshark sources for your own project. This example uses Git Extensions but any other Git client should work as well.

Download sources Download Wireshark sources into C:\Development\wireshark using either the command line or Git Extensions:

Using the command line:

>cd C:\Development
>git clone https://code.wireshark.org/review/wireshark

Using Git extensions:

From the Start Menu (or Start Screen), navigate to the ‘Visual Studio 2015’ folder and choose the Command Prompt appropriate for the build you wish to make, e.g. ‘VS2015 x64 Native Tools Command Prompt’ for a 64-bit version or ‘VS2015 x86 Native Tools Command Prompt’ for a 32-bit version. Depending on your version of Windows the Command Prompt list might be directly under ‘Visual Studio 2015’ or you might have to dig for it under multiple folders, e.g. ‘Visual Studio 2015 → Visual Studio Tools → Windows Desktop Command Prompts’.

	Pin the items to the Task Bar
	Pin the Command Prompt you use to the Task Bar for easy access.

All subsequent operations take place in this Command Prompt window.

CMake is used to process the CMakeLists.txt files in the source tree and produce build files appropriate for your system.

You can generate Visual Studio solution files to build either from within Visual Studio, or from the command line with MSBuild. CMake can also generate other build types but they aren’t supported.

The initial generation step is only required the first time a build directory is created. Subsequent builds will regenerate the build files as required.

If you’ve closed the Visual Studio Command Prompt prepare it again.

To generate the build files enter the following at the Visual Studio command prompt:

> cmake -G "Visual Studio 14 2015" ..\wireshark

Adjusting the paths as required to Python and the wireshark source tree. To use a different generator modify the -G parameter. cmake -G lists all the CMake supported generators, but only Visual Studio is supported for Wireshark builds.

To build an x64 version, the -G parameter must have a Win64 suffix, e.g. -G "Visual Studio 14 2015 Win64":

> cmake -G "Visual Studio 14 2015 Win64" ..\wireshark

The CMake generation process will download the required 3rd party libraries (apart from Qt) as required, then test each library for usability before generating the build files.

At the end of the CMake generation process the following should be displayed:

-- Configuring done
-- Generating done
-- Build files have been written to: C:/Development/wsbuild32

If you get any other output, there is an issue in your envirnment that must be rectified before building. Check the parameters passed to CMake, especially the -G option and the path to the Wireshark sources and the environment variables WIRESHARK_BASE_DIR and QT5_BASE_DIR.

Now it’s time to build Wireshark!

You may also open the Wireshark solution file (Wireshark.sln) in the Visual Studio IDE and build there.

	Tip
	If compilation fails for suspicious reasons after you changed some source files try to clean the build files by running msbuild /m /p:Configuration=RelWithDebInfo Wireshark.sln /t:Clean and then building the solution again.

The build files produced by CMake will regenerate themselves if required by changes in the source tree.

You can debug using the Visual Studio Debugger or WinDbg. See the section on using the Debugger Tools.

Detailed information to build these guides can be found in the file docbook\README.adoc in the Wireshark sources.

Note: You should have successfully built Wireshark before doing the following.

If you want to build your own Wireshark-win32-2.9.0-myprotocol123.exe, you’ll need NSIS. You can download it from http://nsis.sourceforge.net.

Note that the 32-bit version of NSIS will work for both 32-bit and 64-bit versions of Wireshark. NSIS v3 is required.

Note: If you do not yet have a copy of vcredist_x86.exe or vcredist_x64.exe in ./wireshark-winXX-libs (where XX is 32 or 64) you will need to download the appropriate file and place it in ./wireshark-winXX-libs before starting this step.

If building an x86 version using a Visual Studio “Express” edition or an x64 version with any edition, then you must have the appropriate vcredist file for your compiler in the support libraries directory (vcredist_x86.exe in wireshark-32-libs or vcredist_x64.exe in wireshark-win64-libs).

The files can be located in the Visual Studio install directory for non-Express edition builds, or downloaded from Microsoft for Expresss edition builds.

Note you must use the correct version of vcredist for your compiler, unfortunately they all have the same name (vcredist_x86.exe or vcredist_x64.exe). You can use Windows Explorer and examine the ‘Properties → Details’ tab for a vcredist file to determine which compiler version the file is for use with.

If you’ve closed the Visual Studio Command Prompt prepare it again.

Run

> msbuild /m /p:Configuration=RelWithDebInfo nsis_package_prep.vcxproj
> msbuild /m /p:Configuration=RelWithDebInfo nsis_package.vcxproj

to build a Wireshark installer. If you sign your executables you should do so between the “nsis_package_prep” and “nsis_package” steps.

Run

> packaging\nsis\wireshark-win64-{wireshark-version}-myprotocol123.exe

to test your new installer. It’s a good idea to test on a different machine than the developer machine. Note that if you’ve built an x86 version, the installer name will contain “win32”.

If you need a quick look at the Wireshark source code you can browse the most recent file versions in the master branch using Gitweb:

https://code.wireshark.org/review/gitweb?p=wireshark.git;a=tree

You can also view commit logs, branches, tags, and past revisions:

https://code.wireshark.org/review/gitweb?p=wireshark.git

Like most revision control systems, Git uses branching to manage different copies of the source code and allow parallel development. Wireshark uses the following branches for official releases:

Recommended for development purposes.

Age: a few minutes.

You can use a Git client to download the source code from Wireshark’s code review system. Anyone can clone from the anonymous git URL:

If you create a Gerrit account you can clone from an authenticated URL:

SSH lets you use Gerrit on the command line. HTTP lets you access the repository in environments that block the Gerrit SSH port (29418). At the time of this writing (early 2014) we recommend that you use the SSH interface. However, this may change as more tools take advantage of Gerrit’s HTTP REST API.

The following example shows how to get up and running on the command line. See Section 4.13, “Git client” for information on installing and configuring graphical Git and Gerrit clients.

Recommended for informational purposes only, as only individual files can be downloaded.

Age: a few minutes (same as anonymous Git access).

The entire source tree of the Git repository is available via a web interface at https://code.wireshark.org/review/gitweb?p=wireshark.git. You can view each revision of a particular file, as well as diffs between different revisions. You can also download individual files but not entire directories.

Recommended for development purposes, if direct Git access isn’t possible (e.g. because of a restrictive firewall).

Age: some number of minutes (a bit older than the Git access).

The Buildbot server will automatically start to generate a snapshot of Wireshark’s source tree after a source code change is committed. These snapshots can be found at https://www.wireshark.org/download/automated/src/.

If Git access isn’t possible, e.g. if the connection to the server isn’t possible because of a corporate firewall, the sources can be obtained by downloading the Buildbot snapshots. However, if you are going to maintain your sources in parallel to the "official" sources for some time, it’s recommended to use the anonymous (or authenticated) Git access if possible (believe it, it will save you a lot of time).

Recommended for building pristine packages.

Age: from days to weeks.

The official source releases can be found at https://www.wireshark.org/download.html. You should use these sources if you want to build Wireshark on your platform for with minimal or no changes, such Linux distribution packages.

The differences between the released sources and the sources in the Git repository will keep on growing until the next release is made. (At the release time, the released and latest Git repository versions are identical again :-).

After you clone Wireshark’s Git repository you can update by running

$ git status
$ git pull

Depending on your preferences and work habits you might want to run git pull --rebase or git checkout -b my-topic-branch origin/master instead.

Fetching should only take a few seconds, even on a slow internet connection. It will update your local repository history with changes from the official repository. If you and someone else have changed the same file since the last update, Git will try to merge the changes into your private file (this works remarkably well).

There are several ways to download the Wireshark source code (as described in Section 3.3, “Obtain the Wireshark sources”), but bringing the changes from the official sources into your personal source tree is identical.

First of all, you will download the new .tar.xz file of the official sources the way you did it the first time.

If you haven’t changed anything in the sources, you could simply throw away your old sources and reinstall everything just like the first time. But be sure, that you really haven’t changed anything. It might be a good idea to simply rename the "old" dir to have it around, just in case you remember later that you really did change something before.

If you have changed your source tree, you have to merge the official changes since the last update into your source tree. You will install the content of the .tar.xz file into a new directory and use a good merge tool (e.g. http://winmerge.sourceforge.net/for Win32) to bring your personal source tree in sync with the official sources again.

This method can be problematic and can be much more difficult and error-prone than using Git.

The recommended (and fastest) way to build Wireshark is with CMake and Ninja:

# Starting from your Wireshark source directory, create a build directory
# alongside it.
$ cd ..
$ mkdir wireshark-ninja
$ cd wireshark-ninja
# Assumes your source directory is named "wireshark".
$ cmake -G Ninja ../wireshark
$ ninja (or cmake --build .)

If you need to build with a non-standard configuration, you can run

$ cmake -LH ../wireshark

to see what options you have.

Follow the build procedure in Section 2.2.12, “Build Wireshark” to build Wireshark.

After the build process has successfully finished, you should find a Wireshark.exe and some other files in the run\RelWithDebInfo directory.

After a successful build you can run Wireshark right from the build directory. Still the program would need to know that it’s being run from the build directory and not from its install location. This has an impact on the directories where the program can find the other parts and relevant data files.

In order to run the Wireshark from the build directory set the environment variable WIRESHARK_RUN_FROM_BUILD_DIRECTORY and run Wireshark. If your platform is properly setup, your build directory and current working directory are not in your PATH, so the command line to launch Wireshark would be:

$ WIRESHARK_RUN_FROM_BUILD_DIRECTORY=1 ./wireshark

There’s no need to run Wireshark as root user, you just won’t be able to capture. When you opt to run Wireshark this way, your terminal output can be informative when things don’t work as expected.

During the build all relevant program files are collected in a subdirectory run\RelWithDebInfo. You can run the program from there by launching the Wireshark.exe executable.

You can debug using command-line debuggers such as gdb, dbx, or lldb. If you prefer a graphic debugger, you can use the Data Display Debugger (ddd).

Additional traps can be set on GLib by setting the G_DEBUG environment variable:

$ G_DEBUG=fatal_criticals ddd wireshark

See http://library.gnome.org/devel/glib/stable/glib-running.html

You can debug using the Visual Studio Debugger or WinDbg. See the section on using the Debugger Tools.

Some tips that will make the merging of your changes into Git much more likely (and you want exactly that, don’t you?):

In general, making it easier to understand and apply your patch by one of the maintainers will make it much more likely (and faster) that it will actually be applied.

	Please remember
	Wireshark is a volunteer effort. You aren’t paying to have your code reviewed and integrated.

The core maintainers have done a lot of work fixing bugs and making code compile on the various platforms Wireshark supports.

To ensure Wireshark’s source code quality, and to reduce the workload of the core maintainers, there are some things you should think about before submitting a patch.

	Pay attention to the coding guidelines
	Ignoring the code requirements will make it very likely that your patch will be rejected.

When you’re satisfied with your changes (and obtained any necessary approval from your organization) you can upload them for review at https://code.wireshark.org/review. This requires a Gerrit Code Review account as described at Section 3.2, “The Wireshark Git repository”.

Changes should be pushed to a magical "refs/for" branch in Gerrit. For example, to upload your new Snowcone Machine Protocol dissector you could push to refs/for/master with the topic "snowcone-machine":

$ git push ssh://my.username@code.wireshark.org:29418/wireshark HEAD:refs/for/master/snowcone-machine

The username my.username is the one which was given during registration with the review system.

If you have git-review installed you can upload the change with a lot less typing:

# Note: The "-f" flag deletes your current branch.
$ git review -f

You can push using any Git client. Many clients have support for Gerrit, either built in or via an additional module.

You might get one of the following responses to your patch request:

If you’re concerned, feel free to add a comment to the patch or send an email to the developer’s list asking for status. But please be patient: most if not all of us do this in our spare time.

When a bug is fixed in the master branch it might be desirable or necessary to backport the fix to a stable branch. You can do this in Git by cherry-picking the change from one branch to another. Suppose you want to backport change 1ab2c3d4 from the master branch to master-1.10. Using "pure Git" commands you would do the following:

# Create a new topic branch for the backport.
$ git checkout -b backport-g1ab2c3d4 origin/master-1.10

# Cherry-pick the change. Include a "cherry picked from..." line.
$ git cherry-pick -x 1ab2c3d4

# If there are conflicts, fix them.

# Compile and test the change.
$ make
$ ...

# OPTIONAL: Add entries to docbook/release-notes.asciidoc.
$ $EDITOR docbook/release-notes.asciidoc

# If you made any changes, update your commit:
$ git commit --amend -a

# Upload the change to Gerrit
$ git push ssh://my.username@code.wireshark.org:29418/wireshark HEAD:refs/for/master-1.10/backport-g1ab2c3d4

If you want to cherry-pick a Gerrit change ID (e.g. I5e6f7890) you can use git review -X I5e6f7890 instead of git cherry-pick and git review instead of git push as described in the previous chapter.

Given the file new.diff containing a unified diff, the right way to call the patch tool depends on what the pathnames in new.diff look like. If they’re relative to the top-level source directory (for example, if a patch to prefs.c just has prefs.c as the file name) you’d run it as:

$ patch -p0 < new.diff

If they’re relative to a higher-level directory, you’d replace 0 with the number of higher-level directories in the path, e.g. if the names are wireshark.orig/prefs.c and wireshark.mine/prefs.c, you’d run it with:

$ patch -p1 < new.diff

If they’re relative to a subdirectory of the top-level directory, you’d run patch in that directory and run it with -p0.

If you run it without -pat all, the patch tool flattens path names, so that if you have a patch file with patches to CMakeLists.txt and wiretap/CMakeLists.txt, it’ll try to apply the first patch to the top-level CMakeLists.txt and then apply the wiretap/CMakeLists.txt patch to the top-level CMakeLists.txt as well.

At which position in the filesystem should the patch tool be called?

If the pathnames are relative to the top-level source directory, or to a directory above that directory, you’d run it in the top-level source directory.

If they’re relative to a subdirectory — for example, if somebody did a patch to packet-ip.c and ran diff or git diff in the epan/dissectors directory — you’d run it in that subdirectory. It is preferred that people not submit patches like that, especially if they’re only patching files that exist in multiple directories such as CMakeLists.txt.

The Debian Package is built using dpkg-buildpackage, based on information found in the source tree under debian. See http://www.debian-administration.org/articles/336 for a more in-depth discussion of the build process.

In the wireshark directory, type:

$ dpkg-buildpackage -rfakeroot -us -uc

to build the Debian Package.

You can build an RPM package using the rpm-package target. The package version is derived from the current git HEAD, so you must build from a git checkout.

The package is built using rpmbuild, which comes as standard on many flavours of Linux, including Red Hat, Fedora, and openSUSE. The process creates a clean build environment in ${CMAKE_BINARY_DIR}/packaging/rpm/BUILD each time the RPM is built. The settings that control the build are in ${CMAKE_SOURCE_DIR}/packaging/rpm/wireshark.spec.in. The generated SPEC file contains CMake flags and other settings for the RPM build environment. Many of these come from the parent CMake environment. Notable ones are:

In your build directory, type:

$ ninja rpm-package
# ...or, if you're using GNU make...
$ make rpm-package

to build the binary and source RPMs. When it is finished there will be a message stating where the built RPM can be found.

	This might take a while
	This creates a tarball, extracts it, compiles Wireshark, and constructs a package. This can take quite a long time. You can speed up the process by using Ninja. If you’re using GNU make you can add the following to your ~/.rpmmacros file to enable parallel builds: %_smp_mflags -j %(grep -c processor /proc/cpuinfo)

Building the RPM package requires quite a few packages and libraries including GLib, gcc, bison, flex, Asciidoctor, and Qt development tools such as uic and moc. The required Qt packages can usually be obtained by installing the qt5-devel package. For a complete list of build requirements, look for the “BuildRequires” lines in packaging/rpm/wireshark.spec.in.

The macOS Package is built using macOS packaging tools, based on information found in the source tree under packaging/macosx. It must be built using CMake. In your build directory, type:

$ make dmg_package

to build the macOS Package.

The Nullsoft Install System is a free installer generator for Windows systems. Instructions on installing it can be found in Section 4.17, “Windows: NSIS (optional)”. NSIS is script based. You can find the main Wireshark installer generation script at packaging/nsis/wireshark.nsi.

When building with CMake you must first build the nsis_package_prep target, followed by the nsis_package target, e.g.

> msbuild /m /p:Configuration=RelWithDebInfo nsis_package_prep.vcxproj
> msbuild /m /p:Configuration=RelWithDebInfo nsis_package.vcxproj

Splitting the packaging projects in this way allows for code signing.

	This might take a while
	Please be patient while the package is compressed. It might take some time, even on fast machines.

If everything went well, you will now find something like: wireshark-setup-2.9.0.exe in the packaging/nsis directory in your build directory.

PortableApps.com is an environment that lets users run popular applications from portable media such as flash drives and cloud drive services.

Install the PortableApps.com Platform. Install for “all users”, which will place it in C:\PortableApps. Add the following apps:

When building with CMake you must first build the nsis_package_prep target (which takes care of general packaging dependencies), followed by the portableapps_package target, e.g.

> msbuild /m /p:Configuration=RelWithDebInfo nsis_package_prep.vcxproj
> msbuild /m /p:Configuration=RelWithDebInfo portableapps_package.vcxproj

	This might take a while
	Please be patient while the package is compressed. It might take some time, even on fast machines.

If everything went well, you will now find something like: WiresharkPortable2.9.0.paf.exe_ in the packaging/portableapps directory.

The GCC C compiler is available for most of the UNIX-like platforms.

If GCC isn’t already installed or available as a package for your platform, you can get it at: http://gcc.gnu.org/.

After correct installation, typing at the bash command line prompt:

$ gcc --version

should result in something like

gcc (Ubuntu 4.9.1-16ubuntu6) 4.9.1
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Your version string may vary, of course.

GDB is the debugger for the GCC compiler. It is available for many (if not all) UNIX-like platforms.

If you don’t like debugging using the command line there are some GUI frontends for it available, most notably GNU DDD.

If gdb isn’t already installed or available as a package for your platform, you can get it at: http://www.gnu.org/software/gdb/gdb.html.

After correct installation:

$ gdb --version

should result in something like:

GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".

Your version string may vary, of course.

The GNU Data Display Debugger is a good GUI frontend for GDB (and a lot of other command line debuggers), so you have to install GDB first. It is available for many UNIX-like platforms.

If GNU DDD isn’t already installed or available as a package for your platform, you can get it at: http://www.gnu.org/software/ddd/.

	GNU make isn’t supported either for Windows
	GNU Make is available for most of the UNIX-like platforms.

If GNU Make isn’t already installed or available as a package for your platform, you can get it at: http://www.gnu.org/software/make/.

After correct installation:

$ make --version

should result in something like:

GNU Make 4.0
Built for x86_64-pc-linux-gnu
Copyright (C) 1988-2013 Free Software Foundation, Inc.
Licence GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Your version string may vary, of course.

The official Wireshark 2.4.x releases are compiled using Microsoft Visual C++ 2015. The Wireshark 2.2.x and 2.0.x releases are compiled using Microsoft Visual C++ 2013. The Wireshark 1.12.x and 1.10.x releases were compiled using Microsoft Visual C++ 2010 SP1. The 1.8 releases were compiled using Microsoft Visual C++ 2010 SP1 as well. The 1.6, 1.4, and 1.2 releases were compiled using Microsoft Visual C++ 2008 SP1. Other past releases, including the 1.0 branch, were compiled using Microsoft Visual C++ 6.0.

Using the release compilers is recommended for Wireshark development work.

The older "Express Edition" compilers such as Visual C++ 2010 Express Edition SP1 can be used but any PortableApps packages you create with them will require the installation of a separate Visual C++ Redistributable package on any machine on which the PortableApps package is to be used. See Section 4.6.4, “C-Runtime "Redistributable" Files” below for more details.

However, you might already have a different Microsoft C++ compiler installed. It should be possible to use any of the following with the considerations listed:

CMake Generator: Visual Studio 12

CMake Generator: Visual Studio 10

CMake Generator: Visual Studio 10

You can use Chocolatey to install Visual Studio, e.g:

PS:\> choco install VisualStudioCommunity2013

The following table gives an overview of the possible Microsoft toolchain variants and their specific C compiler versions ordered by release date.

After correct installation of the toolchain, typing at the Visual Studio Command line prompt (cmd.exe):

> cl

should result in something like:

Microsoft (R) C/{cpp} Optimizing Compiler Version 18.00.31101 for x86
Copyright (C) Microsoft Corporation.  All rights reserved.

usage: cl [ option... ] filename... [ /link linkoption...

However, the version string may vary.

Documentation on the compiler can be found at Microsoft MSDN

After correct installation, typing at the Visual Studio Command line prompt (cmd.exe):

> link

should result in something like:

Microsoft (R) Incremental Linker Version 12.00.31101.0
Copyright (C) Microsoft Corporation.  All rights reserved.

 usage: LINK [options] [files] [@commandfile]
 ...

However, the version string may vary.

Documentation on the linker can be found at Microsoft MSDN

Please note: The following is not legal advice - ask your preferred lawyer instead. It’s the authors view and this view might be wrong.

Depending on the Microsoft compiler version you use, some binary files coming from Microsoft might be required to be installed on Windows machine to run Wireshark. On a developer machine, the compiler setup installs these files so they are available - but they might not be available on a user machine!

This is especially true for the C runtime DLL (msvcr*.dll), which contains the implementation of ANSI and alike functions, e.g.: fopen(), malloc(). The DLL is named like: msvcrversion.dll, an abbreviation for "Microsoft Visual C Runtime". For Wireshark to work, this DLL must be available on the users machine.

Starting with MSVC7, it is necessary to ship the C runtime DLL (msvcrversion.dll) together with the application installer somehow, as that DLL is possibly not available on the target system.

	Make sure you’re allowed to distribute this file
	The files to redistribute must be mentioned in the redist.txt file of the compiler package. Otherwise it can’t be legally redistributed by third parties like us.

The following MSDN link is recommended for the interested reader:

In all cases where vcredist_x86.exe or vcredist_x64.exe is downloaded it should be downloaded to the directory into which the support libraries for Wireshark have been downloaded and installed. This directory is specified by the WIRESHARK_BASE_DIR or WIRESHARK_LIB_DIR environment variables. It need not, and should not, be run after being downloaded.

The Windows Platform SDK (PSDK) or Windows SDK is a free (as in beer) download and contains platform specific headers and libraries (e.g. windows.h, WSock32.lib, etc.). As new Windows features evolve in time, updated SDK’s become available that include new and updated APIs.

When you purchase a commercial Visual Studio or use the Community Edition, it will include an SDK. The free Express (as in beer) downloadable C compiler versions (VC++ 2012 Express, VC++ 2012 Express, etc.) do not contain an SDK — you’ll need to download a PSDK in order to have the required C header files and libraries.

Older versions of the SDK should also work. However, the command to set the environment settings will be different, try search for SetEnv.* in the SDK directory.

Asciidoctor[https://asciidoctor.org/] comes in several flavors: a Ruby gem (Asciidoctor), a Java bundle (AsciidoctorJ), and transpiled JavaScript (Asciidoctor.js). Only the Asciidoctor and AsciidoctorJ flavors are supported for building the Wireshark documentation and AsciidoctorJ is recommended.

The guides and release notes were originally written in DocBook (hence the directory name). They were later converted to AsciiDoc and then migrated to Asciidoctor. compat-mode[https://asciidoctor.org/docs/migration/] is currently enabled for the guides, but we are steadily migrating to Asciidoctor’s modern (>= 1.5.0) syntax.

PDF output requires Asciidoctor PDF. It is included with AsciidoctorJ but not with Asciidoctor.

The single HTML, chunked HTML, and HTML Help guides are generated using DocBook XSL stylesheets. They in turn require an XSLT processor. We use xsltproc.

HTML Help is used to create the User’s and Developer’s Guide in .chm format. The User’s Guide .chm file is included with the NSIS and WiX installers and is used as Wireshark’s built-in help on Windows.

This compiler is used to generate a .chm file from a bunch of HTML files — in our case to generate the User’s and Developer’s Guide in .chm format.

The compiler is only available as the free (as in beer) "HTML Help Workshop" download. If you want to compile the guides yourself, you need to download and install this. If you don’t install it into the default directory, you may also have a look at the HHC_DIR setting in the file docbook/Makefile.

The files htmlhelp.c and htmlhelp.lib are required to be able to open .chm files from Wireshark and show the online help. Both files are part of the SDK (standalone (P)SDK or MSVC since 2002).

Using a good debugger can save you a lot of development time.

The debugger you use must match the C compiler Wireshark was compiled with, otherwise the debugger will simply fail or you will only see a lot of garbage.

4.7.4.1. Visual Studio integrated debugger

You can use the integrated debugger of Visual Studio if your toolchain includes it. Open the solution in your build directory and build and debug as normal with a Visual Studio solution.

To set the correct paths for Visual Studio when running Wireshark under the debugger, add the build output directory to the path before opening Visual Studio from the same command prompt, e.g.

C:\Development\wsbuild32>set PATH="%PATH%;C:\Development\wsbuild32\run\RelwithDebInfo"
C:\Development\wsbuild32>wireshark.sln

for PowerShell use

PS C:\Development\wsbuild32>$env:PATH += ";$(Convert-Path run\RelWithDebInfo)"
PS C:\Development\wsbuild32>wireshark.sln

When Visual Studio has finished loading the solution, set the executable to be run in the debugger, e.g. Executables\Wireshark, by right clicking it in the Solution Explorer window and selecting "Set as StartUp Project". Also set the Solution Configuration (usually RelWithDebInfo) from the droplist on the toolbar.

	Note
	Currently Visual Studio regards a command line build as incomplete, so will report that some items need to be built when starting the debugger. These can either be rebuilt or ignored as you wish.

The normal build is an optimised release version so debugging can be a bit difficult as variables are optimised out into registers and the execution order of statements can jump around.

If you require a non-optimised version, then build using a debug configuration.

PS:\> choco install windbg

Bash (the GNU Bourne-Again SHell) is available for most UNIX and UNIX-like platforms. If it isn’t already installed or available as a package for your platform, you can get it at http://www.gnu.org/software/bash/bash.html.

After correct installation, typing at the bash command line prompt:

$ bash --version

should result in something like:

GNU bash, version 4.4.12(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2016 Free Software Foundation, Inc.

Your version string will likely vary.

Perl is available for most UNIX and UNIX-like platforms. If perl isn’t already installed or available as a package for your platform, you can get it at http://www.perl.com/.

After correct installation, typing at the bash command line prompt:

$ perl --version

should result in something like:

This is perl 5, version 26, subversion 0 (v5.26.0) built for x86_64-linux-gnu-thread-multi
(with 62 registered patches, see perl -V for more detail)

Copyright 1987-2017, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl".  If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.

However, the version string may vary.

A native Windows Perl package can be obtained from Active State or Strawberry Perl. The installation should be straightforward.

You may also use Chocolatey to install either package:

PS:\> choco install ActivePerl

or

PS:\> choco install StrawberryPerl

After correct installation, typing at the command line prompt (cmd.exe):

> perl -v

should result in something like:

This is perl, v5.8.0 built for MSWin32-x86-multi-thread
(with 1 registered patch, see perl -V for more detail)

Copyright 1987-2002, Larry Wall

Binary build 805 provided by ActiveState Corp. http://www.ActiveState.com
Built 18:08:02 Feb  4 2003
...

However, the version string may vary.

Bison is available for most UNIX and UNIX-like platforms. See the next section for native Windows options.

If GNU Bison isn’t already installed or available as a package for your platform you can get it at: http://www.gnu.org/software/bison/bison.html.

After correct installation running the following

$ bison --version

should result in something like:

bison (GNU Bison) 2.3
Written by Robert Corbett and Richard Stallman.

Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Your version string may vary.

A native Windows version of bison is available in the winflexbison Chocolatey package. Note that the executable is named win_bison.

Native packages are available from other sources such as GnuWin and Cygwin. They aren’t officially supported but should work.

Flex is available for most UNIX and UNIX-like platforms. See the next section for native Windows options.

If GNU flex isn’t already installed or available as a package for your platform you can get it at http://www.gnu.org/software/flex/.

After correct installation running the following

$ flex --version

should result in something like:

flex version 2.5.4

Your version string may vary.

A native Windows version of flex is available in the winflexbison Chocolatey package. Note that the executable is named win_flex.

PS:\>choco install winflexbison

Native packages are available from other sources such as GnuWin. They aren’t officially supported but should work.

Git is available for most UNIX and UNIX-like platforms. If Git isn’t already installed or available as a package for your platform, you can get it at: http://git-scm.com/.

After correct installation, typing at the bash command line prompt:

$ git --version

should result in something like:

git version 2.14.1

Your version will likely be different.

The Git command line tools for Windows can be found at http://git-scm.com/download/win and can also be installed using Chocolatey:

PS:\> choco install git

After correct installation, typing at the command line prompt (cmd.exe):

> git --version

should result in something like:

git version 2.16.1.windows.1

However, the version string may vary.

Patch is available for most UNIX and UNIX-like platforms. If GNU patch isn’t already installed or available as a package for your platform, you can get it at http://www.gnu.org/software/patch/patch.html.

After correct installation, typing at the bash command line prompt:

$ patch --version

should result in something like:

patch 2.5.8
Copyright (C) 1988 Larry Wall
Copyright (C) 2002 Free Software Foundation, Inc.

This program comes with NO WARRANTY, to the extent permitted by law.
You may redistribute copies of this program
under the terms of the GNU General Public License.
For more information about these matters, see the file named COPYING.

written by Larry Wall and Paul Eggert

However, the version string may vary.

The Windows native Git tools provide patch. A native Windows patch package can be obtained from http://gnuwin32.sourceforge.net/. The installation should be straightforward.

If you have installed unix binary libraries on your system, they will match the C compiler. If not already installed, the libraries should be available as a package from the platform installer, or you can download and compile the source and then install the binaries.

Most of the Win32 binary libraries you will find on the web are in this format. You will recognize MSVC libraries by the .lib/.dll file extension.

Most Linux distributions provide Qt and its development libraries as standard packages. The required libraries and tools will likely be split across several packages. For example, building on Ubuntu requires qttools5-dev, qttools5-dev-tools, libqt5svg5-dev, qtmultimedia5-dev, and possibly others.

The Qt Project provides an installation tool for macOS, similar to Windows. It is available at https://www.qt.io/download-open-source/#section-2.

Qt5 must be installed manually from the Qt installers page https://www.qt.io/download-open-source/#section-2 using the version of Qt appropriate for your compiler. Note that separate installations (into different directories) of Qt are required for 32 bit and 64 bit builds. The environment variable QT5_BASE_DIR should be set as appropriate for your environment and should point to the Qt directory that contains the bin directory, e.g. C:\Qt\5.9.5\msvc2017_64.

The GLib library is available for most Linux distributions and UNIX flavors. If it isn’t already installed and isn’t available as a package for your platform, you can get it at http://www.gtk.org/download.html.

You can get the latest version at http://www.gtk.org/download.html.

If this library isn’t already installed or available as a package for your platform, you can get it at http://www.ibr.cs.tu-bs.de/projects/libsmi/.

Wireshark uses the source libSMI distribution at http://www.ibr.cs.tu-bs.de/projects/libsmi/. LibSMI is cross-compiled using MinGW32. It’s stored in the libsmi zip archive at https://anonsvn.wireshark.org/wireshark-win32-libs/trunk/packages/.

If this library isn’t already installed or available as a package for your platform, you can get it at http://c-ares.haxx.se/.

C-Ares is cross-compiled using MinGW32 and is available at https://anonsvn.wireshark.org/wireshark-win32-libs/trunk/packages/.

This library is almost certain to be installed on your system. If it isn’t or you don’t want to use the default library you can download it from http://www.zlib.net/.

The zlib sources are downloaded from https://anonsvn.wireshark.org/wireshark-win32-libs/trunk/packages/ and compiled locally.

If this library isn’t already installed or available as a package for your platform, you can get it at http://www.tcpdump.org/.

You can get the “Windows packet capture library” at: https://www.winpcap.org/install/

If this library isn’t already installed or available as a package for your platform, you can get it at https://www.gnu.org/software/gnutls/download.html.

We provide a package cross-compiled using MinGW32 at https://anonsvn.wireshark.org/wireshark-win32-libs/trunk/packages/.

If this library isn’t already installed or available as a package for your platform, you can get it at https://directory.fsf.org/wiki/Libgcrypt.

Part of our GnuTLS package.

If this library isn’t already installed or available as a package for your platform, you can get it at http://web.mit.edu/Kerberos/dist/.

We provide a package at https://anonsvn.wireshark.org/wireshark-win32-libs/trunk/packages/.

If this library isn’t already installed or available as a package for your platform, you can get it at http://www.lua.org/download.html.

We provide a copy of the official package at https://anonsvn.wireshark.org/wireshark-win32-libs/trunk/packages/.

We provide a copy of the WinSparkle package at https://anonsvn.wireshark.org/wireshark-win32-libs/trunk/packages/.

The first decision you need to make is if this dissector will be a built-in dissector, included in the main program, or a plugin.

Plugins are the easiest to write initially, so let’s start with that. With a little care, the plugin can be made to run as a built-in easily too so we haven’t lost anything.

#include "config.h"

#include <epan/packet.h>

#define FOO_PORT 1234

static int proto_foo = -1;


void
proto_register_foo(void)
{
    proto_foo = proto_register_protocol (
        "FOO Protocol", /* name       */
        "FOO",      /* short name */
        "foo"       /* abbrev     */
        );
}

Let’s go through this a bit at a time. First we have some boilerplate include files. These will be pretty constant to start with.

Next we have an int that is initialised to -1 that records our protocol. This will get updated when we register this dissector with the main program. It’s good practice to make all variables and functions that aren’t exported static to keep name space pollution down. Normally this isn’t a problem unless your dissector gets so big it has to span multiple files.

Then a #define for the UDP port that carries foo traffic.

Now that we have the basics in place to interact with the main program, we’ll start with two protocol dissector setup functions.

First we’ll call proto_register_protocol() which registers the protocol. We can give it three names that will be used for display in various places. The full and short name are used in e.g. the "Preferences" and "Enabled protocols" dialogs as well as the generated field name list in the documentation. The abbreviation is used as the display filter name.

Next we need a handoff routine.

void
proto_reg_handoff_foo(void)
{
    static dissector_handle_t foo_handle;

    foo_handle = create_dissector_handle(dissect_foo, proto_foo);
    dissector_add_uint("udp.port", FOO_PORT, foo_handle);
}

What’s happening here? We are initialising the dissector. First we create a dissector handle; It is associated with the foo protocol and with a routine to be called to do the actual dissecting. Then we associate the handle with a UDP port number so that the main program will know to call us when it gets UDP traffic on that port.

The standard Wireshark dissector convention is to put proto_register_foo() and proto_reg_handoff_foo() as the last two functions in the dissector source.

Now at last we get to write some dissecting code. For the moment we’ll leave it as a basic placeholder.

static int
dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *data _U_)
{
    col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO");
    /* Clear out stuff in the info column */
    col_clear(pinfo->cinfo,COL_INFO);

    return tvb_captured_length(tvb);
}

This function is called to dissect the packets presented to it. The packet data is held in a special buffer referenced here as tvb. We shall become fairly familiar with this as we get deeper into the details of the protocol. The packet info structure contains general data about the protocol, and we can update information here. The tree parameter is where the detail dissection takes place.

For now we’ll do the minimum we can get away with. In the first line we set the text of this to our protocol, so everyone can see it’s being recognised. The only other thing we do is to clear out any data in the INFO column if it’s being displayed.

At this point we should have a basic dissector ready to compile and install. It doesn’t do much at present, other than identify the protocol and label it.

In order to compile this dissector and create a plugin a couple of support files are required, besides the dissector source in packet-foo.c:

You can find a good example for these files in the gryphon plugin directory. CMakeLists.txt has to be modified with the correct plugin name and version info, along with the relevant files to compile. In the main top-level source directory, copy CMakeListsCustom.txt.example to CMakeListsCustom.txt and add the path of your plugin to the list in CUSTOM_PLUGIN_SRC_DIR.

Compile the dissector to a DLL or shared library and either run Wireshark from the build directory as detailed in Section 3.6, “Run generated Wireshark” or copy the plugin binary into the plugin directory of your Wireshark installation and run that.

Now that we have our basic dissector up and running, let’s do something with it. The simplest thing to do to start with is to just label the payload. This will allow us to set up some of the parts we will need.

The first thing we will do is to build a subtree to decode our results into. This helps to keep things looking nice in the detailed display.

static int
dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{

    col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO");
    /* Clear out stuff in the info column */
    col_clear(pinfo->cinfo,COL_INFO);

    proto_item *ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA);

    return tvb_captured_length(tvb);
}

What we’re doing here is adding a subtree to the dissection. This subtree will hold all the details of this protocol and so not clutter up the display when not required.

We are also marking the area of data that is being consumed by this protocol. In our case it’s all that has been passed to us, as we’re assuming this protocol does not encapsulate another. Therefore, we add the new tree node with proto_tree_add_item(), adding it to the passed in tree, label it with the protocol, use the passed in tvb buffer as the data, and consume from 0 to the end (-1) of this data. ENC_NA ("not applicable") is specified as the "encoding" parameter.

After this change, there should be a label in the detailed display for the protocol, and selecting this will highlight the remaining contents of the packet.

Now let’s go to the next step and add some protocol dissection. For this step we’ll need to construct a couple of tables that help with dissection. This needs some additions to the proto_register_foo() function shown previously.

Two statically allocated arrays are added at the beginning of proto_register_foo(). The arrays are then registered after the call to proto_register_protocol().

void
proto_register_foo(void)
{
    static hf_register_info hf[] = {
        { &hf_foo_pdu_type,
            { "FOO PDU Type", "foo.type",
            FT_UINT8, BASE_DEC,
            NULL, 0x0,
            NULL, HFILL }
        }
    };

    /* Setup protocol subtree array */
    static gint *ett[] = {
        &ett_foo
    };

    proto_foo = proto_register_protocol (
        "FOO Protocol", /* name       */
        "FOO",      /* short name */
        "foo"       /* abbrev     */
        );

    proto_register_field_array(proto_foo, hf, array_length(hf));
    proto_register_subtree_array(ett, array_length(ett));
}

The variables hf_foo_pdu_type and ett_foo also need to be declared somewhere near the top of the file.

static int hf_foo_pdu_type = -1;

static gint ett_foo = -1;

Now we can enhance the protocol display with some detail.

    proto_item *ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA);
    proto_tree *foo_tree = proto_item_add_subtree(ti, ett_foo);
    proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, 0, 1, ENC_BIG_ENDIAN);

Now the dissection is starting to look more interesting. We have picked apart our first bit of the protocol. One byte of data at the start of the packet that defines the packet type for foo protocol.

The proto_item_add_subtree() call has added a child node to the protocol tree which is where we will do our detail dissection. The expansion of this node is controlled by the ett_foo variable. This remembers if the node should be expanded or not as you move between packets. All subsequent dissection will be added to this tree, as you can see from the next call. A call to proto_tree_add_item() in the foo_tree, this time using the hf_foo_pdu_type to control the formatting of the item. The pdu type is one byte of data, starting at 0. We assume it is in network order (also called big endian), so that is why we use ENC_BIG_ENDIAN. For a 1-byte quantity, there is no order issue, but it is good practice to make this the same as any multibyte fields that may be present, and as we will see in the next section, this particular protocol uses network order.

If we look in detail at the hf_foo_pdu_type declaration in the static array we can see the details of the definition.

We’ll ignore the rest of the structure for now.

If you install this plugin and try it out, you’ll see something that begins to look useful.

Now let’s finish off dissecting the simple protocol. We need to add a few more variables to the hfarray, and a couple more procedure calls.

...
static int hf_foo_flags = -1;
static int hf_foo_sequenceno = -1;
static int hf_foo_initialip = -1;
...

static int
dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
    gint offset = 0;

    ...
    proto_item *ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA);
    proto_tree *foo_tree = proto_item_add_subtree(ti, ett_foo);
    proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, offset, 1, ENC_BIG_ENDIAN);
    offset += 1;
    proto_tree_add_item(foo_tree, hf_foo_flags, tvb, offset, 1, ENC_BIG_ENDIAN);
    offset += 1;
    proto_tree_add_item(foo_tree, hf_foo_sequenceno, tvb, offset, 2, ENC_BIG_ENDIAN);
    offset += 2;
    proto_tree_add_item(foo_tree, hf_foo_initialip, tvb, offset, 4, ENC_BIG_ENDIAN);
    offset += 4;
    ...

    return tvb_captured_length(tvb);
}

void
proto_register_foo(void) {
    ...
        ...
        { &hf_foo_flags,
            { "FOO PDU Flags", "foo.flags",
            FT_UINT8, BASE_HEX,
            NULL, 0x0,
            NULL, HFILL }
        },
        { &hf_foo_sequenceno,
            { "FOO PDU Sequence Number", "foo.seqn",
            FT_UINT16, BASE_DEC,
            NULL, 0x0,
            NULL, HFILL }
        },
        { &hf_foo_initialip,
            { "FOO PDU Initial IP", "foo.initialip",
            FT_IPv4, BASE_NONE,
            NULL, 0x0,
            NULL, HFILL }
        },
        ...
    ...
}
...

This dissects all the bits of this simple hypothetical protocol. We’ve introduced a new variable offsetinto the mix to help keep track of where we are in the packet dissection. With these extra bits in place, the whole protocol is now dissected.

We can certainly improve the display of the protocol with a bit of extra data. The first step is to add some text labels. Let’s start by labeling the packet types. There is some useful support for this sort of thing by adding a couple of extra things. First we add a simple table of type to name.

static const value_string packettypenames[] = {
    { 1, "Initialise" },
    { 2, "Terminate" },
    { 3, "Data" },
    { 0, NULL }
};

This is a handy data structure that can be used to look up a name for a value. There are routines to directly access this lookup table, but we don’t need to do that, as the support code already has that added in. We just have to give these details to the appropriate part of the data, using the VALS macro.

   { &hf_foo_pdu_type,
        { "FOO PDU Type", "foo.type",
        FT_UINT8, BASE_DEC,
        VALS(packettypenames), 0x0,
        NULL, HFILL }
    }

This helps in deciphering the packets, and we can do a similar thing for the flags structure. For this we need to add some more data to the table though.

#define FOO_START_FLAG 0x01
#define FOO_END_FLAG        0x02
#define FOO_PRIORITY_FLAG   0x04

static int hf_foo_startflag = -1;
static int hf_foo_endflag = -1;
static int hf_foo_priorityflag = -1;

static int
dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
    ...
        ...
        proto_tree_add_item(foo_tree, hf_foo_flags, tvb, offset, 1, ENC_BIG_ENDIAN);
        proto_tree_add_item(foo_tree, hf_foo_startflag, tvb, offset, 1, ENC_BIG_ENDIAN);
        proto_tree_add_item(foo_tree, hf_foo_endflag, tvb, offset, 1, ENC_BIG_ENDIAN);
        proto_tree_add_item(foo_tree, hf_foo_priorityflag, tvb, offset, 1, ENC_BIG_ENDIAN);
        offset += 1;
        ...
    ...
    return tvb_captured_length(tvb);
}

void
proto_register_foo(void) {
    ...
        ...
        { &hf_foo_startflag,
            { "FOO PDU Start Flags", "foo.flags.start",
            FT_BOOLEAN, 8,
            NULL, FOO_START_FLAG,
            NULL, HFILL }
        },
        { &hf_foo_endflag,
            { "FOO PDU End Flags", "foo.flags.end",
            FT_BOOLEAN, 8,
            NULL, FOO_END_FLAG,
            NULL, HFILL }
        },
        { &hf_foo_priorityflag,
            { "FOO PDU Priority Flags", "foo.flags.priority",
            FT_BOOLEAN, 8,
            NULL, FOO_PRIORITY_FLAG,
            NULL, HFILL }
        },
        ...
    ...
}
...

Some things to note here. For the flags, as each bit is a different flag, we use the type FT_BOOLEAN, as the flag is either on or off. Second, we include the flag mask in the 7th field of the data, which allows the system to mask the relevant bit. We’ve also changed the 5th field to 8, to indicate that we are looking at an 8 bit quantity when the flags are extracted. Then finally we add the extra constructs to the dissection routine. Note we keep the same offset for each of the flags.

This is starting to look fairly full featured now, but there are a couple of other things we can do to make things look even more pretty. At the moment our dissection shows the packets as "Foo Protocol" which whilst correct is a little uninformative. We can enhance this by adding a little more detail. First, let’s get hold of the actual value of the protocol type. We can use the handy function tvb_get_guint8() to do this. With this value in hand, there are a couple of things we can do. First we can set the INFO column of the non-detailed view to show what sort of PDU it is - which is extremely helpful when looking at protocol traces. Second, we can also display this information in the dissection window.

static int
dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
    gint offset = 0;
    guint8 packet_type = tvb_get_guint8(tvb, 0);

    col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO");
    /* Clear out stuff in the info column */
    col_clear(pinfo->cinfo,COL_INFO);
    col_add_fstr(pinfo->cinfo, COL_INFO, "Type %s",
             val_to_str(packet_type, packettypenames, "Unknown (0x%02x)"));

    proto_item *ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA);
    proto_item_append_text(ti, ", Type %s",
        val_to_str(packet_type, packettypenames, "Unknown (0x%02x)"));
    proto_tree *foo_tree = proto_item_add_subtree(ti, ett_foo);
    proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, offset, 1, ENC_BIG_ENDIAN);
    offset += 1;

    return tvb_captured_length(tvb);
}

So here, after grabbing the value of the first 8 bits, we use it with one of the built-in utility routines val_to_str(), to lookup the value. If the value isn’t found we provide a fallback which just prints the value in hex. We use this twice, once in the INFO field of the columns — if it’s displayed, and similarly we append this data to the base of our dissecting tree.

As an example, let’s examine a protocol that is layered on top of UDP that splits up its own data stream. If a packet is bigger than some given size, it will be split into chunks, and somehow signaled within its protocol.

To deal with such streams, we need several things to trigger from. We need to know that this packet is part of a multi-packet sequence. We need to know how many packets are in the sequence. We also need to know when we have all the packets.

For this example we’ll assume there is a simple in-protocol signaling mechanism to give details. A flag byte that signals the presence of a multi-packet sequence and also the last packet, followed by an ID of the sequence and a packet sequence number.

msg_pkt ::= SEQUENCE {
    .....
    flags ::= SEQUENCE {
        fragment    BOOLEAN,
        last_fragment   BOOLEAN,
    .....
    }
    msg_id  INTEGER(0..65535),
    frag_id INTEGER(0..65535),
    .....
}

#include <epan/reassemble.h>
   ...
save_fragmented = pinfo->fragmented;
flags = tvb_get_guint8(tvb, offset); offset++;
if (flags & FL_FRAGMENT) { /* fragmented */
    tvbuff_t* new_tvb = NULL;
    fragment_data *frag_msg = NULL;
    guint16 msg_seqid = tvb_get_ntohs(tvb, offset); offset += 2;
    guint16 msg_num = tvb_get_ntohs(tvb, offset); offset += 2;

    pinfo->fragmented = TRUE;
    frag_msg = fragment_add_seq_check(msg_reassembly_table,
        tvb, offset, pinfo,
        msg_seqid, NULL, /* ID for fragments belonging together */
        msg_num, /* fragment sequence number */
        tvb_captured_length_remaining(tvb, offset), /* fragment length - to the end */
        flags & FL_FRAG_LAST); /* More fragments? */

We start by saving the fragmented state of this packet, so we can restore it later. Next comes some protocol specific stuff, to dig the fragment data out of the stream if it’s present. Having decided it is present, we let the function fragment_add_seq_check() do its work. We need to provide this with a certain amount of parameters:

    new_tvb = process_reassembled_data(tvb, offset, pinfo,
        "Reassembled Message", frag_msg, &msg_frag_items,
        NULL, msg_tree);

    if (frag_msg) { /* Reassembled */
        col_append_str(pinfo->cinfo, COL_INFO,
                " (Message Reassembled)");
    } else { /* Not last packet of reassembled Short Message */
        col_append_fstr(pinfo->cinfo, COL_INFO,
                " (Message fragment %u)", msg_num);
    }

    if (new_tvb) { /* take it all */
        next_tvb = new_tvb;
    } else { /* make a new subset */
        next_tvb = tvb_new_subset_remaining(tvb, offset);
    }
}
else { /* Not fragmented */
    next_tvb = tvb_new_subset_remaining(tvb, offset);
}

.....
pinfo->fragmented = save_fragmented;

Having passed the fragment data to the reassembly handler, we can now check if we have the whole message. If there is enough information, this routine will return the newly reassembled data buffer.

After that, we add a couple of informative messages to the display to show that this is part of a sequence. Then a bit of manipulation of the buffers and the dissection can proceed. Normally you will probably not bother dissecting further unless the fragments have been reassembled as there won’t be much to find. Sometimes the first packet in the sequence can be partially decoded though if you wish.

Now the mysterious data we passed into the fragment_add_seq_check().

static reassembly_table reassembly_table;

static void
proto_register_msg(void)
{
    reassembly_table_register(&msg_reassemble_table,
        &addresses_ports_reassembly_table_functions);
}

First a reassembly_table structure is declared and initialised in the protocol initialisation routine. The second parameter specifies the functions that should be used for identifying fragments. We will use addresses_ports_reassembly_table_functions in order to identify fragments by the given sequence number (msg_seqid), the source and destination addresses and ports from the packet.

Following that, a fragment_items structure is allocated and filled in with a series of ett items, hf data items, and a string tag. The ett and hf values should be included in the relevant tables like all the other variables your protocol may use. The hf variables need to be placed in the structure something like the following. Of course the names may need to be adjusted.

...
static int hf_msg_fragments = -1;
static int hf_msg_fragment = -1;
static int hf_msg_fragment_overlap = -1;
static int hf_msg_fragment_overlap_conflicts = -1;
static int hf_msg_fragment_multiple_tails = -1;
static int hf_msg_fragment_too_long_fragment = -1;
static int hf_msg_fragment_error = -1;
static int hf_msg_fragment_count = -1;
static int hf_msg_reassembled_in = -1;
static int hf_msg_reassembled_length = -1;
...
static gint ett_msg_fragment = -1;
static gint ett_msg_fragments = -1;
...
static const fragment_items msg_frag_items = {
    /* Fragment subtrees */
    &ett_msg_fragment,
    &ett_msg_fragments,
    /* Fragment fields */
    &hf_msg_fragments,
    &hf_msg_fragment,
    &hf_msg_fragment_overlap,
    &hf_msg_fragment_overlap_conflicts,
    &hf_msg_fragment_multiple_tails,
    &hf_msg_fragment_too_long_fragment,
    &hf_msg_fragment_error,
    &hf_msg_fragment_count,
    /* Reassembled in field */
    &hf_msg_reassembled_in,
    /* Reassembled length field */
    &hf_msg_reassembled_length,
    /* Tag */
    "Message fragments"
};
...
static hf_register_info hf[] =
{
...
{&hf_msg_fragments,
    {"Message fragments", "msg.fragments",
    FT_NONE, BASE_NONE, NULL, 0x00, NULL, HFILL } },
{&hf_msg_fragment,
    {"Message fragment", "msg.fragment",
    FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL } },
{&hf_msg_fragment_overlap,
    {"Message fragment overlap", "msg.fragment.overlap",
    FT_BOOLEAN, 0, NULL, 0x00, NULL, HFILL } },
{&hf_msg_fragment_overlap_conflicts,
    {"Message fragment overlapping with conflicting data",
    "msg.fragment.overlap.conflicts",
    FT_BOOLEAN, 0, NULL, 0x00, NULL, HFILL } },
{&hf_msg_fragment_multiple_tails,
    {"Message has multiple tail fragments",
    "msg.fragment.multiple_tails",
    FT_BOOLEAN, 0, NULL, 0x00, NULL, HFILL } },
{&hf_msg_fragment_too_long_fragment,
    {"Message fragment too long", "msg.fragment.too_long_fragment",
    FT_BOOLEAN, 0, NULL, 0x00, NULL, HFILL } },
{&hf_msg_fragment_error,
    {"Message defragmentation error", "msg.fragment.error",
    FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL } },
{&hf_msg_fragment_count,
    {"Message fragment count", "msg.fragment.count",
    FT_UINT32, BASE_DEC, NULL, 0x00, NULL, HFILL } },
{&hf_msg_reassembled_in,
    {"Reassembled in", "msg.reassembled.in",
    FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL } },
{&hf_msg_reassembled_length,
    {"Reassembled length", "msg.reassembled.length",
    FT_UINT32, BASE_DEC, NULL, 0x00, NULL, HFILL } },
...
static gint *ett[] =
{
...
&ett_msg_fragment,
&ett_msg_fragments
...

These hf variables are used internally within the reassembly routines to make useful links, and to add data to the dissection. It produces links from one packet to another, such as a partial packet having a link to the fully reassembled packet. Likewise there are back pointers to the individual packets from the reassembled one. The other variables are used for flagging up errors.

A dissector gets a tvbuff_t pointer which holds the payload of a TCP packet. This payload contains the header and data of your application layer protocol.

When dissecting an application layer protocol you cannot assume that each TCP packet contains exactly one application layer message. One application layer message can be split into several TCP packets.

You also cannot assume that a TCP packet contains only one application layer message and that the message header is at the start of your TCP payload. More than one messages can be transmitted in one TCP packet, so that a message can start at an arbitrary position.

This sounds complicated, but there is a simple solution. tcp_dissect_pdus() does all this tcp packet reassembling for you. This function is implemented in epan/dissectors/packet-tcp.h.

#include "config.h"

#include <epan/packet.h>
#include <epan/prefs.h>
#include "packet-tcp.h"

...

#define FRAME_HEADER_LEN 8

/* This method dissects fully reassembled messages */
static int
dissect_foo_message(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree _U_, void *data _U_)
{
    /* TODO: implement your dissecting code */
    return tvb_captured_length(tvb);
}

/* determine PDU length of protocol foo */
static guint
get_foo_message_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset, void *data _U_)
{
    /* TODO: change this to your needs */
    return (guint)tvb_get_ntohl(tvb, offset+4); /* e.g. length is at offset 4 */
}

/* The main dissecting routine */
static int
dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
{
    tcp_dissect_pdus(tvb, pinfo, tree, TRUE, FRAME_HEADER_LEN,
                     get_foo_message_len, dissect_foo_message, data);
    return tvb_captured_length(tvb);
}

...

As you can see this is really simple. Just call tcp_dissect_pdus() in your main dissection routine and move you message parsing code into another function. This function gets called whenever a message has been reassembled.

The parameters tvb, pinfo, tree and data are just handed over to tcp_dissect_pdus(). The 4th parameter is a flag to indicate if the data should be reassembled or not. This could be set according to a dissector preference as well. Parameter 5 indicates how much data has at least to be available to be able to determine the length of the foo message. Parameter 6 is a function pointer to a method that returns this length. It gets called when at least the number of bytes given in the previous parameter is available. Parameter 7 is a function pointer to your real message dissector. Parameter 8 is the data passed in from parent dissector.

Protocols which need more data before the message length can be determined can return zero. Other values smaller than the fixed length will result in an exception.

As you have probably guessed from the name, idl2wrs takes a user specified IDL file and attempts to build a dissector that can decode the IDL traffic over GIOP. The resulting file is “C” code, that should compile okay as a Wireshark dissector.

idl2wrs parses the data struct given to it by the omniidl compiler, and using the GIOP API available in packet-giop.[ch], generates get_CDR_xxx calls to decode the CORBA traffic on the wire.

It consists of 4 main files.

It is important to understand what CORBA traffic looks like over GIOP/IIOP, and to help build a tool that can assist in troubleshooting CORBA interworking. This was especially the case after seeing a lot of discussions about how particular IDL types are represented inside an octet stream.

I have also had comments/feedback that this tool would be good for say a CORBA class when teaching students what CORBA traffic looks like “on the wire”.

It is also COOL to work on a great Open Source project such as the case with “Wireshark” (https://www.wireshark.org/)

To use the idl2wrs to generate Wireshark dissectors, you need the following:

To use idl2wrs to generate an Wireshark dissector from an idl file use the following procedure:

For the next steps, go up to the top of your Wireshark source directory.

See the TODO list inside packet-giop.c

The -p ./ option passed to omniidl indicates that the wireshark_be.py and wireshark_gen.py are residing in the current directory. This may need tweaking if you place these files somewhere else.

If it complains about being unable to find some modules (e.g. tempfile.py), you may want to check if PYTHONPATH is set correctly. On my Linux box, it is PYTHONPATH=/usr/lib/python2.4/

A pseudoheader to be used to save captured frames.

A Field extractor to to obtain field values. A Field object can only be created outside of the callback functions of dissectors, post-dissectors, heuristic-dissectors, and taps.

Once created, it is used inside the callback functions, to generate a FieldInfo object.

11.2.1.2. Field.list()

Gets a Lua array table of all registered field filter names.

	Note
	This is an expensive operation, and should only be used for troubleshooting.

Since: 1.11.3

Returns

The array table of field filter names

An extracted Field from dissected packet data. A FieldInfo object can only be used within the callback functions of dissectors, post-dissectors, heuristic-dissectors, and taps.

A FieldInfo can be called on either existing Wireshark fields by using either Field.new() or Field() before-hand, or it can be called on new fields created by Lua from a ProtoField.

Manages a progress bar dialog.

Manages a text window.