Wireshark Wireshark - 2.1 Developer’s Guide

Download

Wireshark Developer’s Guide

For Wireshark 2.1

Ulf Lamping <ulf.lamping[AT]web.de>

Luis E. Ontanon <luis[AT]ontanon.org>

Graham Bloice <graham.bloice[AT]trihedral.com>

Wireshark Developer’s Guide: For Wireshark 2.1

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.

All logos and trademarks in this document are property of their respective owners.

Preface ............................................................................................................................. ix

1. Foreword ............................................................................................................... ix

2. Who should read this document? ............................................................................... ix

3. Acknowledgements ................................................................................................. ix

4. About this document ............................................................................................... ix

5. Where to get the latest copy of this document? ............................................................. x

6. Providing feedback about this document ...................................................................... x

I. Wireshark Build Environment ............................................................................................ 1

1. Introduction ............................................................................................................ 2

1.1. Introduction .................................................................................................. 2

1.2. What is Wireshark? ....................................................................................... 2

1.3. Supported Platforms ...................................................................................... 2

1.3.1. Unix ................................................................................................. 2

1.3.2. Linux ................................................................................................ 2

1.3.3. Microsoft Windows ............................................................................ 3

1.4. Development and maintenance of Wireshark ...................................................... 3

1.4.1. Programming languages used ................................................................ 3

1.4.2. Open Source Software ......................................................................... 4

1.5. Releases and distributions ............................................................................... 4

1.5.1. Binary distributions ............................................................................. 4

1.5.2. Source code distributions ..................................................................... 5

1.6. Automated Builds (Buildbot) .......................................................................... 5

1.6.1. Advantages ........................................................................................ 5

1.6.2. What does the Buildbot do? ................................................................. 6

1.7. Reporting problems and getting help ................................................................ 6

1.7.1. Website ............................................................................................. 6

1.7.2. Wiki ................................................................................................. 6

1.7.3. FAQ ................................................................................................. 7

1.7.4. Other sources ..................................................................................... 7

1.7.5. Mailing Lists ..................................................................................... 7

1.7.6. Bug database (Bugzilla) ....................................................................... 8

1.7.7. Q&A Site .......................................................................................... 8

1.7.8. Reporting Problems ............................................................................ 8

1.7.9. Reporting Crashes on UNIX/Linux platforms ........................................... 9

1.7.10. Reporting Crashes on Windows platforms ............................................. 9

2. Quick Setup .......................................................................................................... 10

2.1. UNIX: Installation ....................................................................................... 10

2.2. Win32/64: Step-by-Step Guide ...................................................................... 10

2.2.1. Install PowerShell ............................................................................. 10

2.2.2. Optional: Install Chocolatey ................................................................ 10

2.2.3. Install Microsoft C compiler and SDK .................................................. 10

2.2.4. Install Qt ......................................................................................... 11

2.2.5. Install Cygwin .................................................................................. 12

2.2.6. Install Python ................................................................................... 12

2.2.7. Install Git ........................................................................................ 13

2.3. Install CMake ............................................................................................. 13

2.3.1. Install and Prepare Sources ................................................................. 14

2.3.2. Open a Visual Studio Command Prompt ............................................... 14

2.3.3. Generate the build files ...................................................................... 15

2.3.4. Build Wireshark ............................................................................... 16

2.3.5. Debug Environment Setup .................................................................. 16

2.3.6. Optional: Create User’s and Developer’s Guide ...................................... 16

2.3.7. Optional: Create a Wireshark Installer .................................................. 16

3. Work with the Wireshark sources ............................................................................. 18

iii

Wireshark Developer’s Guide

3.1. Introduction ................................................................................................ 18

3.2. The Wireshark Git repository ........................................................................ 18

3.2.1. The web interface to the Git repository ................................................. 18

3.3. Obtain the Wireshark sources ........................................................................ 19

3.3.1. Git over SSH or HTTPS .................................................................... 19

3.3.2. Git web interface .............................................................................. 20

3.3.3. Buildbot Snapshots ............................................................................ 21

3.3.4. Released sources ............................................................................... 21

3.4. Update the Wireshark sources ........................................................................ 21

3.4.1. Update Using Git .............................................................................. 21

3.4.2. Update Using Source Archives ............................................................ 22

3.5. Build Wireshark .......................................................................................... 22

3.5.1. Building on Unix .............................................................................. 22

3.5.2. Win32 native ................................................................................... 23

3.6. Run generated Wireshark .............................................................................. 23

3.6.1. Unix/Linux ...................................................................................... 23

3.6.2. Win32 native ................................................................................... 23

3.7. Debug your generated Wireshark ................................................................... 23

3.7.1. Unix/Linux ...................................................................................... 23

3.7.2. Win32 native ................................................................................... 24

3.8. Make changes to the Wireshark sources .......................................................... 24

3.9. Contribute your changes ............................................................................... 24

3.9.1. Some tips for a good patch ................................................................. 25

3.9.2. Code Requirements ........................................................................... 25

3.9.3. Uploading your changes ..................................................................... 26

3.9.4. Backporting a change ........................................................................ 26

3.10. Apply a patch from someone else ................................................................. 27

3.10.1. Using patch .................................................................................... 27

3.11. Binary packaging ....................................................................................... 28

3.11.1. Debian: .deb packages ...................................................................... 28

3.11.2. Red Hat: .rpm packages .................................................................... 28

3.11.3. OS X: .dmg packages ....................................................................... 29

3.11.4. Win32: NSIS .exe installer ................................................................ 29

3.11.5. Win32: PortableApps .paf.exe package ................................................ 29

4. Tool Reference ...................................................................................................... 31

4.1. Introduction ................................................................................................ 31

4.2. Windows PowerShell ................................................................................... 31

4.3. Chocolatey ................................................................................................. 31

4.4. Windows: Cygwin ....................................................................................... 32

4.4.1. Installing Cygwin using the Cygwin installer ......................................... 32

4.4.2. Add/Update/Remove Cygwin Packages ................................................. 32

4.4.3. Installing Cygwin using Chocolatey ..................................................... 33

4.5. GNU compiler toolchain (UNIX only) ............................................................ 33

4.5.1. gcc (GNU compiler collection) ............................................................ 33

4.5.2. gdb (GNU project debugger) ............................................................... 33

4.5.3. ddd (GNU Data Display Debugger) ...................................................... 34

4.5.4. make (GNU Make) ........................................................................... 34

4.6. Microsoft compiler toolchain (Windows native) ................................................ 34

4.6.1. Toolchain Package Alternatives ........................................................... 35

4.6.2. cl.exe (C Compiler) ........................................................................... 36

4.6.3. link.exe (Linker) ............................................................................... 36

4.6.4. C-Runtime "Redistributable" Files ....................................................... 36

4.6.5. Windows (Platform) SDK .................................................................. 37

4.6.6. HTML Help ..................................................................................... 38

Wireshark Developer’s Guide

4.6.7. Debugger ......................................................................................... 38

4.7. bash .......................................................................................................... 39

4.7.1. UNIX and Cygwin: GNU bash ............................................................ 39

4.7.2. Windows native: ............................................................................... 39

4.8. Python ....................................................................................................... 39

4.9. Perl ........................................................................................................... 40

4.9.1. UNIX and Cygwin: Perl ..................................................................... 40

4.10. sed .......................................................................................................... 40

4.10.1. UNIX and Cygwin: sed .................................................................... 40

4.10.2. Windows native: sed ........................................................................ 41

4.11. Bison ....................................................................................................... 41

4.11.1. UNIX or Cygwin: bison ................................................................... 41

4.11.2. Windows Native: Win flex-bison and bison .......................................... 41

4.12. Flex ......................................................................................................... 42

4.12.1. UNIX or Cygwin: flex ..................................................................... 42

4.12.2. Windows Native: Win flex-bison and flex ............................................ 42

4.13. Git client .................................................................................................. 42

4.13.1. UNIX or Cygwin: git ....................................................................... 42

4.13.2. Windows native: git ......................................................................... 43

4.14. Git Powershell Extensions (optional) ............................................................. 43

4.15. Git GUI client (optional) ............................................................................. 43

4.16. patch (optional) ......................................................................................... 43

4.16.1. UNIX and Cygwin: patch ................................................................. 43

4.16.2. Windows native: patch ..................................................................... 44

4.17. Windows: NSIS (optional) .......................................................................... 44

4.18. Windows: PortableApps (optional) ................................................................ 44

5. Library Reference .................................................................................................. 45

5.1. Introduction ................................................................................................ 45

5.2. Binary library formats .................................................................................. 45

5.2.1. Unix ............................................................................................... 45

5.2.2. Win32: MSVC ................................................................................. 45

5.2.3. Win32: cygwin gcc ........................................................................... 45

5.3. Win32: Automated library download .............................................................. 45

5.4. Qt ............................................................................................................. 46

5.4.1. Unix ............................................................................................... 46

5.4.2. Win32 MSVC .................................................................................. 46

5.5. GTK+ / GLib / GDK / Pango / ATK / GNU gettext / GNU libiconv ...................... 46

5.5.1. Unix ............................................................................................... 46

5.5.2. Win32 MSVC .................................................................................. 46

5.6. SMI (optional) ............................................................................................ 46

5.6.1. Unix ............................................................................................... 47

5.6.2. Win32 MSVC .................................................................................. 47

5.7. c-ares (optional) .......................................................................................... 47

5.7.1. Unix ............................................................................................... 47

5.7.2. Win32 MSVC .................................................................................. 47

5.8. zlib (optional) ............................................................................................. 47

5.8.1. Unix ............................................................................................... 47

5.8.2. Win32 MSVC .................................................................................. 47

5.9. libpcap/WinPcap (optional) ........................................................................... 47

5.9.1. Unix: libpcap ................................................................................... 47

5.9.2. Win32 MSVC: WinPcap .................................................................... 48

5.10. GnuTLS (optional) ..................................................................................... 48

5.10.1. Unix ............................................................................................. 48

5.10.2. Win32 MSVC ................................................................................. 48

Wireshark Developer’s Guide

5.11. Gcrypt (optional) ....................................................................................... 48

5.11.1. Unix ............................................................................................. 48

5.11.2. Win32 MSVC ................................................................................. 48

5.12. Kerberos (optional) .................................................................................... 48

5.12.1. Unix ............................................................................................. 48

5.12.2. Win32 MSVC ................................................................................. 48

5.13. LUA (optional) .......................................................................................... 48

5.13.1. Unix ............................................................................................. 49

5.13.2. Win32 MSVC ................................................................................. 49

5.14. PortAudio (optional) ................................................................................... 49

5.14.1. Unix ............................................................................................. 49

5.14.2. Win32 MSVC ................................................................................. 49

5.15. GeoIP (optional) ........................................................................................ 49

5.15.1. Unix ............................................................................................. 49

5.15.2. Win32 MSVC ................................................................................. 49

5.16. WinSparkle (optional) ................................................................................. 49

5.16.1. Win32 MSVC ................................................................................. 49

II. Wireshark Development ................................................................................................. 50

6. How Wireshark Works ........................................................................................... 51

6.1. Introduction ................................................................................................ 51

6.2. Overview ................................................................................................... 51

6.3. Capturing packets ........................................................................................ 52

6.4. Capture Files .............................................................................................. 52

6.5. Dissect packets ........................................................................................... 52

7. Introduction .......................................................................................................... 53

7.1. Source overview .......................................................................................... 53

7.2. Coding Style .............................................................................................. 53

7.3. The GLib library ......................................................................................... 53

8. Packet capturing .................................................................................................... 54

8.1. How to add a new capture type to libpcap ....................................................... 54

9. Packet dissection ................................................................................................... 55

9.1. How it works .............................................................................................. 55

9.2. Adding a basic dissector ............................................................................... 55

9.2.1. Setting up the dissector ...................................................................... 55

9.2.2. Dissecting the details of the protocol .................................................... 57

9.2.3. Improving the dissection information .................................................... 60

9.3. How to handle transformed data ..................................................................... 62

9.4. How to reassemble split packets ..................................................................... 63

9.4.1. How to reassemble split UDP packets ................................................... 64

9.4.2. How to reassemble split TCP Packets ................................................... 67

9.5. How to tap protocols ................................................................................... 68

9.6. How to produce protocol stats ....................................................................... 69

9.7. How to use conversations ............................................................................. 70

9.8. idl2wrs: Creating dissectors from CORBA IDL files .......................................... 70

9.8.1. What is it? ....................................................................................... 71

9.8.2. Why do this? ................................................................................... 71

9.8.3. How to use idl2wrs ........................................................................... 71

9.8.4. TODO ............................................................................................. 72

9.8.5. Limitations ...................................................................................... 73

9.8.6. Notes .............................................................................................. 73

10. Lua Support in Wireshark ...................................................................................... 74

10.1. Introduction .............................................................................................. 74

10.2. Example of Dissector written in Lua ............................................................. 74

10.3. Example of Listener written in Lua ............................................................... 75

Wireshark Developer’s Guide

11. Wireshark’s Lua API Reference Manual ................................................................... 77

11.1. Saving capture files .................................................................................... 77

11.1.1. Dumper ......................................................................................... 77

11.1.2. PseudoHeader ................................................................................. 78

11.2. Obtaining dissection data ............................................................................ 79

11.2.1. Field ............................................................................................. 79

11.2.2. FieldInfo ........................................................................................ 81

11.2.3. Global Functions ............................................................................. 84

11.3. GUI support .............................................................................................. 84

11.3.1. ProgDlg ......................................................................................... 84

11.3.2. TextWindow ................................................................................... 85

11.3.3. Global Functions ............................................................................. 88

11.4. Post-dissection packet analysis ..................................................................... 90

11.4.1. Listener ......................................................................................... 90

11.5. Obtaining packet information ....................................................................... 92

11.5.1. Address ......................................................................................... 92

11.5.2. Column ......................................................................................... 92

11.5.3. Columns ........................................................................................ 93

11.5.4. NSTime ......................................................................................... 94

11.5.5. Pinfo ............................................................................................. 95

11.5.6. PrivateTable ................................................................................... 99

11.6. Functions for new protocols and dissectors ..................................................... 99

11.6.1. Dissector ........................................................................................ 99

11.6.2. DissectorTable .............................................................................. 101

11.6.3. Pref ............................................................................................. 104

11.6.4. Prefs ............................................................................................ 105

11.6.5. Proto ........................................................................................... 106

11.6.6. ProtoExpert .................................................................................. 108

11.6.7. ProtoField .................................................................................... 109

11.6.8. Global Functions ........................................................................... 119

11.7. Adding information to the dissection tree ..................................................... 120

11.7.1. TreeItem ...................................................................................... 120

11.8. Functions for handling packet data .............................................................. 126

11.8.1. ByteArray .................................................................................... 126

11.8.2. Tvb ............................................................................................. 130

11.8.3. TvbRange ..................................................................................... 132

11.9. Custom file format reading/writing .............................................................. 138

11.9.1. CaptureInfo .................................................................................. 138

11.9.2. CaptureInfoConst ........................................................................... 140

11.9.3. File ............................................................................................. 142

11.9.4. FileHandler ................................................................................... 143

11.9.5. FrameInfo .................................................................................... 147

11.9.6. FrameInfoConst ............................................................................. 149

11.9.7. Global Functions ........................................................................... 151

11.10. Directory handling functions .................................................................... 151

11.10.1. Dir ............................................................................................ 151

11.11. Utility Functions .................................................................................... 154

11.11.1. Global Functions .......................................................................... 154

11.12. Handling 64-bit Integers .......................................................................... 157

11.12.1. Int64 .......................................................................................... 157

11.12.2. UInt64 ....................................................................................... 163

11.13. Binary encode/decode support .................................................................. 169

11.13.1. Struct ......................................................................................... 171

11.14. GLib Regular Expressions ........................................................................ 173

vii

Wireshark Developer’s Guide

11.14.1. GRegex ...................................................................................... 173

12. User Interface .................................................................................................... 181

12.1. Introduction ............................................................................................. 181

12.2. The Qt Application Framework .................................................................. 181

12.2.1. Source Code Overview ................................................................... 181

12.2.2. Coding Practices and Naming Conventions ......................................... 182

12.2.3. Other Issues .................................................................................. 183

12.3. The GTK library ...................................................................................... 183

12.3.1. GTK Version 2.x ........................................................................... 183

12.3.2. GTK Version 3.x ........................................................................... 184

12.3.3. Compatibility GTK versions ............................................................ 184

12.3.4. GTK resources on the web .............................................................. 184

12.4. GUI Reference documents ......................................................................... 184

12.5. Adding/Extending Dialogs ......................................................................... 185

12.6. Widget naming ........................................................................................ 185

12.7. Common GTK programming pitfalls ........................................................... 185

12.7.1. Usage of gtk_widget_show() / gtk_widget_show_all() .......................... 185

13. This Document’s License (GPL) ........................................................................... 186

viii

Preface

1. Foreword

This book tries to give you a guide to start your own experiments into the wonderful world of Wireshark development.

Developers who are new to Wireshark often have a hard time getting their development environment up and running. This is especially true for Win32 developers, as a lot of the tools and methods used when building Wireshark are much more common in the UNIX world than on Win32.

The first part of this book will describe how to set up the environment needed to develop Wireshark. The second part of this book will describe how to change the Wireshark source code. We hope that you find this book useful, and look forward to your comments.

2. Who should read this document?

The intended audience of this book is anyone going into the development of Wireshark. This book is not intended to explain the usage of Wireshark in general. Please refer the Wireshark User’s

Guide about Wireshark usage.

By reading this book, you will learn how to develop Wireshark. It will hopefully guide you around some common problems that frequently appear for new (and sometimes even advanced) developers of Wireshark.

3. Acknowledgements

The authors would like to thank the whole Wireshark team for their assistance. In particular, the authors would like to thank:

• Gerald Combs, for initiating the Wireshark project.

• Guy Harris, for many helpful hints and his effort in maintaining the various contributions on the mailing lists.

• Frank Singleton from whose README.idl2wrs Section 9.8, “idl2wrs: Creating dissectors from

CORBA IDL files” is derived.

The authors would also like to thank the following people for their helpful feedback on this document:

• XXX - Please give feedback :-)

And of course a big thank you to the many, many contributors of the Wireshark development community!

4. About this document

This book was developed by Ulf Lamping and updated for VS2013 by Graham Bloice It is written in AsciiDoc.

Preface

You will find some specially marked parts in this book:

This is a warning

You should pay attention to a warning, as otherwise data loss might occur.

This is a note

A note will point you to common mistakes and things that might not be obvious.

This is a tip

Tips will be helpful for your everyday work developing Wireshark.

5. Where to get the latest copy of this document?

The latest copy of this documentation can always be found at: https://www.wireshark.org/docs/ in A4 PDF, US letter PDF, single HTML, and chunked HTML.

6. Providing feedback about this document

Should you have any feedback about this document, please send it to the authors through wireshark-

dev[AT]wireshark.org.

Part I. Wireshark Build Environment

Wireshark Build Environment

The first part describes how to set up the tools, libraries and source needed to generate Wireshark and how to do some typical development tasks.

Chapter 1. Introduction

1.1. Introduction

This chapter will provide you with information about Wireshark development in general.

1.2. What is Wireshark?

Well, if you want to start Wireshark development, you might already know what Wireshark is doing. If not, please have a look at the Wireshark User’s Guide, which will provide a lot of general information about it.

1.3. Supported Platforms

Wireshark currently runs on most UNIX platforms and various Windows platforms. It requires Qt, GLib, libpcap and some other libraries in order to run.

As Wireshark is developed in a platform independent way and uses libraries (such as the Qt GUI library) which are available for many different platforms, it’s thus available on a wide variety of platforms.

If a binary package is not available for your platform, you should download the source and try to build it. Please report your experiences to wireshark-dev[AT]wireshark.org.

Binary packages are available for the following platforms along with many others:

1.3.1. Unix

• Apple OS X

• FreeBSD

• HP-UX

• IBM AIX

• NetBSD

• OpenBSD

• Oracle Solaris

1.3.2. Linux

• Debian GNU/Linux

• Ubuntu

• Gentoo Linux

• IBM S/390 Linux (Red Hat)

• Mandrake Linux

• PLD Linux

• Red Hat Linux

• Rock Linux

• Slackware Linux

• Suse Linux

1.3.3. Microsoft Windows

Wireshark supports Windows natively via the Windows API. Note that in this documentation and elsewhere we tend to use the terms “Win32”, “Win”, and “Windows” interchangeably to refer to the Windows API. Wireshark runs on and can be compiled on the following platforms:

• Windows 10 / Windows Server 2016

• Windows 8.1 / Windows Server 2012 R2

• Windows 8 / Windows Server 2012

• Windows 7 / Windows Server 2008 R2

Introduction

• Windows Vista / Windows Server 2008

Development on Windows XP, Server 2003, and older versions may be possible but is not supported.

1.4. Development and maintenance of Wireshark

Wireshark was initially developed by Gerald Combs. Ongoing development and maintenance of Wireshark is handled by the Wireshark core developers, a loose group of individuals who fix bugs and provide new functionality.

There have also been a large number of people who have contributed protocol dissectors and other improvements to Wireshark, and it is expected that this will continue. You can find a list of the people who have contributed code to Wireshark by checking the About dialog box of Wireshark, or have a look at the https://www.wireshark.org/about.html#authors page on the Wireshark web site.

The communication between the developers is usually done through the developer mailing list, which can be joined by anyone interested in the development activities. At the time this document was written, more than 500 persons were subscribed to this mailing list!

It is strongly recommended to join the developer mailing list, if you are going to do any Wireshark development. See Section 1.7.5, “Mailing Lists” about the different Wireshark mailing lists available.

1.4.1. Programming languages used

Most of Wireshark is implemented in plain ANSI C. A notable exception is the code in ui/qt, which is written in C++.

The typical task for a new Wireshark developer is to extend an existing, or write a new dissector for a specific network protocol. As (almost) any dissector is written in plain old ANSI C, a good knowledge about ANSI C will be sufficient for Wireshark development in almost any case.

Introduction

So unless you are going to change the build process of Wireshark itself, you won’t come in touch with any other programming language than ANSI C (such as Perl or Python, which are used only in the Wireshark build process).

Beside the usual tools for developing a program in C (compiler, make, …), the build process uses some additional helper tools (Perl, Python, Sed, …), which are needed for the build process when Wireshark is to be build and installed from the released source packages. If Wireshark is installed from a binary package, none of these helper tools are needed on the target system.

1.4.2. Open Source Software

Wireshark is an open source software (OSS) project, and is released under the GNU General Public License (GPL). You can freely use Wireshark on any number of computers you like, without worrying about license keys or fees or such. In addition, all source code is freely available under the GPL. Because of that, it is very easy for people to add new protocols to Wireshark, either as plugins, or built into the source, and they often do!

You are welcome to modify Wireshark to suit your own needs, and it would be appreciated if you contribute your improvements back to the Wireshark community.

You gain three benefits by contributing your improvements back to the community:

• Other people who find your contributions useful will appreciate them, and you will know that you have helped people in the same way that the developers of Wireshark have helped you and other people.

• The developers of Wireshark might improve your changes even more, as there’s always room for improvement. Or they may implement some advanced things on top of your code, which can be useful for yourself too.

• The maintainers and developers of Wireshark will maintain your code as well, fixing it when API changes or other changes are made, and generally keeping it in tune with what is happening with Wireshark. So if Wireshark is updated (which is done often), you can get a new Wireshark version from the website and your changes will already be included without any effort for you.

The Wireshark source code and binary packages for some platforms are all available on the download page of the Wireshark website: https://www.wireshark.org/download.html.

1.5. Releases and distributions

The officially released files can be found at: https://www.wireshark.org/download.html. A new Wireshark version is released after significant changes compared to the last release are completed or a serious security issue is encountered. The typical release schedule is about every 4-8 weeks (although this may vary). There are two kinds of distributions: binary and source; both have their advantages and disadvantages.

1.5.1. Binary distributions

Binary distributions are usually easy to install (as simply starting the appropriate file is usually the only thing to do). They are available for the following systems:

• Windows (.exe file). The typical Windows end user is used to getting a setup.exe file which will install all the required things for him.

• Win32 PAF (.paf.exe file). Another Windows end user method is to get a portable application file which will install all the required things for him.

Introduction

• Debian (.deb file). A user of a Debian Package Manager (DPKG) based system obtains a .deb file from which the package manager checks the dependencies and installs the software.

• Red Hat (.rpm file). A user of a RPM Package Manager (RPM) based system obtains an .rpm file from which the package manager checks the dependencies and installs the software.

• OS X (.dmg file). The typical OS X end user is used to getting a .dmg file which will install all the required things for him.

• Solaris. A Solaris user obtains a file from which the package manager (PKG) checks the dependencies and installs the software.

However, if you want to start developing with Wireshark, the binary distributions won’t be too helpful, as you need the source files, of course.

For details about how to build these binary distributions yourself, e.g. if you need a distribution for a special audience, see Section 3.11, “Binary packaging”.

1.5.2. Source code distributions

It’s still common for UNIX developers to give the end user a source tarball and let the user compile it on their target machine (configure, make, make install). However, for different UNIX (Linux) distributions it’s becoming more common to release binary packages (e.g. .deb or .rpm files) these days.

You should use the released sources if you want to build Wireshark from source on your platform for productive use. However, if you going to develop changes to the Wireshark sources, it might be better to use the latest GIT sources. For details about the different ways to get the Wireshark source code see

Section 3.3, “Obtain the Wireshark sources”.

Before building Wireshark from a source distribution, make sure you have all the tools and libraries required to build. The following chapters will describe the required tools and libraries in detail.

1.6. Automated Builds (Buildbot)

The Wireshark Buildbot automatically rebuilds Wireshark on every change of the source code repository and indicates problematic changes. This frees the developers from repeating (and annoying) work, so time can be spent on more interesting tasks.

1.6.1. Advantages

• Recognizing (cross platform) build problems - early. Compilation problems can be narrowed down to a few commits, making a fix much easier.

• "Health status" overview of the sources. A quick look at: https://buildbot.wireshark.org/wireshark-

master/ gives a good "feeling" if the sources are currently "well". On the other hand, if all is "red", an

update of a personal source tree might better be done later …

• "Up to date" binary packages are available. After a change was committed to the repository, a binary package / installer is usually available within a few hours at: https://www.wireshark.org/download/

automated/. This can be quite helpful, e.g. a bug reporter can easily verify a bugfix by installing a recent

build.

• Automated regression tests. In particular, the fuzz tests often indicate "real life" problems that are otherwise hard to find.

Introduction

1.6.2. What does the Buildbot do?

The Buildbot will do the following (to a different degree on the different platforms):

• Check out from the source repository

• Build

• Create binary packages and installers

• Create source packages and run distribution checks

• Run regression tests

Each step is represented at the status page by a rectangle, green if it succeeded or red if it failed. Most steps provide a link to the corresponding console logfile, to get additional information.

The Buildbot runs on a platform collection that represents the different "platform specialties" quite well:

• Windows 8.1 x86 (Win32, little endian, Visual Studio 2013)

• Windows 7 x86-64 (Win64, little endian, Visual Studio 2013)

• Ubuntu x86-64 (Linux, little endian, gcc, Clang)

• Solaris SPARC (Solaris, big endian, gcc)

• OS X x86 (BSD, little endian, Clang)

• OS X x86-64 (BSD, little endian, Clang)

and two buildslaves that run static code analysis to help spot coding issues:

• Visual Studio Code Analysis (Win64, little endian, VS 2013)

• Clang Code Analysis (Linux, little endian, Clang)

Each platform is represented at the status page by a single column, the most recent entries are at the top.

1.7. Reporting problems and getting help

If you have problems, or need help with Wireshark, there are several places that may be of interest to you (well, beside this guide of course).

1.7.1. Website

You will find lots of useful information on the Wireshark homepage at https://www.wireshark.org/.

1.7.2. Wiki

The Wireshark Wiki at https://wiki.wireshark.org/ provides a wide range of information related to Wireshark and packet capturing in general. You will find a lot of information not part of this developer’s guide. For example, there is an explanation how to capture on a switched network, an ongoing effort to build a protocol reference and a lot more.

And best of all, if you would like to contribute your knowledge on a specific topic (maybe a network protocol you know well), you can edit the Wiki pages by simply using your webbrowser.

1.7.3. FAQ

The "Frequently Asked Questions" will list often asked questions and the corresponding answers. Before sending any mail to the mailing lists below, be sure to read the FAQ, as it will often answer any

questions you might have. This will save yourself and others a lot of time. Keep in mind that a lot of people are subscribed to the mailing lists.

You will find the FAQ inside Wireshark by clicking the menu item Help/Contents and selecting the FAQ page in the upcoming dialog.

An online version is available at the Wireshark website: https://www.wireshark.org/faq.html. You might prefer this online version as it’s typically more up to date and the HTML format is easier to use.

1.7.4. Other sources

If you don’t find the information you need inside this book, there are various other sources of information:

• The file doc/README.developer and all the other README.xxx files in the source code. These are various documentation files on different topics

Introduction

Read the README

README.developer is packed full with all kinds of details relevant to the developer of Wireshark source code. Its companion file README.dissector advises you around common pitfalls, shows you basic layout of dissector code, shows details of the APIs available to the dissector developer, etc.

• The Wireshark source code

• Tool documentation of the various tools used (e.g. manpages of sed, gcc, etc.)

• The different mailing lists. See Section 1.7.5, “Mailing Lists”

1.7.5. Mailing Lists

There are several mailing lists available on specific Wireshark topics: wireshark-announce This mailing list will inform you about new program releases, which

wireshark-users This list is for users of Wireshark. People post questions about building

wireshark-dev This list is for Wireshark developers. People post questions about the

usually appear about every 4-8 weeks.

and using Wireshark, others (hopefully) provide answers.

development of Wireshark, others (hopefully) provide answers. If you want to start developing a protocol dissector, join this list.

wireshark-bugs This list is for Wireshark developers. Every time a change to the bug

database occurs, a mail to this mailing list is generated. If you want to be notified about all the changes to the bug database, join this list. Details about the bug database can be found in Section 1.7.6, “Bug database

(Bugzilla)”.

Introduction

wireshark-commits This list is for Wireshark developers. Every time a change to the GIT

repository is checked in, a mail to this mailing list is generated. If you want to be notified about all the changes to the GIT repository, join this list. Details about the GIT repository can be found in Section 3.2, “The

Wireshark Git repository”.

You can subscribe to each of these lists from the Wireshark web site: https://www.wireshark.org/lists/. From there, you can choose which mailing list you want to subscribe to by clicking on the Subscribe/ Unsubscribe/Options button under the title of the relevant list. The links to the archives are included on that page as well.

The archives are searchable

You can search in the list archives to see if someone previously asked the same question and maybe already got an answer. That way you don’t have to wait until someone answers your question.

1.7.6. Bug database (Bugzilla)

The Wireshark community collects bug reports in a Bugzilla database at https://bugs.wireshark.org/. This database is filled with manually filed bug reports, usually after some discussion on wireshark-dev, and automatic bug reports from the Buildbot tools.

1.7.7. Q&A Site

The Wireshark Q and A site at https://ask.wireshark.org/ offers a resource where questions and answers come together. You have the option to search what questions were asked before and what answers were given by people who knew about the issue. Answers are graded, so you can pick out the best ones easily. If your issue isn’t discussed before you can post one yourself.

1.7.8. Reporting Problems

Test with the latest version

Before reporting any problems, please make sure you have installed the latest version of Wireshark. Reports on older maintenance releases are usually met with an upgrade request.

If you report problems, provide as much information as possible. In general, just think about what you would need to find that problem, if someone else sends you such a problem report. Also keep in mind that people compile/run Wireshark on a lot of different platforms.

When reporting problems with Wireshark, it is helpful if you supply the following information:

1. The version number of Wireshark and the dependent libraries linked with it, e.g. Qt, GTK+, etc. You

can obtain this with the command wireshark -v.

2. Information about the platform you run Wireshark on.

3. A detailed description of your problem.

4. If you get an error/warning message, copy the text of that message (and also a few lines before and

after it, if there are some), so others may find the build step where things go wrong. Please don’t give something like: "I get a warning when compiling x" as this won’t give any direction to look at.

Introduction

Don’t send large files

Do not send large files (>100KB) to the mailing lists, just place a note that further data is available on request. Large files will only annoy a lot of people on the list who are not interested in your specific problem. If required, you will be asked for further data by the persons who really can help you.

Don’t send confidential information

If you send captured data to the mailing lists, or add it to your bug report, be sure it doesn’t contain any sensitive or confidential information, such as passwords. Visibility of such files can be limited to certain groups in the Bugzilla database though.

1.7.9. Reporting Crashes on UNIX/Linux platforms

When reporting crashes with Wireshark, it is helpful if you supply the traceback information (besides the information mentioned in Section 1.7.8, “Reporting Problems”).

You can obtain this traceback information with the following commands:

$ gdb `whereis wireshark | cut -f2 -d: | cut -d' ' -f2` core >& bt.txt backtrace ^D $

Using GDB

Type the characters in the first line verbatim. Those are back-tics there. backtrace is a gdb command. You should enter it verbatim after the first line shown

above, but it will not be echoed. The ^D (Control-D, that is, press the Control key and the D key together) will cause gdb to exit. This will leave you with a file called bt.txt in the current directory. Include the file with your bug report.

If you do not have gdb available, you will have to check out your operating system’s debugger.

You should mail the traceback to the wireshark-dev mailing list, or attach it to your bug report.

1.7.10. Reporting Crashes on Windows platforms

You can download Windows debugging symbol files (.pdb) from the following locations:

• 32-bit Windows: https://www.wireshark.org/download/win32/all-versions/

• 64-bit Windows: https://www.wireshark.org/download/win64/all-versions/

Files are named "Wireshark-pdb-winbits-x.y.z.zip" to match their corresponding "Wireshark-winbitsx.y.z.exe" installer packages.

Chapter 2. Quick Setup

2.1. UNIX: Installation

All the tools required are usually installed on a UNIX developer machine.

If a tool is not already installed on your system, you can usually install it using the package in your distribution: aptitude, yum, Synaptic, etc.

If an install package is not available or you have a reason not to use it (maybe because it’s simply too old), you can install that tool from source code. The following sections will provide you with the webpage addresses where you can get these sources.

2.2. Win32/64: Step-by-Step Guide

A quick setup guide for Win32 and Win64 with recommended configuration.

Warning

Unless you know exactly what you are doing, you should strictly follow the recommendations below. They are known to work and if the build breaks, please re-read this guide carefully.

Known traps are:

1. Not using the correct (x86 or x64) version of the Visual Studio command prompt.

2. Not copying/downloading the correct version of vcredist_xYY.exe.

2.2.1. Install PowerShell

PowerShell 2.0 or later is required for building Wireshark and the NSIS package. Windows 7 and later include compatible versions. It is also required by Chocolatey.

If you are running Windows Vista and have thus far managed to not install PowerShell 2.0, either directly or via anything that requires it, you must now install PowerShell 2.0. You can download it from https://

www.microsoft.com/powershell

2.2.2. Optional: Install Chocolatey

Chocolatey is a native package manager for Windows. There are packages for most of the software listed

below. Along with traditional Windows packages it supports Cygwin and the Python Package Index.

2.2.3. Install Microsoft C compiler and SDK

You need to install, in exactly this order:

1. C compiler: Download and install "Microsoft Visual Studio 2013 Community Edition." This is a small

download that then downloads all the other required parts (which are quite large).

Uncheck all the optional components (unless you want to use them for purposes other than Wireshark).

Quick Setup

You can use Chocolatey to install Visual Studio:

PS$>choco install VisualStudioCommunity2013

You can use other Microsoft C compiler variants, but VS2013 is used to build the development releases and is the preferred option. It’s possible to compile Wireshark with a wide range of Microsoft C compiler variants. For details see Section 4.6, “Microsoft compiler toolchain (Windows native)”.

You may have to do this as Administrator. Compiling with gcc or Clang is not recommended and will certainly not work (at least not without a lot of

advanced tweaking). For further details on this topic, see Section 4.5, “GNU compiler toolchain (UNIX

only)”. This may change in future as releases of Visual Studio add more cross-platform support.

Why is this recommended? While this is a huge download, Visual Studio 2013 Community Edition is the only free (as in beer) versions that includes the Visual Studio integrated debugger. Visual Studio 2013 is also used to create official Wireshark builds, so it will likely have fewer development-related problems.

For VS2010 You will need some extra items:

1. Windows SDK for Windows 7, if you want to build 64-bit binaries for Windows 7: Download and

install "Microsoft Windows SDK for Windows 7." In case the install of the SDK fails go to software management and remove the VC++ 2010 runtime

and redist packages (don’t worry, they will be added back via the service pack later). If installation of the SDK still fails, there may be a permission problem. See here for a solution.

2. C compiler service pack: Download and install "Microsoft Visual Studio 2010 Service Pack 1." This

is a very large download.

3. Microsoft Visual C++ 2010 Service Pack 1 Compiler Update for the Windows SDK 7.1, if you want to

build 64-bit binaries for Windows 7: Download and install "Microsoft Visual C++ 2010 Service Pack 1 Compiler Update for the Windows SDK 7.1."

4. If you will be building 64-bit binaries those items must be installed in that order as installing the

Microsoft Visual Studio 2010 Service Pack 1 can, if you’ve installed the Microsoft Windows SDK for Windows 7, remove the 64-bit compilers, as per http://support.microsoft.com/?kbid=2519277 the Microsoft Knowledge Base article "FIX: Visual C++ compilers are removed when you upgrade Visual Studio 2010 Professional or Visual Studio 2010 Express to Visual Studio 2010 SP1 if Windows SDK v7.1 is installed". The release notes for the Microsoft Visual C++ 2010 Service Pack 1 Compiler Update for the Windows SDK 7.1 say that, to ensure that your system has a supported configuration, you must install the items in the order specified above. If you have Microsoft Update installed, so that the Windows update process will update software other than components of Windows, and thus will update Visual Studio, you may need to disable it until after all of the above are installed, to make sure it doesn’t install Visual Studio 2010 SP1 out of order.

2.2.4. Install Qt

The main Wireshark application uses the Qt windowing toolkit. To install Qt download the Online Installer from the Qt Project download page and select a component that matches your target system and

compiler. For example, the “msvc2013 64-bit OpenGL” component is used to build the official 64-bit packages.

Note that separate installations (into different directories) of Qt are required for 32 bit and 64 bit builds. The environment variable QT5_BASE_DIR should be set as appropriate for your environment and should point to the Qt directory that contains the bin directory, e.g. C:\Qt\Qt5.5.0\5.5\msvc2013

2.2.5. Install Cygwin

On 32-bit Windows, download the 32-bit Cygwin installer and start it. On 64-bit Windows, download the

64-bit Cygwin installer and start it.

At the "Select Packages" page, you’ll need to select some additional packages which are not installed by default. Navigate to the required Category/Package row and, if the package has a "Skip" item in the "New" column, click on the "Skip" item so it shows a version number for:

• Archive/unzip (not needed if using CMake)

• Devel/bison (or install Win flex-bison - see Chocolatey below)

• Devel/flex (or install Win flex-bison - see Chocolatey below)

• Devel/git (recommended - see discussion about using Git below)

• Interpreters/perl

• Utils/patch (only if needed) (may be Devel/patch instead)

• Web/wget (not needed if using CMake)

Quick Setup

• Text/asciidoc

• Text/docbook-xml45

You might also have to install

• Interpreters/m4

if installing Devel/bison doesn’t provide a working version of Bison. If m4 is missing bison will fail. After clicking the Next button several times, the setup will then download and install the selected packages

(this may take a while). Why is this recommended? Cygwin’s bash version is required, as no native Win32 version is available.

As additional packages can easily be added, Perl and other packages are also used. Alternatively you can install Cygwin and its packages using Chocolatey:

PS$>choco install cygwin PS$>choco install cyg-get PS$>choco install sed asciidoc [...] -source cygwin

Chocolatey installs Cygwin in C:\tools\cygwin by default. You can use Chocolatey’s Win flex-bison packages rather than the Cygwin Bison and Flex package:

PS$>choco install winflexbison

2.2.6. Install Python

Get the Python 2.7 installer from http://python.org/download/ and install Python into the default location (C:\Python27).

Why is this recommended? Cygwin’s Python package doesn’t work on some machines, so the Win32 native package is recommended (and it’s faster). Note that Python 3.x isn’t currently supported.

Quick Setup

Alternatively you can install Python using Chocolatey:

PS$>choco install python2

Chocolatey installs Python 2 in C:\tools\python2 by default.

2.2.7. Install Git

Please note that the following is not required to build Wireshark but can be quite helpful when working with the sources.

Working with the Git source repositories is highly recommended, see Section 3.3, “Obtain the Wireshark

sources”. It is much easier to update a personal source tree (local repository) with Git rather than

downloading a zip file and merging new sources into a personal source tree by hand. It also makes firsttime setup easy and enables the Wireshark build process to determine your current source code revision.

There are several ways in which Git can be installed. Most packages are available at the URLs below or via Chocolatey. Note that many of the GUI interfaces depend on the command line version.

2.2.7.1. The Official Windows Installer

The official command-line installer is available at http://msysgit.github.io/.

2.2.7.2. Git Extensions

Git Extensions is a native Windows graphical Git client for Windows. You can download the installer from http://code.google.com/p/gitextensions/.

2.2.7.3. TortoiseGit

TortoiseGit is a native Windows graphical Git similar to TortoiseSVN. You can download the installer from http://code.google.com/p/tortoisegit/.

2.2.7.4. Command Line client via Chocolatey

The command line client can be installed (and updated) using Chocolatey:

PS$> choco install git

2.2.7.5. Others

A list of other GUI interfaces for Git can be found at http://git-scm.com/downloads/guis

2.3. Install CMake

Get the CMake installer from https://cmake.org/download/ and install CMake into the default location. Ensure the directory containing cmake.exe is added to your path.

Alternatively you can install CMake using Chocolatey:

PS$>choco install cmake.portable

Chocolatey ensures cmake.exe is on your path.

Quick Setup

2.3.1. Install and Prepare Sources

Make sure everything works

It’s a good idea to make sure Wireshark compiles and runs at least once before you start hacking the Wireshark sources for your own project. This example uses Git Extensions but any other Git client should work as well.

Download sources Download Wireshark sources into C:\Development\wireshark using either the command line or Git Extensions:

Using the command line:

>cd C:\Development >git clone https://code.wireshark.org/review/wireshark

Using Git extensions:

1. Open the Git Extensions application. By default Git Extensions will show a validation checklist at

startup. If anything needs to be fixed do so now. You can bring up the checklist at any time via Tools # Settings.

2. In the main screen select Clone repository. Fill in the following:

Repository to clone: https://code.wireshark.org/review/wireshark

Destination: Your top-level development directory, e.g. C:\Development.

Subdirectory to create: Anything you’d like. Usually wireshark.

Check your paths

Make sure your repository path doesn’t contain spaces.

3. Click the Clone button. Git Extensions should start cloning the Wireshark repository.

2.3.2. Open a Visual Studio Command Prompt

From the Start Menu (or Start Screen), navigate to the Visual Studio 2013 → Visual Studio Tools directory and choose the Command Prompt appropriate for the build you wish to make, e.g. VS2013 x86 Native Tools Command Prompt for a 32-bit version, VS2013 x64 Native Tools Command Prompt for a 64-bit version.

Pin the items to the Task Bar

Pin the Command Prompt you use to the Task Bar for easy access.

All subsequent operations take place in this Command Prompt window.

1. Set environment variables to control the build.

Set the following environment variables, using paths and values suitable for your installation:

> set CYGWIN=nodosfilewarning > set WIRESHARK_BASE_DIR=C:\Development or set WIRESHARK_LIB_DIR to the appropriate library directory for your build. > set WIRESHARK_TARGET_PLATFORM=win32 or win64 as required

Quick Setup

> set QT5_BASE_DIR=C:\Qt\Qt5.5.0\5.5\msvc2013

> set WIRESHARK_VERSION_EXTRA=-YourExtraVersionInfo

If your Cygwin installation path is not automatically detected by CMake, you can explicitly specify it with the following environment variable:

> set WIRESHARK_CYGWIN_INSTALL_PATH=c:\cygwin or whatever other path that is applicable to your setup

If you are using a version of Visual Studio earlier than VS2012 then you must set an additional env var, e.g. for VS2010 set the following:

> set VisualStudioVersion=10.0

Setting these variables could be added to a batch file to be run after you open the Visual Studio Tools Command Prompt.

2. Create and change to the correct build directory. CMake is best used in an out-of-tree build configuration

where the build is done in a separate directory to the source tree, leaving the source tree in a pristine state. 32 and 64 bit builds require a separate build directory. Create (if required) and change to the appropriate build directory.

> mkdir C:\Development\wsbuild32 > cd C:\Development\wsbuild32

to create and jump into the build directory. The build directory can be deleted at any time and the build files regenerated as detailed in Section 2.3.3,

“Generate the build files”.

2.3.3. Generate the build files

CMake is used to process the CMakeLists.txt files in the source tree and produce build files appropriate for your system.

You can generate Visual Studio solution files to build either from within Visual Studio, or from the command line with MSBuild. CMake can also generate other build types but they aren’t supported.

The initial generation step is only required the first time a build directory is created. Subsequent builds will regenerate the build files as required.

If you’ve closed the Visual Studio Command Prompt prepare it again. To generate the build files enter the following at the Visual Studio command prompt:

> cmake -DENABLE_CHM_GUIDES=on -G "Visual Studio 12" ..\wireshark

Adjusting the paths as required to Python and the wireshark source tree. To use a different generator modify the -G parameter, cmake -G lists all the CMake supported generators, but only Visual Studio is supported for Wireshark builds.

To build an x64 version, the -G parameter must have a Win64 suffix, e.g. -G "Visual Studio 12 Win64" The CMake generation process will download the required 3rd party libraries (apart from Qt) as required,

then test each library for usability before generating the build files. At the end of the CMake generation process the following should be displayed:

-- Configuring done

-- Generating done

-- Build files have been written to: C:/Development/wsbuild32

If you get any other output, there is an issue in your envirnment that must be rectified before building. Check the parameters passed to CMake, especially the -G option and the path to the Wireshark sources and the environment variables WIRESHARK_BASE_DIR, WIRESHARK_TARGET_PLATFORM and QT5_BASE_DIR.

2.3.4. Build Wireshark

Now it’s time to build Wireshark!

1. If you’ve closed the Visual Studio Command Prompt prepare it again.

2. Run

> msbuild /m /p:Configuration=RelWithDebInfo Wireshark.sln

to build Wireshark.

3. Wait for Wireshark to compile. This will take a while, and there will be a lot of text output in the

command prompt window

4. For the QT version run C:\Development\wsbuild32\run\RelWithDebInfo

\Wireshark.exe and make sure it starts.

Quick Setup

5. For the older GTK version run C:\Development\wsbuild32\run\RelWithDebInfo

\wireshark-gtk.exe.

6. Open Help # About. If it shows your "private" program version, e.g.: Version 2.1.x-myprotocol123

congratulations! You have compiled your own version of Wireshark!

You may also open the Wireshark solution file (Wireshark.sln) in the Visual Studio IDE and build there.

Tip

If compilation fails for suspicious reasons after you changed some source files try to clean the build files by running msbuild /m /p:Configuration=RelWithDebInfo Wireshark.sln /t:Clean and then building the solution again.

The build files produced by CMake will regenerate themselves if required by changes in the source tree.

2.3.5. Debug Environment Setup

You can debug using the Visual Studio Debugger or WinDbg. See the section on using the Debugger Tools.

2.3.6. Optional: Create User’s and Developer’s Guide

Detailed information to build these guides can be found in the file docbook\README.txt in the Wireshark sources.

2.3.7. Optional: Create a Wireshark Installer

Note: You should have successfully built Wireshark before doing the following. If you want to build your own wireshark-win32-2.1.x-myprotocol123.exe, you’ll need NSIS.

Quick Setup

1. NSIS: Download and install NSIS

Note that the 32-bit version of NSIS will work for both 32-bit and 64-bit versions of Wireshark.

Note: If you do not yet have a copy of vcredist_x86.exe or vcredist_x64.exe in ./wireshark-winXX-libs (where XX is 32 or 64) you will need to download the appropriate file and place it in ./wireshark-winXXlibs before starting this step.

If building an x86 version using a Visual Studio "Express" edition or an x64 version with any edition, then you must have the appropriate vcredist file for your compiler in the support libraries directory (vcredist_x86.exe in wireshark-32-libs or vcredist_x64.exe in wireshark-win64-libs).

The files can be located in the Visual Studio install directory for non-Express edition builds, or downloaded from Microsoft for Expresss edition builds.

Note you must use the correct version of vcredist for your compiler, unfortunately they all have the same name (vcredist_x86.exe or vcredist_x64.exe). You can use Windows Explorer and examine the Properties >> Details tab for a vcredist file to determine which compiler version the file is for use with.

1. If you’ve closed the Visual Studio Command Prompt prepare it again.

2. Run

> msbuild /m /p:Configuration=RelWithDebInfo nsis_package_prep.vcxproj > msbuild /m /p:Configuration=RelWithDebInfo nsis_package.vcxproj

to build a Wireshark installer.

3. Run

> C:\Development\wireshark\packaging\nsis\wireshark-win32-wireshark-major-minor-version:[].x-myprotocol123.exe

to test your new installer. It’s a good idea to test on a different machine than the developer machine. Note that if you’ve built an x64 version, the installer will be named accordingly.

Chapter 3. Work with the Wireshark sources

3.1. Introduction

This chapter will explain how to work with the Wireshark source code. It will show you how to:

• Get the source

• Compile it on your machine

• Submit changes for inclusion in the official release

This chapter will not explain the source file contents in detail, such as where to find specific functionality. This is done in Section 7.1, “Source overview”.

3.2. The Wireshark Git repository

Git is used to keep track of the changes made to the Wireshark source code. The code is stored inside

Wireshark project’s Git repository located at a server at the wireshark.org domain. Changes to the official repository are managed using the Gerrit code review system. Gerrit makes it easy

to test and discuss changes before they are pushed to the main repository. For an overview of Gerrit see the Quick Introduction.

Why Git? Git is a fast, flexible way of managing source code. It allows large scale distributed development and ensures data integrity.

Why Gerrit? Gerrit makes it easy to contribute. You can sign in with any OpenID provider and push your changes. It’s usable from both the web and command line and is integrated with many popular tools.

Git is our third revision control system

Wireshark originally used Concurrent Versions System (CVS) and migrated to Subversion in July 2004. The Subversion repository was subsequently migrated to Git in January 2014.

Using Wireshark’s Git repository you can:

• Keep your private sources up to date with very little effort

• Get a mail notification when the official source code changes

• Get the source files from any previous release (or any other point in time)

• Have a quick look at the sources using a web interface

• See which person changed a specific piece of code

• and much more

3.2.1. The web interface to the Git repository

If you need a quick look at the Wireshark source code you can browse the most recent file versions in the master branch using Gitweb:

Work with the Wireshark sources

https://code.wireshark.org/review/gitweb?p=wireshark.git;a=tree

You can also view commit logs, branches, tags, and past revisions:

https://code.wireshark.org/review/gitweb?p=wireshark.git

Like most revision control systems, Git uses branching to manage different copies of the source code and allow parallel development. Wireshark uses the following branches for official releases:

• master: Main feature development and odd-numbered "feature" releases.

• master-x.y: Stable release maintenance. For example, master-1.10 is used to manage the 1.10.x official releases.

3.3. Obtain the Wireshark sources

There are several ways to obtain the sources from Wireshark’s Git repository.

Check out from the master branch using Git.

Using Git is much easier than synchronizing your source tree by hand using any of the snapshot methods mentioned below. Git merges changes into your personal source tree in a very comfortable and quick way. So you can update your source tree several times a day without much effort.

Keep your sources up to date

The following ways to retrieve the Wireshark sources are sorted in decreasing source timeliness. If you plan to commit changes you’ve made to the sources, it’s a good idea to keep your private source tree as current as possible.

The age mentioned in the following sections indicates the age of the most recent change in that set of the sources.

3.3.1. Git over SSH or HTTPS

Recommended for development purposes.

Age: a few minutes.

You can use a Git client to download the source code from Wireshark’s code review system. Anyone can clone from the anonymous git URL:

• https://code.wireshark.org/review/wireshark

If you create a Gerrit account you can clone from an authenticated URL:

• ssh://your.username@code.wireshark.org:29418/wireshark

• https://your.username@code.wireshark.org/review/wireshark

SSH lets you use Gerrit on the command line. HTTP lets you access the repository in environments that block the Gerrit SSH port (29418). At the time of this writing (early 2014) we recommend that you use the SSH interface. However, this may change as more tools take advantage of Gerrit’s HTTP REST API.

Work with the Wireshark sources

The following example shows how to get up and running on the command line. See Section 4.13, “Git

client” for information on installing and configuring graphical Git and Gerrit clients.

1. Sign in to https://code.wireshark.org/review using OpenID (click Register or Sign In in the upper right

corner of the web page). Follow the login instructions.

2. In the upper right corner of the web page, click on your account name and select Settings.

3. Under Profile set a username. This will be the username that you use for SSH access. For the steps

below we’ll assume that your username is henry.perry.

4. Select SSH Public Keys and add one or more keys. You will typically upload a key for each computer

that you use.

5. Install git-review. This is an installable package in many Linux distributions. You can also install it as

a Python package. (This step isn’t strictly necessary but it makes working with Gerrit much easier.) To install it from Chocolatey run

# Make sure "Scripts" is in our path PS$>$env:path += ";C:\tools\python2\Scripts" PS$>choco install pip PS$>choco install git-review -source python

6. Now on to the command line. First, make sure git works:

$ git --version

7. If this is your first time using Git, make sure your username and email address are configured. This is

particularly important if you plan on uploading changes.

$ git config --global user.name "Henry Perry" $ git config --global user.email henry.perry@example.com

8. Next, clone the Wireshark master:

$ git clone ssh://henry.perry@code.wireshark.org:29418/wireshark

The checkout only has to be done once. This will copy all the sources of the latest version (including directories) from the server to your machine. This may take some time depending on the speed of your internet connection.

9. Then set up the git pre-commit hook and the push address:

$ cd wireshark $ cp tools/pre-commit .git/hooks/ $ git config --add remote.origin.push HEAD:refs/for/master

This will run a few basic checks on commit to make sure that the code does not contain trivial errors. It will also warn if it is out of sync with its master copy in the tools/ directory. The change in the push address is necessary: We have an asymmetric process for pulling and pushing because of gerrit.

10.Initialize git-review.

$ git review -s

This prepares your local repository for use with Gerrit, including installing the commit-msg hook script.

3.3.2. Git web interface

Recommended for informational purposes only, as only individual files can be downloaded.

Work with the Wireshark sources

Age: a few minutes (same as anonymous Git access).

The entire source tree of the Git repository is available via a web interface at https://code.wireshark.org/

review/gitweb?p=wireshark.git. You can view each revision of a particular file, as well as diffs between

different revisions. You can also download individual files but not entire directories.

3.3.3. Buildbot Snapshots

Recommended for development purposes, if direct Git access isn’t possible (e.g. because of a restrictive firewall).

Age: some number of minutes (a bit older than the Git access).

The Buildbot server will automatically start to generate a snapshot of Wireshark’s source tree after a source code change is committed. These snapshots can be found at https://www.wireshark.org/download/

automated/src/.

If Git access isn’t possible, e.g. if the connection to the server isn’t possible because of a corporate firewall, the sources can be obtained by downloading the Buildbot snapshots. However, if you are going to maintain your sources in parallel to the "official" sources for some time, it’s recommended to use the anonymous (or authenticated) Git access if possible (believe it, it will save you a lot of time).

3.3.4. Released sources

Recommended for building pristine packages.

Age: from days to weeks.

The official source releases can be found at https://www.wireshark.org/download.html. You should use these sources if you want to build Wireshark on your platform for with minimal or no changes, such Linux distribution packages.

The differences between the released sources and the sources in the Git repository will keep on growing until the next release is made. (At the release time, the released and latest Git repository versions are identical again :-).

3.4. Update the Wireshark sources

After you’ve obtained the Wireshark sources for the first time, you might want to keep them in sync with the sources at the upstream Git repository.

Take a look at the Buildbot first

As development evolves, the Wireshark sources are compilable most of the time — but not always. You should take a look at https://buildbot.wireshark.org/trunk/waterfall before fetching or pulling to make sure the builds are in good shape.

3.4.1. Update Using Git

After you clone Wireshark’s Git repository you can update by running

$ git status $ git pull

Work with the Wireshark sources

Depending on your preferences and work habits you might want to run git pull --rebase or git checkout -b my-topic-branch origin/master instead.

Fetching should only take a few seconds, even on a slow internet connection. It will update your local repository history with changes from the official repository. If you and someone else have changed the same file since the last update, Git will try to merge the changes into your private file (this works remarkably well).

3.4.2. Update Using Source Archives

There are several ways to download the Wireshark source code (as described in Section 3.3, “Obtain the

Wireshark sources”), but bringing the changes from the official sources into your personal source tree is

identical.

First of all, you will download the new .tar.bz2 file of the official sources the way you did it the first time.

If you haven’t changed anything in the sources, you could simply throw away your old sources and reinstall everything just like the first time. But be sure, that you really haven’t changed anything. It might be a good idea to simply rename the "old" dir to have it around, just in case you remember later that you really did change something before.

If you have changed your source tree, you have to merge the official changes since the last update into your source tree. You will install the content of the .tar.bz2 file into a new directory and use a good merge tool (e.g. http://winmerge.sourceforge.net/for Win32) to bring your personal source tree in sync with the official sources again.

This method can be problematic and can be much more difficult and error-prone than using Git.

3.5. Build Wireshark

The sources contain several documentation files. It’s a good idea to read these files first. After obtaining the sources, tools and libraries, the first place to look at is doc/README.developer. Inside you will find the latest information for Wireshark development for all supported platforms.

Build Wireshark before changing anything

It is a very good idea to first test your complete build environment (including running and debugging Wireshark) before making any changes to the source code (unless otherwise noted).

Building Wireshark for the first time depends on your platform.

3.5.1. Building on Unix

Run the autogen.sh script at the top-level wireshark directory to configure your build directory.

$ ./autogen.sh $ ./configure $ make

If you need to build with a non-standard configuration, you can run

$ ./configure --help

Work with the Wireshark sources

to see what options you have.

3.5.2. Win32 native

Follow the build procedure in Section 2.3.4, “Build Wireshark” to build Wireshark. After the build process has successfully finished, you should find a Wireshark.exe and some other

files in the run\RelWithDebInfo directory.

3.6. Run generated Wireshark

Tip!

An already installed Wireshark may interfere with your newly generated version in various ways. If you have any problems getting your Wireshark running the first time, it might be a good idea to remove the previously installed version first.

3.6.1. Unix/Linux

After a successful build you can run Wireshark right from the build directory. Still the program would need to know that it’s being run from the build directory and not from its install location. This has an impact on the directories where the program can find the other parts and relevant data files.

In order to run the Wireshark from the build directory set the environment variable WIRESHARK_RUN_FROM_BUILD_DIRECTORY and run Wireshark. If your platform is properly setup, your build directory and current working directory are not in your PATH, so the command line to launch Wireshark would be:

$ WIRESHARK_RUN_FROM_BUILD_DIRECTORY=1 ./wireshark

There’s no need to run Wireshark as root user, you just won’t be able to capture. When you opt to run Wireshark this way, your terminal output can be informative when things don’t work as expected.

3.6.2. Win32 native

During the build all relevant program files are collected in a subdirectory run\RelWithDebInfo. You can run the program from there by launching the Wireshark.exe executable.

The older GTK based version is also available in the same subdirectory. You can run the program from there by launching the wireshark-gtk.exe executable.

3.7. Debug your generated Wireshark

3.7.1. Unix/Linux

When you want to investigate a problem with Wireshark you want to load the program into your debugger. But loading wireshark into debugger fails because of the libtool build environment. You’ll have to wrap loading wireshark into a libtool command:

$ libtool --mode=execute gdb wireshark

If you prefer a graphic debugger you can use the Data Display Debugger (ddd) instead of GNU debugger (gdb).

Work with the Wireshark sources

Additional traps can be set on GLib by setting the G_DEBUG environment variable:

$ G_DEBUG=fatal_criticals libtool --mode=execute ddd wireshark

See http://library.gnome.org/devel/glib/stable/glib-running.html

3.7.2. Win32 native

You can debug using the Visual Studio Debugger or WinDbg. See the section on using the Debugger Tools.

3.8. Make changes to the Wireshark sources

As the Wireshark developers are working on many different platforms, a lot of editors are used to develop Wireshark (emacs, vi, Microsoft Visual Studio and many, many others). There’s no "standard" or "default" development environment.

There are several reasons why you might want to change the Wireshark sources:

• Add support for a new protocol (a new dissector)

• Change or extend an existing dissector

• Fix a bug

• Implement a glorious new feature

The internal structure of the Wireshark sources will be described in Part II, “Wireshark Development”.

Ask the wireshark-dev mailing list before you start a new development task.

If you have an idea what you want to add or change it’s a good idea to contact the developer mailing list (see Section 1.7.5, “Mailing Lists”) and explain your idea. Someone else might already be working on the same topic, so a duplicated effort can be reduced. Someone might also give you tips that should be thought about (like side effects that are sometimes very hard to see).

3.9. Contribute your changes

If you have finished changing the Wireshark sources to suit your needs, you might want to contribute your changes back to the Wireshark community. You gain the following benefits by contributing your improvements:

• It’s the right thing to do. Other people who find your contributions useful will appreciate them, and you will know that you have helped people in the same way that the developers of Wireshark have helped you.

• You get free enhancements. By making your code public, other developers have a chance to make improvements, as there’s always room for improvements. In addition someone may implement advanced features on top of your code, which can be useful for yourself too.

• You save time and effort. The maintainers and developers of Wireshark will maintain your code as well, updating it when API changes or other changes are made, and generally keeping it in tune with what is happening with Wireshark. So if Wireshark is updated (which is done often), you can get a new

Work with the Wireshark sources

Wireshark version from the website and your changes will already be included without any effort for you.

There’s no direct way to push changes to the Git repository. Only a few people are authorised to actually make changes to the source code (check-in changed files). If you want to submit your changes, you should upload them to the code review system at https://code.wireshark.org/review. This requires you to set up git as described at Section 3.3.1, “Git over SSH or HTTPS”.

3.9.1. Some tips for a good patch

Some tips that will make the merging of your changes into Git much more likely (and you want exactly that, don’t you?):

• Use the latest Git sources. It’s a good idea to work with the same sources that are used by the other developers. This usually makes it much easier to apply your patch. For information about the different ways to get the sources, see Section 3.3, “Obtain the Wireshark sources”.

• Update your sources just before making a patch. For the same reasons as the previous point.

• Inspect your patch carefully. Run git diff and make sure you aren’t adding, removing, or omitting anything you shouldn’t.

• Find a good descriptive topic name for your patch. Short, specific names are preferred. snowcone- machine-protocol is good, your name or your company name isn’t.

• Don’t put unrelated things into one large patch. A few smaller patches are usually easier to apply (but also don’t put every changed line into a separate patch.

In general, making it easier to understand and apply your patch by one of the maintainers will make it much more likely (and faster) that it will actually be applied.

Please remember

Wireshark is a volunteer effort. You aren’t paying to have your code reviewed and integrated.

3.9.2. Code Requirements

The core maintainers have done a lot of work fixing bugs and making code compile on the various platforms Wireshark supports.

To ensure Wireshark’s source code quality, and to reduce the workload of the core maintainers, there are some things you should think about before submitting a patch.

Pay attention to the coding guidelines

Ignoring the code requirements will make it very likely that your patch will be rejected.

• Follow the Wireshark source code style guide. Just because something compiles on your platform, that doesn’t mean it’ll compile on all of the other platforms for which Wireshark is built. Wireshark runs on many platforms, and can be compiled with a number of different compilers. See Section 7.2, “Coding

Style”for details.

• Submit dissectors as built-in whenever possible. Developing a new dissector as a plugin is a good idea because compiling and testing is quicker, but it’s best to convert dissectors to the built-in style before submitting for check in. This reduces the number of files that must be installed with Wireshark and ensures your dissector will be available on all platforms.

Work with the Wireshark sources

This is no hard-and-fast rule though. Many dissectors are straightforward so they can easily be put into "the big pile", while some are ASN.1 based which takes a different approach, and some multiple source file dissectors are more suitable to be placed separately as plugins.

• Verify that your dissector code does not use prohibited or deprecated APIs. This can be done as follows:

$ perl <wireshark_root>/tools/checkAPIs.pl <source filename(s)>

• Fuzz test your changes! Fuzz testing is a very effective way to automatically find a lot of dissector related bugs. You’ll take a capture file containing packets affecting your dissector and the fuzz test will randomly change bytes in this file, so that unusual code paths in your dissector are checked. There are tools available to automatically do this on any number of input files, see: https://wiki.wireshark.org/

FuzzTesting for details.

3.9.3. Uploading your changes

When you’re satisfied with your changes (and obtained any necessary approval from your organization) you can upload them for review at https://code.wireshark.org/review. This requires a Gerrit Code Review account as described at Section 3.2, “The Wireshark Git repository”.

Changes should be pushed to a magical "refs/for" branch in Gerrit. For example, to upload your new Snowcone Machine Protocol dissector you could push to refs/for/master with the topic "snowconemachine":

$ git push ssh://my.username@code.wireshark.org:29418/wireshark HEAD:refs/for/master/snowcone-machine

The username my.username is the one which was given during registration with the review system. If you have git-review installed you can upload the change with a lot less typing:

# Note: The "-f" flag deletes your current branch. $ git review -f

You can push using any Git client. Many clients have support for Gerrit, either built in or via an additional module.

You might get one of the following responses to your patch request:

• Your patch is checked into the repository. Congratulations!

• You are asked to provide additional information, capture files, or other material. If you haven’t fuzzed your code, you may be asked to do so.

• Your patch is rejected. You should get a response with the reason for rejection. Common reasons include not following the style guide, buggy or insecure code, and code that won’t compile on other platforms. In each case you’ll have to fix each problem and upload another patch.

• You don’t get any response to your patch. Possible reason: All the core developers are busy (e.g., with their day jobs or family or other commitments) and haven’t had time to look at your patch. Don’t worry, if your patch is in the review system it won’t get lost.

If you’re concerned, feel free to add a comment to the patch or send an email to the developer’s list asking for status. But please be patient: most if not all of us do this in our spare time.

3.9.4. Backporting a change

When a bug is fixed in the master branch it might be desirable or necessary to backport the fix to a stable branch. You can do this in Git by cherry-picking the change from one branch to another. Suppose you

Work with the Wireshark sources

want to backport change 1ab2c3d4 from the master branch to master-1.10. Using "pure Git" commands you would do the following:

# Create a new topic branch for the backport. $ git checkout -b backport-g1ab2c3d4 origin/master-1.10

# Cherry-pick the change. Include a "cherry picked from..." line. $ git cherry-pick -x 1ab2c3d4

# If there are conflicts, fix them.

# Compile and test the change. $ make $ ...

# OPTIONAL: Add entries to docbook/release-notes.asciidoc. $ $EDITOR docbook/release-notes.asciidoc

# If you made any changes, update your commit: $ git commit --amend -a

# Upload the change to Gerrit $ git push ssh://my.username@code.wireshark.org:29418/wireshark HEAD:refs/for/master-1.10/backport-g1ab2c3d4

If you want to cherry-pick a Gerrit change ID (e.g. I5e6f7890) you can use git review -X I5e6f7890 instead of git cherry-pick and git review instead of git push as described

in the previous chapter.

3.10. Apply a patch from someone else

Sometimes you need to apply a patch to your private source tree. Maybe because you want to try a patch from someone on the developer mailing list, or you want to check your own patch before submitting.

Beware line endings

If you have problems applying a patch, make sure the line endings (CR/LF) of the patch and your source files match.

3.10.1. Using patch

Given the file new.diff containing a unified diff, the right way to call the patch tool depends on what the pathnames in new.diff look like. If they’re relative to the top-level source directory (for example, if a patch to prefs.c just has prefs.c as the file name) you’d run it as:

$ patch -p0 < new.diff

If they’re relative to a higher-level directory, you’d replace 0 with the number of higher-level directories in the path, e.g. if the names are wireshark.orig/prefs.c and wireshark.mine/prefs.c, you’d run it with:

$ patch -p1 < new.diff

If they’re relative to a subdirectory of the top-level directory, you’d run patch in that directory and run it with -p0.

If you run it without -pat all, the patch tool flattens path names, so that if you have a patch file with patches to Makefile.am and wiretap/Makefile.am, it’ll try to apply the first patch to the top-level Makefile.am and then apply the wiretap/Makefile.am patch to the top-level Makefile.am as well.

At which position in the filesystem should the patch tool be called?

Work with the Wireshark sources

If the pathnames are relative to the top-level source directory, or to a directory above that directory, you’d run it in the top-level source directory.

If they’re relative to a subdirectory — for example, if somebody did a patch to packet-ip.c and ran diff or git diff in the epan/dissectors directory — you’d run it in that subdirectory. It is preferred that people not submit patches like that, especially if they’re only patching files that exist in multiple directories such as Makefile.am.

3.11. Binary packaging

Delivering binary packages makes it much easier for the end-users to install Wireshark on their target system. This section will explain how the binary packages are made.

3.11.1. Debian: .deb packages

The Debian Package is built using dpkg-buildpackage, based on information found in the source tree under debian. See http://www.debian-administration.org/articles/336for a more in-depth discussion of the build process.

In the wireshark directory, type:

$ dpkg-buildpackage -rfakeroot -us -uc

to build the Debian Package.

3.11.2. Red Hat: .rpm packages

The RPM is built using rpmbuild (http://www.rpm.org/), which comes as standard on many flavours of Linux, including Red Hat and Fedora. The process creates a clean build environment in packaging/rpm/

BUILD every time the RPM is built. The settings controlling the build are in packaging/rpm/SPECS/ wireshark.spec.in. After editing the settings in this file, ./configure must be run again in the wireshark

directory to generate the actual specification script.

Careful with that configure setting

The SPEC file contains settings for the configure used to set the RPM build environment. These are mostly independent of any settings passed to the usual Wireshark ./configure. The exceptions to this rule are:

• The prefix given to configure --prefix is passed to rpmbuild.

• The selection of the GUI (Qt, Gtk+, or both) is passed to rpmbuild.

• The selection of whether to include Lua support is passed to rpmbuild.

In the wireshark directory, type:

$ make rpm-package

to build the RPM and source RPM. Once it is done, there will be a message stating where the built RPM can be found.

This might take a while

Because this does a clean build as well as constructing the package this can take quite a long time. Suggestion: add the following to your ~/.rpmmacros file to allow parallel builds:

Work with the Wireshark sources

%_smp_mflags -j %(grep -c processor /proc/cpuinfo)

Build requirements differ from run requirements

Building the RPM requires building a source distribution which itself requires the Qt development tools uic and moc. These can usually be obtained by installing the qt-devel package.

3.11.3. OS X: .dmg packages

The OS X Package is built using OS X packaging tools, based on information found in the source tree under packaging/macosx.

In the wireshark directory, type:

$ make osx-package

to build the OS X Package.

3.11.4. Win32: NSIS .exe installer

The Nullsoft Install System is a free installer generator for Win32 based systems; instructions how to install it can be found in Section 4.17, “Windows: NSIS (optional)”. NSIS is script based, you will find the Wireshark installer generation script at: packaging/nsis/wireshark.nsi.

When building with CMake you must first build the nsis_package_prep target, followed by the nsis_package target, e.g.

> msbuild /m /p:Configuration=RelWithDebInfo nsis_package_prep.vcxproj > msbuild /m /p:Configuration=RelWithDebInfo nsis_package.vcxproj

Splitting the packaging projects in this way allows for code signing.

This might take a while

Please be patient while the package is compressed. It might take some time, even on fast machines.

If everything went well, you will now find something like: wireshark-setup-2.1.0.exe in the packaging/ nsis directory in the source tree.

3.11.5. Win32: PortableApps .paf.exe package

PortableApps.com is an environment that lets users run popular applications from portable media such as flash drives and cloud drive services.

Install the PortableApps.com Platform. Install for ``all users``, which will place it in C: \PortableApps. Add the following apps:

• NSIS Portable (Unicode)

• PortableApps.com Installer

• PortableApps.com Launcher

• PortableApps.com AppCompactor

Work with the Wireshark sources

When building with CMake you must first build the nsis_package_prep target (which takes care of general packaging dependencies), followed by the portableapps_package target, e.g.

> msbuild /m /p:Configuration=RelWithDebInfo nsis_package_prep.vcxproj > msbuild /m /p:Configuration=RelWithDebInfo portableapps_package.vcxproj

This might take a while

Please be patient while the package is compressed. It might take some time, even on fast machines.

If everything went well, you will now find something like: WiresharkPortable_2.1.paf.exe in the packaging/portableapps directory.

Chapter 4. Tool Reference

4.1. Introduction

This chapter will provide you with information about the various tools needed for Wireshark development. None of the tools mentioned in this chapter are needed to run Wireshark; they are only needed to build it. Most of these tools have their roots on UNIX like platforms, but Windows ports are also available.

Therefore the tools are available in different "flavours":

• UNIX (or Windows Cygwin): the tools should be commonly available on the supported UNIX platforms, and for Windows platforms by using the Cygwin UNIX emulation

• Windows native: some tools are available as native Windows tools, no special emulation is required. Many of these tools can be installed (and updated) using Chocolatey, a Windows package manager similar to the Linux package managers apt-get or yum.

Follow the directions

Unless you know exactly what you are doing, you should strictly follow the recommendations given in Chapter 2, Quick Setup.

The following sections give a very brief description of what a particular tool is doing, how it is used in the Wireshark project and how it can be installed and tested.

Documentation for these tools is outside the scope of this document. If you need further information on using a specific tool you should find lots of useful information on the web, as these tools are commonly used. You can also get help for the UNIX based tools with toolname --help or the man page via man toolname.

You will find explanations of the tool usage for some of the specific development tasks in Chapter 3, Work

with the Wireshark sources.

4.2. Windows PowerShell

PowerShell 2.0 or later is required for building Wireshark and the NSIS package. Windows 7 and later include compatible versions.

www.microsoft.com/powershell

4.3. Chocolatey

Chocolatey is a Windows package manager that can be used to install (and update) many of the packages required for Wireshark development. Chocolatey can be obtained from the website or from a DOS command prompt:

C:\>@powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))" && SET PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin

or a Powershell prompt:

Tool Reference

PS:\>iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))

4.4. Windows: Cygwin

Cygwin provides a lot of UNIX based tools on the Windows platform. It uses a UNIX emulation layer which might be a bit slower compared to the native Windows tools, but at an acceptable level. The installation and update is pretty easy and done through a single utility, setup-x86.exe for 32-bit Windows and setup-x86_64.exe for 64-bit Windows.

The native Windows tools will typically be a bit faster but more complicated to install, as you would have to download the tools from different web sites and install and configure them individually.

You must have Cygwin installed

As there’s no Windows native bash version available, at least a basic installation of Cygwin is required in any case. This may change in the future as packaging systems such as NuGet and Chocolatey mature.

Although Cygwin consists of several separate packages, the installation and update is done through a single utility, setup-x86.exe or setup-x86_64.exe, which acts similarly to other web based installers. Alternatively you can install Cygwin and its packages using Chocolatey.

4.4.1. Installing Cygwin using the Cygwin installer

You will find setup-x86.exe, for 32-bit systems, and setup-x86_64.exe, for 64-bit systems, at http://

www.cygwin.com/install.html. Click on the link for the appropriate setup utility to download it. After the

download completes, run it. All tools will be installed into one base folder. The default is C:\cygwin. The setup utility will ask you for some settings. The defaults should usually work well, at least initially. If, at the "Choose A Download Source" page, you use the default "Install from Internet" setting, you will

need to choose a download site at the "Choose A Download Site" page. See the list of mirror sites at http:

//cygwin.com/mirrors.html to choose a download site appropriate to your location.

At the "Select Packages" page, you’ll need to select some additional packages, which are not installed by default. Navigate to the required Category/Package row and click on the "Skip" item in the "New" column so it shows a version number for the required package.

After clicking the Next button several times the setup will then download and install the selected packages (this may take a while, depending on the package size).

Under: Start#Programs#Cygwin#Cygwin Bash Shell you should now be able to start a new Cygwin bash shell, which is similar to the standard Windows command line interpreters (command.com / cmd.exe) but much more powerful.

4.4.2. Add/Update/Remove Cygwin Packages

If you want to add, update, or remove packages later you can do so by running the setup utility again. At the "Select Packages" page, the entry in the "New" column will control what is done (or not) with the package. If a new version of a package is available, the new version number will be displayed, so it will be automatically updated. You can change the current setting by simply clicking at it, it will change between:

• A specific version number. This specific package version will be installed.

Tool Reference

• Skip. Not installed, no changes.

• Keep. Already installed, no changes.

• Uninstall. Uninstall this package.

• Reinstall. Reinstall this package.

4.4.3. Installing Cygwin using Chocolatey

Chocolatey supports Cygwin as an external package source. To install Cygwin itself run

PS$>choco install cygwin # You might also need to install cyg-get: PS$>choco install cyg-get

Chocolatey installs Cygwin in C:\tools\cygwin by default. One or more Cygwin packages can be installed using "-source cygwin":

PS$>choco install sed asciidoc -source cygwin

4.5. GNU compiler toolchain (UNIX only)

4.5.1. gcc (GNU compiler collection)

The GCC C compiler is available for most of the UNIX-like platforms. If GCC isn’t already installed or available as a package for your platform, you can get it at: http://

gcc.gnu.org/.

After correct installation, typing at the bash command line prompt:

$ gcc --version

should result in something like

gcc (Ubuntu 4.9.1-16ubuntu6) 4.9.1 Copyright (C) 2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Your version string may vary, of course.

4.5.2. gdb (GNU project debugger)

GDB is the debugger for the GCC compiler. It is available for many (if not all) UNIX-like platforms. If you don’t like debugging using the command line there are some GUI frontends for it available, most

notably GNU DDD. If gdb isn’t already installed or available as a package for your platform, you can get it at: http://

www.gnu.org/software/gdb/gdb.html.

After correct installation:

$ gdb --version

should result in something like:

Tool Reference

GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs Copyright (C) 2014 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word".

Your version string may vary, of course.

4.5.3. ddd (GNU Data Display Debugger)

The GNU Data Display Debugger is a good GUI frontend for GDB (and a lot of other command line debuggers), so you have to install GDB first. It is available for many UNIX-like platforms.

If GNU DDD isn’t already installed or available as a package for your platform, you can get it at: http:

//www.gnu.org/software/ddd/.

4.5.4. make (GNU Make)

Note

GNU Make is available for most of the UNIX-like platforms.

If GNU Make isn’t already installed or available as a package for your platform, you can get it at: http:

//www.gnu.org/software/make/.

After correct installation:

$ make --version

should result in something like:

GNU Make 4.0 Built for x86_64-pc-linux-gnu Copyright (C) 1988-2013 Free Software Foundation, Inc. Licence GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.

Your version string may vary, of course.

4.6. Microsoft compiler toolchain (Windows native)

To compile Wireshark on Windows using the Microsoft C/C++ compiler, you’ll need:

1. C compiler (cl.exe)

2. Assembler (ml.exe for 32-bit targets and ml64.exe for 64-bit targets)

Tool Reference

3. Linker (link.exe)

4. C runtime headers and libraries (e.g. stdio.h, msvcrt.lib)

5. Windows platform headers and libraries (e.g. windows.h, WSock32.lib)

6. HTML help headers and libraries (htmlhelp.h, htmlhelp.lib)

4.6.1. Toolchain Package Alternatives

The Wireshark 2.0.x releases are compiled using Microsoft Visual C++ 2013. The official Wireshark

1.12.x and 1.10.x releases are compiled using Microsoft Visual C++ 2010 SP1. The official 1.8 releases

were compiled using Microsoft Visual C++ 2010 SP1 as well. The official 1.6, 1.4, and 1.2 releases were compiled using Microsoft Visual C++ 2008 SP1. Other past releases, including the 1.0 branch, were compiled using Microsoft Visual C++ 6.0.

Using the release compilers is recommended for Wireshark development work. The older "Express Edition" compilers such as Visual C++ 2010 Express Edition SP1 can be used but

any PortableApps packages you create with them will require the installation of a separate Visual C ++ Redistributable package on any machine on which the PortableApps package is to be used. See

Section 4.6.4, “C-Runtime "Redistributable" Files” below for more details.

However, you might already have a different Microsoft C++ compiler installed. It should be possible to use any of the following with the considerations listed:

Visual C++ 2013 Community Edition

IDE + Debugger? Yes Purchase required? Free Download SDK required for 64-bit builds? No CMake Generator: Visual Studio 12

Visual C++ 2010 Express Edition

IDE + Debugger? Yes Purchase required? Free Download SDK required for 64-bit builds? Yes. CMake Generator: Visual Studio 10 Remarks Installers created using express editions require a C++ redistributable vcredist_x86.exe

(3MB free download) is required to build Wireshark-win32-2.1.x.exe, and

vcredist_x64.exe is required to build Wireshark-win64-2.1.x.exe. The version of vcredist_x86.exe or vcredist_x64.exe must match the version for your compiler including

any service packs installed for the compiler.]

Visual Studio 2010

IDE + Debugger? Yes Purchase required? Yes

SDK required for 64-bit builds? No

CMake Generator: Visual Studio 10

Remarks Building a 64-bit installer requires a a C++ redistributable

(vcredist_x86.exe).footnoteref[vcredist]

You can use Chocolatey to install Visual Studio, e.g:

PS:\> choco install VisualStudioCommunity2013

4.6.2. cl.exe (C Compiler)

The following table gives an overview of the possible Microsoft toolchain variants and their specific C compiler versions ordered by release date.

Compiler Package cl.exe _MSC_VER CRT DLL Visual Studio 2013 12.0 1800 msvcr120.dll Visual Studio 2010 10.0 1600 msvcr100.dll

After correct installation of the toolchain, typing at the Visual Studio Command line prompt (cmd.exe):

Tool Reference

> cl

should result in something like:

usage: cl [ option... ] filename... [ /link linkoption...

However, the version string may vary.

Documentation on the compiler can be found at Microsoft MSDN

4.6.3. link.exe (Linker)

After correct installation, typing at the Visual Studio Command line prompt (cmd.exe):

> link

should result in something like:

usage: LINK [options] [files] [@commandfile] ...

However, the version string may vary.

Documentation on the linker can be found at Microsoft MSDN

4.6.4. C-Runtime "Redistributable" Files

Please note: The following is not legal advice - ask your preferred lawyer instead. It’s the authors view and this view might be wrong.

Tool Reference

Depending on the Microsoft compiler version you use, some binary files coming from Microsoft might be required to be installed on Windows machine to run Wireshark. On a developer machine, the compiler setup installs these files so they are available - but they might not be available on a user machine!

This is especially true for the C runtime DLL (msvcr*.dll), which contains the implementation of ANSI and alike functions, e.g.: fopen(), malloc(). The DLL is named like: msvcr’version'.dll, an abbreviation for "MicroSoft Visual C Runtime". For Wireshark to work, this DLL must be available on the users machine.

Starting with MSVC7, it is necessary to ship the C runtime DLL (msvcr’version'.dll) together with the application installer somehow, as that DLL is possibly not available on the target system.

Make sure you’re allowed to distribute this file

The files to redistribute must be mentioned in the redist.txt file of the compiler package. Otherwise it can’t be legally redistributed by third parties like us.

The following MSDN link is recommended for the interested reader:

• Redistributing Visual C++ Files

In all cases where vcredist_x86.exe or vcredist_x64.exe is downloaded it should be downloaded to the directory into which the support libraries for Wireshark have been downloaded and installed. This directory is specified by the WIRESHARK_BASE_DIR or WIRESHARK_LIB_DIR environment variables. It need not, and should not, be run after being downloaded.

4.6.4.1. msvcr120.dll / vcredist_x86.exe / vcredist_x64.exe - Version

12.0 (2013)

There are three redistribution methods that MSDN mentions for MSVC 2013 (see: "Choosing a

Deployment Method"):

1. Using Visual C++ Redistributable Package. The Microsoft libraries are installed by copying

vcredist_x64.exe or vcredist_x86.exe to the target machine and executing it on that machine (MSDN recommends this for applications built with Visual Studio 2013)

2. Using Visual C++ Redistributable Merge Modules. (Loadable modules for building msi installers. Not

suitable for Wireshark’s NSIS based installer)

3. Install a particular Visual C++ assembly as a private assembly for the application. The Microsoft

libraries are installed by copying the folder content of Microsoft.VC120.CRT to the target directory (e.g. C:\Program Files\Wireshark)

To save installer size, and to make a portable version of Wireshark (which must be completely selfcontained, on a medium such as a flash drive, and not require that an installer be run to install anything on the target machine) possible, when building 32-bit Wireshark with MSVC2013, method 3 (copying the content of Microsoft.VC120.CRT) is used (this produces the smallest package).

4.6.5. Windows (Platform) SDK

The Windows Platform SDK (PSDK) or Windows SDK is a free (as in beer) download and contains platform specific headers and libraries (e.g. windows.h, WSock32.lib, etc.). As new Windows features evolve in time, updated SDK’s become available that include new and updated APIs.

When you purchase a commercial Visual Studio or use the Community Edition, it will include an SDK. The free Express (as in beer) downloadable C compiler versions (VC++ 2012 Express, VC++ 2012 Express,

Tool Reference

etc.) do not contain an SDK — you’ll need to download a PSDK in order to have the required C header files and libraries.

Older versions of the SDK should also work. However, the command to set the environment settings will be different, try search for SetEnv.* in the SDK directory.

4.6.6. HTML Help

HTML Help is used to create the User’s and Developer’s Guide in .chm format and to show the User’s Guide as the Wireshark "Online Help".

Both features are currently optional, and might be removed in future versions.

4.6.6.1. HTML Help Compiler (hhc.exe)

This compiler is used to generate a .chm file from a bunch of HTML files — in our case to generate the User’s and Developer’s Guide in .chm format.

The compiler is only available as the free (as in beer) "HTML Help Workshop" download. If you want to compile the guides yourself, you need to download and install this. If you don’t install it into the default directory, you may also have a look at the HHC_DIR setting in the file docbook/Makefile.

4.6.6.2. HTML Help Build Files (htmlhelp.c / htmlhelp.lib)

The files htmlhelp.c and htmlhelp.lib are required to be able to open .chm files from Wireshark and show the online help. Both files are part of the SDK (standalone (P)SDK or MSVC since 2002).

4.6.7. Debugger

Using a good debugger can save you a lot of development time. The debugger you use must match the C compiler Wireshark was compiled with, otherwise the debugger

will simply fail or you will only see a lot of garbage.

4.6.7.1. Visual Studio integrated debugger

You can use the integrated debugger of Visual Studio if your toolchain includes it. Open the solution in your build directory and build and debug as normal with a Visual Studio solution.

The normal build is an optimised release version so debugging can be a bit difficult as variables are optimised out into registers and the execution order of statements can jump around.

If you require a non-optimised version, then build using a debug configuration.

4.6.7.2. Debugging Tools for Windows

You can also use the Microsoft Debugging Tools for Windows toolkit, which is a standalone GUI debugger. Although it’s not that comfortable compared to debugging with the Visual Studio integrated debugger it can be helpful if you have to debug on a machine where an integrated debugger is not available.

You can get it free of charge from Microsoft in several ways, see the Debugging tools for Windows page. You can also use Chocolatey to install WinDbg:

PS:\> choco install windbg

Tool Reference

To debug Wireshark using WinDbg, open the built copy of Wireshark using the File → Open Executable… menu, i.e. C:\Development\wsbuild32\run\RelWithDebInfo\Wireshark.exe. To set a breakpoint open the required source file using the File → Open Source File… menu and then click on the required line and press F9. To run the program, press F5.

If you require a non-optimised version, then build using a debug configuration, e.g. msbuild /m / p:Configuration=Debug Wireshark.sln. The build products will be found in C:\Development \wsbuild32\run\RelWithDebInfo\.

4.7. bash

The bash shell is needed to run several shell scripts.

4.7.1. UNIX and Cygwin: GNU bash

The bash shell is available for most of the UNIX-like platforms and as the bash package from the Cygwin

setup.

If bash isn’t already installed or available as a package for your platform, you can get it at http://

www.gnu.org/software/bash/bash.html.

After correct installation, typing at the bash command line prompt:

$ bash --version

should result in something like:

However, the version string may vary.

4.7.2. Windows native:

This section not yet written

4.8. Python

Python is an interpreted programming language. The homepage of the Python project is http://python.org/. It is used to generate some source files. Python 2.5 or later (including Python 3) should work fine but Python 2.7 is recommended.

Python is either included or available as a package on most UNIX-like platforms. Windows packages and source are available at http://python.org/download/. The Cygwin Python package is not recommended since /usr/bin/python is a symbolic link, which causes confusion outside Cygwin.

You can also use Chocolatey to install Python:

PS:\> choco install Python2

Chocolatey installs Python 2 into C:\tools\python2 by default. You can verify your Python version by running

$ python --version

Tool Reference

on UNIX and Linux and

rem Official package C:> cd python27 C:Python27> python --version

rem Chocolatey C:> cd \tools\python2 C:\tools\python2> python --version

on Windows. You should see something like

Python 2.7.9

Your version string may vary of course.

4.9. Perl

Perl is an interpreted programming language. The homepage of the Perl project is http://www.perl.com. Perl is used to convert various text files into usable source code. Perl version 5.6 and above should work fine.

4.9.1. UNIX and Cygwin: Perl

Perl is available for most of the UNIX-like platforms and as the perl package from the Cygwin setup. If perl isn’t already installed or available as a package for your platform, you can get it at http://

www.perl.com/.

After correct installation, typing at the bash command line prompt:

$ perl --version

should result in something like:

This is perl, v5.8.7 built for cygwin-thread-multi-64int (with 1 registered patch, see perl -V for more detail)

Perl may be copied only under the terms of either the Artistic License or the GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on this system using `man perl' or `perldoc perl'. If you have access to the Internet, point your browser at http://www.perl.com/, the Perl Home Page.

However, the version string may vary.

4.10. sed

Sed it the streaming editor. It makes it easy for example to replace text inside a source code file. The Wireshark build process uses this to stamp version strings in various places.

4.10.1. UNIX and Cygwin: sed

Sed is available for most of the UNIX-like platforms and as the sed package from the Cygwin setup. It is also available via Chocolatey:

Tool Reference

PS$>choco install sed -source cygwin

If sed isn’t already installed or available as a package for your platform, you can get it at http://

directory.fsf.org/GNU/sed.html

After correct installation, typing at the bash command line prompt:

$ sed --version

should result in something like:

GNU sed version 4.1.5 Copyright (C) 2003 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE, to the extent permitted by law.

However, the version string may vary.

4.10.2. Windows native: sed

A native Windows sed package can be obtained from http://gnuwin32.sourceforge.net/. The installation should be straightforward. A Chocolatey package (devbox-sed) is available but has not been tested.

4.11. Bison

Bison is a parser generator used for some of Wireshark’s file format support.

4.11.1. UNIX or Cygwin: bison

Bison is available for most UNIX-like platforms and as the bison package from Cygwin. See the next section for native Windows options.

If GNU Bison isn’t already installed or available as a package for your platform you can get it at: http://

www.gnu.org/software/bison/bison.html.

After correct installation running the following

$ bison --version

should result in something like:

bison (GNU Bison) 2.3 Written by Robert Corbett and Richard Stallman.

Your version string may vary.

4.11.2. Windows Native: Win flex-bison and bison

A native Windows version of bison is available in the winflexbison Chocolatey package. Note that the executable is named win_bison.

Native packages are available from other sources such as GnuWin. They aren’t officially supported but should work.

Tool Reference

4.12. Flex

Flex is a lexical analyzer generator used for Wireshark’s display filters, some file formats, and other features.

4.12.1. UNIX or Cygwin: flex

Flex is available for most UNIX-like platforms and as the flex package from Cygwin. See the next section for native Windows options.

If GNU flex isn’t already installed or available as a package for your platform you can get it at http://

www.gnu.org/software/flex/.

After correct installation running the following

$ flex --version

should result in something like:

flex version 2.5.4

Your version string may vary.

4.12.2. Windows Native: Win flex-bison and flex

A native Windows version of flex is available in the winflexbison Chocolatey package. Note that the executable is named win_flex.

PS:\>choco install winflexbison

Native packages are available from other sources such as GnuWin. They aren’t officially supported but should work.

4.13. Git client

The Wireshark project uses its own Git repository to keep track of all the changes done to the source code. Details about the usage of Git in the Wireshark project can be found in Section 3.2, “The Wireshark Git

repository”.

If you want to work with the source code and are planning to commit your changes back to the Wireshark community, it is recommended to use a Git client to get the latest source files. For detailed information about the different ways to obtain the Wireshark sources, see Section 3.3, “Obtain the Wireshark sources”.

You will find more instructions in Section 3.3.1, “Git over SSH or HTTPS” on how to use the Git client.

4.13.1. UNIX or Cygwin: git

Git is available for most of the UNIX-like platforms and as the Git package from the Cygwin setup If Git isn’t already installed or available as a package for your platform, you can get it at: http://git-

scm.com/.

After correct installation, typing at the bash command line prompt:

$ git --version

Tool Reference

should result in something like:

git version 1.8.3.4

Your version will likely be different.

4.13.2. Windows native: git

The Git command line tools for Windows can be found at http://git-scm.com/download/win and can also be installed using Chocolatey:

PS:\> choco install git

After correct installation, typing at the command line prompt (cmd.exe):

$ git --version

should result in something like:

git version 1.8.3.4

However, the version string may vary.

4.14. Git Powershell Extensions (optional)

A useful tool for command line git on Windows is PoshGit. Poshgit provides git command completion and alters the prompt to indicate the local working copy status. You can install it using Chocolatey:

PS:\>choco install poshgit

4.15. Git GUI client (optional)

Along with the traditional command-line client, several GUI clients are available for a number of platforms. See http://git-scm.com/downloads/guis for details.

4.16. patch (optional)

The patch utility is used to merge a diff file into your own source tree. This tool is only needed, if you want to apply a patch (diff file) from someone else (probably from the developer mailing list) to try out in your own private source tree.

It most cases you may not need the patch tool installed. Git and Gerrit should handle patches for you. You will find more instructions in Section 3.10, “Apply a patch from someone else”on how to use the

patch tool.

4.16.1. UNIX and Cygwin: patch

Patch is available for most of the UNIX-like platforms and as the patch package from the Cygwin setup. If GNU patch isn’t already installed or available as a package for your platform, you can get it at http://

www.gnu.org/software/patch/patch.html.

After correct installation, typing at the bash command line prompt:

$ patch --version

Tool Reference

should result in something like:

This program comes with NO WARRANTY, to the extent permitted by law. You may redistribute copies of this program under the terms of the GNU General Public License. For more information about these matters, see the file named COPYING.

written by Larry Wall and Paul Eggert

However, the version string may vary.

4.16.2. Windows native: patch

The Windows native Git tools provide patch. A native Windows patch package can be obtained from http:

//gnuwin32.sourceforge.net/. The installation should be straightforward.

4.17. Windows: NSIS (optional)

The NSIS (Nullsoft Scriptable Install System) is used to generate wireshark-win32-2.1.x.exe from all the files needed to be installed, including all required DLLs, plugins, and supporting files.

To install it, download the latest released version (currently 2.46) from http://nsis.sourceforge.net and start the downloaded installer. You will need NSIS version 2. Version 3 is not yet supported. You can also install it using Chocolatey:

PS$> choco install nsis

You can find more instructions on using NSIS in Section 3.11.4, “Win32: NSIS .exe installer”.

4.18. Windows: PortableApps (optional)

The PortableApps.com Installer is used to generate WiresharkPortable-2.1.paf.exe from all the files needed to be installed, including all required DLLs, plugins, and supporting files.

To install it, do the following:

• Download the latest PortableApps.com Platform release from http://portableapps.com/.

• Install the following applications in the PortableApps.com environment:

• PortableApps.com Installer

• PortableApps.com Launcher

• NSIS Portable (Unicode)

• PortableApps.com AppCompactor

You can find more instructions on using the PortableApps.com Installer in Section 3.11.5, “Win32:

PortableApps .paf.exe package”.

Chapter 5. Library Reference

5.1. Introduction

Several libraries are needed to build and run Wireshark. Most of them are split into three packages:

1. Runtime. System and third party libraries such as MSVCR110.dll and libglib-2.0-0.dll.

2. Developer. Documentation, header files, import libraries, and other files needed for compilation.

3. Source. Library sources, which are usually not required to build Wireshark.

Our libraries are freely available

All libraries required to build Wireshark on Windows are available for download at https://anonsvn.wireshark.org/wireshark-win32-libs/trunk/packages/ and https:

//anonsvn.wireshark.org/wireshark-win64-libs/trunk/packages/. See Section 5.3, “Win32: Automated library download” for an easier way to install them.

5.2. Binary library formats

Binary libraries are available in different formats, depending on the C compiler used to build it and of course the platform they were built for.

5.2.1. Unix

If you have installed unix binary libraries on your system, they will match the C compiler. If not already installed, the libraries should be available as a package from the platform installer, or you can download and compile the source and then install the binaries.

5.2.2. Win32: MSVC

Most of the Win32 binary libraries you will find on the web are in this format. You will recognize MSVC libraries by the .lib/.dll file extension.

5.2.3. Win32: cygwin gcc

Cygwin provides most of the required libraries (with file extension .a or .lib) for Wireshark suitable for cygwin’s gcc compiler.

5.3. Win32: Automated library download

The required libraries (apart from Qt) are automatically downloaded as part of the CMake generation step, and subsequently as required when libraries are updated.

The libraries are downloaded into the directory indicated by the environment variable WIRESHARK_BASE_DIR, this must be set appropriately for your environment. The libraries are downloaded and extracted into WIRESHARK_BASE_DIR\wireshark-win32-libs and WIRESHARK_BASE_DIR\wireshark-win64-libs for 32 and 64 bit builds respectively.

You may also directly set the library directory with the environment variable WIRESHARK_LIB_DIR, but if you switch between 32 bit and 64 bit builds, the value of this must be set appropriately.

5.4. Qt

The Qt library is used to build the UI for Wireshark and is used to provide a platform independent UI. For more information on the Qt libraries, see Section 12.2, “The Qt Application Framework”.

5.4.1. Unix

TBD.

5.4.2. Win32 MSVC

Qt5 must be installed manually, from the Qt installers page http://www.qt.io/download-open-source/

#section-2, using the version of Qt appropriate for your compiler. Note that separate installations

(into different directories) of Qt are required for 32 bit and 64 bit builds. The environment variable QT5_BASE_DIR should be set as appropriate for your environment and should point to the Qt directory that contains the bin directory, e.g. C:\Qt\Qt5.5.0\5.5\msvc2013

Library Reference

5.5. GTK+ / GLib / GDK / Pango / ATK / GNU gettext / GNU libiconv

The Glib library is used as a basic platform abstraction library, it’s not related to graphical user interface (GUI) things. For a detailed description about GLib, see Section 7.3, “The GLib library”.

The GTK and its dependent libraries are used to build the older, deprecated, Wireshark GUI. For a detailed description of the GTK libraries, see Section 12.3, “The GTK library”.

All other libraries are dependent on the two libraries mentioned above, you will typically not come in touch with these while doing Wireshark development.

As the requirements for the GLib/GTK libraries have increased in the past, the required additional libraries depend on the GLib/GTK versions you have. The 2.x versions require all mentioned libs.

5.5.1. Unix

The GLib/GTK+ libraries are available for many unix-like platforms and Cygwin.

If these libraries aren’t already installed and also aren’t available as a package for your platform, you can get them at http://www.gtk.org/download.html.

5.5.2. Win32 MSVC

You can get the latest version at http://www.gtk.org/download.html.

5.6. SMI (optional)

LibSMI is used for MIB and PIB parsing and for OID resolution.

5.6.1. Unix

If this library isn’t already installed or available as a package for your platform, you can get it at http://

www.ibr.cs.tu-bs.de/projects/libsmi/.

5.6.2. Win32 MSVC

Wireshark uses the source libSMI distribution at http://www.ibr.cs.tu-bs.de/projects/libsmi/. LibSMI is cross-compiled using MinGW32. It’s stored in the libsmi zip archive at https://anonsvn.wireshark.org/

wireshark-win32-libs/trunk/packages/.

5.7. c-ares (optional)

C-Ares is used for asynchronous DNS resolution. This is the primary name resolution library in Wireshark.

5.7.1. Unix

If this library isn’t already installed or available as a package for your platform, you can get it at http://

c-ares.haxx.se/.

Library Reference

5.7.2. Win32 MSVC

C-Ares is cross-compiled using MinGW32 and is available at https://anonsvn.wireshark.org/wireshark-

win32-libs/trunk/packages/.

5.8. zlib (optional)

zlib is designed to be a free, general-purpose, legally unencumbered — that is, not covered by any patents — lossless data-compression library for use on virtually any computer hardware and operating system.

— The zlib web site http://www.zlib.net/

5.8.1. Unix

This library is almost certain to be installed on your system. If it isn’t or you don’t want to use the default library you can download it from http://www.zlib.net/.

5.8.2. Win32 MSVC

The zlib sources are downloaded from https://anonsvn.wireshark.org/wireshark-win32-libs/trunk/

packages/ and compiled locally.

5.9. libpcap/WinPcap (optional)

Libpcap and WinPcap provide that packet capture capabilities that are central to Wireshark’s core functionality.

5.9.1. Unix: libpcap

If this library isn’t already installed or available as a package for your platform, you can get it at http://

www.tcpdump.org/.

Library Reference

5.9.2. Win32 MSVC: WinPcap

You can get the "Windows packet capture library" at: https://www.winpcap.org/install/

5.10. GnuTLS (optional)

The GNU Transport Layer Security Library is used to dissect SSL and TLS protocols (aka: HTTPS).

5.10.1. Unix

If this library isn’t already installed or available as a package for your platform, you can get it at https://

www.gnu.org/software/gnutls/download.html.

5.10.2. Win32 MSVC

We provide a package cross-compiled using MinGW32 at https://anonsvn.wireshark.org/wireshark-

win32-libs/trunk/packages/.

5.11. Gcrypt (optional)

The Gcrypt Library is a low-level encryption library that provides support for many ciphers, such as DES, 3DES, AES, Blowfish, and others..

5.11.1. Unix

If this library isn’t already installed or available as a package for your platform, you can get it at https:

//directory.fsf.org/wiki/Libgcrypt.

5.11.2. Win32 MSVC

Part of our GnuTLS package.

5.12. Kerberos (optional)

The Kerberos library is used to dissect Kerberos, sealed DCERPC and secureLDAP protocols.

5.12.1. Unix

If this library isn’t already installed or available as a package for your platform, you can get it at http://

web.mit.edu/Kerberos/dist/.

5.12.2. Win32 MSVC

We provide a package at https://anonsvn.wireshark.org/wireshark-win32-libs/trunk/packages/.

5.13. LUA (optional)

The LUA library is used to add scripting support to Wireshark.

Library Reference

5.13.1. Unix

If this library isn’t already installed or available as a package for your platform, you can get it at http://

www.lua.org/download.html.

5.13.2. Win32 MSVC

We provide a copy of the official package at https://anonsvn.wireshark.org/wireshark-win32-libs/trunk/

packages/.

5.14. PortAudio (optional)

The PortAudio library enables audio output for RTP streams.

5.14.1. Unix

If this library isn’t already installed or available as a package for your platform, you can get it at http://

www.portaudio.com/download.html.

5.14.2. Win32 MSVC

The PortAudio sources are downloaded from https://anonsvn.wireshark.org/wireshark-win32-libs/trunk/

packages/ and compiled locally.

5.15. GeoIP (optional)

MaxMind Inc. publishes a GeoIP database for use in open source software. It can be used to map IP addresses to geographical locations.

5.15.1. Unix

If this library isn’t already installed or available as a package for your platform, you can get it at http://

www.maxmind.com/app/c.

5.15.2. Win32 MSVC

We provide a package cross-compiled using MinGW32 at https://anonsvn.wireshark.org/wireshark-

win32-libs/trunk/packages/.

5.16. WinSparkle (optional)

WinSparkle is an easy-to-use software update library for Windows developers.

5.16.1. Win32 MSVC

We provide a copy of the WinSparkle package at https://anonsvn.wireshark.org/wireshark-win32-libs/

trunk/packages/.

Part II. Wireshark Development

Wireshark Development

The second part describes how the Wireshark sources are structured and how to change the sources such as adding a new dissector.

Chapter 6. How Wireshark Works

6.1. Introduction

This chapter will give you a short overview of how Wireshark works.

6.2. Overview

The following will give you a simplified overview of Wireshark’s function blocks:

Figure 6.1. Wireshark function blocks

This image is out of date. It is missing the utility library in wsutil and the Qt UI in ui/qt.

The function blocks in more detail: GTK+ 2:: Handling of all user input/output (all windows, dialogs and such). Source code can be found in the ui/gtk directory.

Core Main "glue code" that holds the other blocks together. Source code can

be found in the root directory.

Epan Ethereal Packet ANalyzer —the packet analyzing engine. Source code

can be found in the epan directory. Epan provides the following APIs:

• Protocol Tree. Dissection information for an individual packet.

• Dissectors. The various protocol dissectors in epan/dissectors.

• Dissector Plugins - Support for implementing dissectors as separate modules. Source code can be found in plugins.

• Display Filters - The display filter engine at epan/dfilter.

Wiretap The wiretap library is used to read and write capture files in libpcap,

pcapng, and many other file formats. Source code is in the wiretap directory.

Capture The interface with the capture engine. Source code is in the root

directory.

Dumpcap The capture engine itself. This is the only part that is to execute with

elevated privileges. Source code is in the root directory.

WinPcap and libpcap These are separate libraries that provide packet capture and filtering

support on different platforms. The filtering WinPcap and libpcap works at a much lower level than Wireshark’s display filters and uses a significantly different mechanism. That’s why we have different display and capture filter syntaxes.

How Wireshark Works

6.3. Capturing packets

Capturing takes packets from a network adapter and saves them to a file on your hard disk. Since raw network adapter access requires elevated privileges these functions are isolated into the

dumpcap program. It’s only this program that needs these privileges, allowing the main part of the code (dissectors, user interface, etc) to run with normal user privileges.

To hide all the low-level machine dependent details from Wireshark, the libpcap and WinPcap (see

Section 5.9, “libpcap/WinPcap (optional)”) libraries are used. These libraries provide a general purpose

interface to capture packets and are used by a wide variety of applications.

6.4. Capture Files

Wireshark can read and write capture files in its natural file formats, pcapng and pcap, which are used by many other network capturing tools, such as tcpdump. In addition to this, as one of its strengths, Wireshark can read and write files in many different file formats of other network capturing tools. The wiretap library, developed together with Wireshark, provides a general purpose interface to read and write all the file formats. If you need to add support for another capture file format this is the place to start.

6.5. Dissect packets

While Wireshark is loading packets from a file each packet is dissected. Wireshark tries to detect the packet type and gets as much information from the packet as possible. In this run though, only the information shown in the packet list pane is needed.

As the user selects a specific packet in the packet list pane this packet will be dissected again. This time, Wireshark tries to get every single piece of information and put it into the packet details pane.

Chapter 7. Introduction

7.1. Source overview

Wireshark consists of the following major parts:

• Packet dissection - in the /epan/dissector and /plugin/* directories

• File I/O - using Wireshark’s own wiretap library

• Capture - using the libpcap/winpcap library, in /wiretap

• User interface - using the Qt or GTK+ and associated libraries

• Utilities - miscellaneous helper code

• Help - using an external web browser and GTK text output

7.2. Coding Style

The coding style guides for Wireshark can be found in the "Code style" section of the file doc/ README.developer.

7.3. The GLib library

Glib is used as a basic platform abstraction library. It doesn’t provide any direct GUI functionality. To quote the Glib Reference Manual:

GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures.

GLib contains lots of useful things for platform independent development. See https://

developer.gnome.org/glib/ for details about GLib.

Chapter 8. Packet capturing

This chapter needs to be reviewed and extended.

8.1. How to add a new capture type to libpcap

The following is an updated excerpt from a developer mailing list mail about adding ISO 9141 and 14230 (simple serial line card diagnostics) to Wireshark:

For libpcap, the first thing you’d need to do would be to get DLT_* values for all the link-layer protocols you’d need. If ISO 9141 and 14230 use the same link-layer protocol, they might be able to share a DLT_* value, unless the only way to know what protocols are running above the link layer is to know which linklayer protocol is being used, in which case you might want separate DLT_* values.

For the rest of the libpcap discussion, I’ll assume you’re working with libpcap 1.0 or later and that this is on a UN*X platform. You probably don’t want to work with a version older than 1.0, even if whatever OS you’re using happens to include libpcap - older versions are not as friendly towards adding support for devices other than standard network interfaces.

Then you’d probably add to the pcap_open_live() routine, for whatever platform or platforms this code should work, something such as a check for device names that look like serial port names and, if the check succeeds, a call to a routine to open the serial port.

See, for example, the #ifdef HAVE_DAG_API code in pcap-linux.c and pcap-bpf.c. The serial port open routine would open the serial port device, set the baud rate and do anything else needed

to open the device. It’d allocate a pcap_t, set its fd member to the file descriptor for the serial device, set the snapshot member to the argument passed to the open routine, set the linktype member to one of the DLT_* values, and set the selectable_fd member to the same value as the fd member. It should also set the dlt_count member to the number of DLT_* values to support, and allocate an array of dlt_count u_int+s, assign it to the +dlt_list member, and fill in that list with all the DLT_* values.

You’d then set the various *_op fields to routines to handle the operations in question. read_op is the routine that’d read packets from the device. inject_op would be for sending packets; if you don’t care about that, you’d set it to a routine that returns an error indication. setfilter_op can probably just be set to install_bpf_program. set_datalink would just set the linktype member to the specified value if it’s one of the values for OBD, otherwise it should return an error. getnonblock_op can probably be set to pcap_getnonblock_fd. setnonblock_op can probably be set to pcap_setnonblock_fd. stats_op would be set to a routine that reports statistics. close_op can probably be set to pcap_close_common.

If there’s more than one DLT_* value, you definitely want a set_datalink routine so that the user can select the appropriate link-layer type.

For Wireshark, you’d add support for those DLT_* values to wiretap/libpcap.c, which might mean adding one or more WTAP_ENCAP types to wtap.h and to the encap_table[] table in wiretap/wtap.c. You’d then have to write a dissector or dissectors for the link-layer protocols or protocols and have them register themselves with the wtap_encap dissector table, with the appropriate WTAP_ENCAP values by calling dissector_add_uint().

Chapter 9. Packet dissection

9.1. How it works

Each dissector decodes its part of the protocol, and then hands off decoding to subsequent dissectors for an encapsulated protocol.

Every dissection starts with the Frame dissector which dissects the packet details of the capture file itself (e.g. timestamps). From there it passes the data on to the lowest-level data dissector, e.g. the Ethernet dissector for the Ethernet header. The payload is then passed on to the next dissector (e.g. IP) and so on. At each stage, details of the packet will be decoded and displayed.

Dissection can be implemented in two possible ways. One is to have a dissector module compiled into the main program, which means it’s always available. Another way is to make a plugin (a shared library or DLL) that registers itself to handle dissection.

There is little difference in having your dissector as either a plugin or built-in. On the Windows platform you have limited function access through the ABI exposed by functions declared as WS_DLL_PUBLIC.

The big plus is that your rebuild cycle for a plugin is much shorter than for a built-in one. So starting with a plugin makes initial development simpler, while the finished code may make more sense as a built-in dissector.

Read README.dissector

The file doc/README.dissector contains detailed information about implementing a dissector. In many cases it is more up to date than this document.

9.2. Adding a basic dissector

Let’s step through adding a basic dissector. We’ll start with the made up "foo" protocol. It consists of the following basic items.

• A packet type - 8 bits, possible values: 1 - initialisation, 2 - terminate, 3 - data.

• A set of flags stored in 8 bits, 0x01 - start packet, 0x02 - end packet, 0x04 - priority packet.

• A sequence number - 16 bits.

• An IPv4 address.

9.2.1. Setting up the dissector

The first decision you need to make is if this dissector will be a built-in dissector, included in the main program, or a plugin.

Plugins are the easiest to write initially, so let’s start with that. With a little care, the plugin can be made to run as a built-in easily too so we haven’t lost anything.

Example 9.1. Dissector Initialisation.

#include "config.h"

Packet dissection

#include <epan/packet.h>

#define FOO_PORT 1234

static int proto_foo = -1;

void proto_register_foo(void) { proto_foo = proto_register_protocol ( "FOO Protocol", /* name */ "FOO", /* short name */ "foo" /* abbrev */ ); }

Let’s go through this a bit at a time. First we have some boilerplate include files. These will be pretty constant to start with.

Next we have an int that is initialised to -1 that records our protocol. This will get updated when we register this dissector with the main program. It’s good practice to make all variables and functions that aren’t exported static to keep name space pollution down. Normally this isn’t a problem unless your dissector gets so big it has to span multiple files.

Then a #define for the UDP port that carries foo traffic. Now that we have the basics in place to interact with the main program, we’ll start with two protocol

dissector setup functions. First we’ll call proto_register_protocol() which registers the protocol. We can give it three

names that will be used for display in various places. The full and short name are used in e.g. the "Preferences" and "Enabled protocols" dialogs as well as the generated field name list in the documentation. The abbreviation is used as the display filter name.

Next we need a handoff routine.

Example 9.2. Dissector Handoff.

void proto_reg_handoff_foo(void) { static dissector_handle_t foo_handle;

foo_handle = create_dissector_handle(dissect_foo, proto_foo); dissector_add_uint("udp.port", FOO_PORT, foo_handle); }

What’s happening here? We are initialising the dissector. First we create a dissector handle; It is associated with the foo protocol and with a routine to be called to do the actual dissecting. Then we associate the handle with a UDP port number so that the main program will know to call us when it gets UDP traffic on that port.

The standard Wireshark dissector convention is to put proto_register_foo() and proto_reg_handoff_foo() as the last two functions in the dissector source.

Now at last we get to write some dissecting code. For the moment we’ll leave it as a basic placeholder.

Example 9.3. Dissection.

static void

Packet dissection

dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO"); /* Clear out stuff in the info column */ col_clear(pinfo->cinfo,COL_INFO); }

This function is called to dissect the packets presented to it. The packet data is held in a special buffer referenced here as tvb. We shall become fairly familiar with this as we get deeper into the details of the protocol. The packet info structure contains general data about the protocol, and we can update information here. The tree parameter is where the detail dissection takes place.

For now we’ll do the minimum we can get away with. In the first line we set the text of this to our protocol, so everyone can see it’s being recognised. The only other thing we do is to clear out any data in the INFO column if it’s being displayed.

At this point we should have a basic dissector ready to compile and install. It doesn’t do much at present, other than identify the protocol and label it.

In order to compile this dissector and create a plugin a couple of support files are required, besides the dissector source in packet-foo.c:

• Makefile.am - The UNIX/Linux makefile template.

• Makefile.common - Contains the file names of this plugin.

• CMakeLists.txt - Contains the CMake file and version info for this plugin.

• moduleinfo.h - Contains plugin version information.

• packet-foo.c - Your dissector source.

• plugin.rc.in - Contains the DLL resource template for Windows. You can find a good example for these files in the gryphon plugin directory. Makefile.common and

Makefile.am have to be modified to reflect the relevant files and dissector name. CMakeLists.txt has to be modified with the correct plugin name and version info, along with the relevant files to compile. In the main top-level source directory, copy CMakeListsCustom.txt.example to CMakeCustomLists.txt and add the path of your plugin to the list in CUSTOM_PLUGIN_SRC_DIR.

Compile the dissector to a DLL or shared library and either run Wireshark from the build directory as detailed in Section 3.6, “Run generated Wireshark” or copy the plugin binary into the plugin directory of your Wireshark installation and run that.

9.2.2. Dissecting the details of the protocol

Now that we have our basic dissector up and running, let’s do something with it. The simplest thing to do to start with is to just label the payload. This will allow us to set up some of the parts we will need.

The first thing we will do is to build a subtree to decode our results into. This helps to keep things looking nice in the detailed display. Now the dissector is called in two different cases. In one case it is called to get a summary of the packet, in the other case it is called to look into details of the packet. These two cases can be distinguished by the tree pointer. If the tree pointer is NULL, then we are being asked for a summary. If it is non NULL, we can pick apart the protocol for display. So with that in mind, let’s enhance our dissector.

Example 9.4. Plugin Packet Dissection.

static void

Packet dissection

dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {

col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO"); /* Clear out stuff in the info column */ col_clear(pinfo->cinfo,COL_INFO);

if (tree) { /* we are being asked for details */ proto_item *ti = NULL; ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA); } }

What we’re doing here is adding a subtree to the dissection. This subtree will hold all the details of this protocol and so not clutter up the display when not required.

We are also marking the area of data that is being consumed by this protocol. In our case it’s all that has been passed to us, as we’re assuming this protocol does not encapsulate another. Therefore, we add the new tree node with proto_tree_add_item(), adding it to the passed in tree, label it with the protocol, use the passed in tvb buffer as the data, and consume from 0 to the end (-1) of this data. ENC_NA ("not applicable") is specified as the "encoding" parameter.

After this change, there should be a label in the detailed display for the protocol, and selecting this will highlight the remaining contents of the packet.

Now let’s go to the next step and add some protocol dissection. For this step we’ll need to construct a couple of tables that help with dissection. This needs some additions to the proto_register_foo() function shown previously.

Two statically allocated arrays are added at the beginning of proto_register_foo(). The arrays are then registered after the call to proto_register_protocol().

Example 9.5. Registering data structures.

void proto_register_foo(void) { static hf_register_info hf[] = { { &hf_foo_pdu_type, { "FOO PDU Type", "foo.type", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL } } };

/* Setup protocol subtree array */ static gint *ett[] = { &ett_foo };

proto_foo = proto_register_protocol ( "FOO Protocol", /* name */ "FOO", /* short name */ "foo" /* abbrev */ );

proto_register_field_array(proto_foo, hf, array_length(hf)); proto_register_subtree_array(ett, array_length(ett)); }

The variables hf_foo_pdu_type and ett_foo also need to be declared somewhere near the top of the file.

Packet dissection

Example 9.6. Dissector data structure globals.

static int hf_foo_pdu_type = -1;

static gint ett_foo = -1;

Now we can enhance the protocol display with some detail.

Example 9.7. Dissector starting to dissect the packets.

if (tree) { /* we are being asked for details */ proto_item *ti = NULL; proto_tree *foo_tree = NULL;

ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA); foo_tree = proto_item_add_subtree(ti, ett_foo); proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, 0, 1, ENC_BIG_ENDIAN); }

Now the dissection is starting to look more interesting. We have picked apart our first bit of the protocol. One byte of data at the start of the packet that defines the packet type for foo protocol.

The proto_item_add_subtree() call has added a child node to the protocol tree which is where we will do our detail dissection. The expansion of this node is controlled by the ett_foo variable. This remembers if the node should be expanded or not as you move between packets. All subsequent dissection will be added to this tree, as you can see from the next call. A call to proto_tree_add_item() in the foo_tree, this time using the hf_foo_pdu_type to control the formatting of the item. The pdu type is one byte of data, starting at 0. We assume it is in network order (also called big endian), so that is why we use ENC_BIG_ENDIAN. For a 1-byte quantity, there is no order issue, but it is good practice to make this the same as any multibyte fields that may be present, and as we will see in the next section, this particular protocol uses network order.

If we look in detail at the hf_foo_pdu_type declaration in the static array we can see the details of the definition.

• hf_foo_pdu_type - The index for this node.

• FOO PDU Type - The label for this item.

• foo.type - This is the filter string. It enables us to type constructs such as foo.type=1 into the filter box.

• FT_UINT8 - This specifies this item is an 8bit unsigned integer. This tallies with our call above where we tell it to only look at one byte.

• BASE_DEC - Tor an integer type, this tells it to be printed as a decimal number. It could be hexadecimal (BASE_HEX) or octal (BASE_OCT) if that made more sense.

We’ll ignore the rest of the structure for now. If you install this plugin and try it out, you’ll see something that begins to look useful. Now let’s finish off dissecting the simple protocol. We need to add a few more variables to the hfarray,

and a couple more procedure calls.

Example 9.8. Wrapping up the packet dissection.

... static int hf_foo_flags = -1;

Packet dissection

static int hf_foo_sequenceno = -1; static int hf_foo_initialip = -1; ...

static void dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { gint offset = 0;

...

if (tree) { /* we are being asked for details */ proto_item *ti = NULL; proto_tree *foo_tree = NULL;

ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA); foo_tree = proto_item_add_subtree(ti, ett_foo); proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, offset, 1, ENC_BIG_ENDIAN); offset += 1; proto_tree_add_item(foo_tree, hf_foo_flags, tvb, offset, 1, ENC_BIG_ENDIAN); offset += 1; proto_tree_add_item(foo_tree, hf_foo_sequenceno, tvb, offset, 2, ENC_BIG_ENDIAN); offset += 2; proto_tree_add_item(foo_tree, hf_foo_initialip, tvb, offset, 4, ENC_BIG_ENDIAN); offset += 4; } ... }

void proto_register_foo(void) { ... ... { &hf_foo_flags, { "FOO PDU Flags", "foo.flags", FT_UINT8, BASE_HEX, NULL, 0x0, NULL, HFILL } }, { &hf_foo_sequenceno, { "FOO PDU Sequence Number", "foo.seqn", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } }, { &hf_foo_initialip, { "FOO PDU Initial IP", "foo.initialip", FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL } }, ... ... } ...

This dissects all the bits of this simple hypothetical protocol. We’ve introduced a new variable offsetinto the mix to help keep track of where we are in the packet dissection. With these extra bits in place, the whole protocol is now dissected.

9.2.3. Improving the dissection information

We can certainly improve the display of the protocol with a bit of extra data. The first step is to add some text labels. Let’s start by labeling the packet types. There is some useful support for this sort of thing by adding a couple of extra things. First we add a simple table of type to name.

Packet dissection

Example 9.9. Naming the packet types.

static const value_string packettypenames[] = { { 1, "Initialise" }, { 2, "Terminate" }, { 3, "Data" }, { 0, NULL } };

This is a handy data structure that can be used to look up a name for a value. There are routines to directly access this lookup table, but we don’t need to do that, as the support code already has that added in. We just have to give these details to the appropriate part of the data, using the VALS macro.

Example 9.10. Adding Names to the protocol.

{ &hf_foo_pdu_type, { "FOO PDU Type", "foo.type", FT_UINT8, BASE_DEC, VALS(packettypenames), 0x0, NULL, HFILL } }

This helps in deciphering the packets, and we can do a similar thing for the flags structure. For this we need to add some more data to the table though.

Example 9.11. Adding Flags to the protocol.

#define FOO_START_FLAG 0x01 #define FOO_END_FLAG 0x02 #define FOO_PRIORITY_FLAG 0x04

static int hf_foo_startflag = -1; static int hf_foo_endflag = -1; static int hf_foo_priorityflag = -1;

static void dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { ... ... proto_tree_add_item(foo_tree, hf_foo_flags, tvb, offset, 1, ENC_BIG_ENDIAN); proto_tree_add_item(foo_tree, hf_foo_startflag, tvb, offset, 1, ENC_BIG_ENDIAN); proto_tree_add_item(foo_tree, hf_foo_endflag, tvb, offset, 1, ENC_BIG_ENDIAN); proto_tree_add_item(foo_tree, hf_foo_priorityflag, tvb, offset, 1, ENC_BIG_ENDIAN); offset += 1; ... ... }

void proto_register_foo(void) { ... ... { &hf_foo_startflag, { "FOO PDU Start Flags", "foo.flags.start", FT_BOOLEAN, 8, NULL, FOO_START_FLAG, NULL, HFILL } }, { &hf_foo_endflag, { "FOO PDU End Flags", "foo.flags.end", FT_BOOLEAN, 8, NULL, FOO_END_FLAG, NULL, HFILL } },

Packet dissection

{ &hf_foo_priorityflag, { "FOO PDU Priority Flags", "foo.flags.priority", FT_BOOLEAN, 8, NULL, FOO_PRIORITY_FLAG, NULL, HFILL } }, ... ... } ...

Some things to note here. For the flags, as each bit is a different flag, we use the type FT_BOOLEAN, as the flag is either on or off. Second, we include the flag mask in the 7th field of the data, which allows the system to mask the relevant bit. We’ve also changed the 5th field to 8, to indicate that we are looking at an 8 bit quantity when the flags are extracted. Then finally we add the extra constructs to the dissection routine. Note we keep the same offset for each of the flags.

This is starting to look fairly full featured now, but there are a couple of other things we can do to make things look even more pretty. At the moment our dissection shows the packets as "Foo Protocol" which whilst correct is a little uninformative. We can enhance this by adding a little more detail. First, let’s get hold of the actual value of the protocol type. We can use the handy function tvb_get_guint8() to do this. With this value in hand, there are a couple of things we can do. First we can set the INFO column of the non-detailed view to show what sort of PDU it is - which is extremely helpful when looking at protocol traces. Second, we can also display this information in the dissection window.

Example 9.12. Enhancing the display.

static void dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { guint8 packet_type = tvb_get_guint8(tvb, 0);

col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO"); /* Clear out stuff in the info column */ col_clear(pinfo->cinfo,COL_INFO); col_add_fstr(pinfo->cinfo, COL_INFO, "Type %s", val_to_str(packet_type, packettypenames, "Unknown (0x%02x)"));

if (tree) { /* we are being asked for details */ proto_item *ti = NULL; proto_tree *foo_tree = NULL; gint offset = 0;

ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA); proto_item_append_text(ti, ", Type %s", val_to_str(packet_type, packettypenames, "Unknown (0x%02x)")); foo_tree = proto_item_add_subtree(ti, ett_foo); proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, offset, 1, ENC_BIG_ENDIAN); offset += 1; } }

So here, after grabbing the value of the first 8 bits, we use it with one of the built-in utility routines val_to_str(), to lookup the value. If the value isn’t found we provide a fallback which just prints the value in hex. We use this twice, once in the INFO field of the columns —if it’s displayed, and similarly we append this data to the base of our dissecting tree.

9.3. How to handle transformed data

Some protocols do clever things with data. They might possibly encrypt the data, or compress data, or part of it. If you know how these steps are taken it is possible to reverse them within the dissector.

Packet dissection

As encryption can be tricky, let’s consider the case of compression. These techniques can also work for other transformations of data, where some step is required before the data can be examined.

What basically needs to happen here, is to identify the data that needs conversion, take that data and transform it into a new stream, and then call a dissector on it. Often this needs to be done "on-the-fly" based on clues in the packet. Sometimes this needs to be used in conjunction with other techniques, such as packet reassembly. The following shows a technique to achieve this effect.

Example 9.13. Decompressing data packets for dissection.

guint8 flags = tvb_get_guint8(tvb, offset); offset ++; if (flags & FLAG_COMPRESSED) { /* the remainder of the packet is compressed */ guint16 orig_size = tvb_get_ntohs(tvb, offset); guchar *decompressed_buffer = (guchar*)g_malloc(orig_size); offset += 2; decompress_packet(tvb_get_ptr(tvb, offset, -1), tvb_captured_length_remaining(tvb, offset), decompressed_buffer, orig_size); /* Now re-setup the tvb buffer to have the new data */ next_tvb = tvb_new_child_real_data(tvb, decompressed_buffer, orig_size, orig_size); tvb_set_free_cb(next_tvb, g_free); add_new_data_source(pinfo, next_tvb, "Decompressed Data"); } else { next_tvb = tvb_new_subset_remaining(tvb, offset); } offset = 0; /* process next_tvb from here on */

The first steps here are to recognise the compression. In this case a flag byte alerts us to the fact the remainder of the packet is compressed. Next we retrieve the original size of the packet, which in this case is conveniently within the protocol. If it’s not, it may be part of the compression routine to work it out for you, in which case the logic would be different.

So armed with the size, a buffer is allocated to receive the uncompressed data using g_malloc(), and the packet is decompressed into it. The tvb_get_ptr() function is useful to get a pointer to the raw data of the packet from the offset onwards. In this case the decompression routine also needs to know the length, which is given by the tvb_captured_length_remaining() function.

Next we build a new tvb buffer from this data, using the tvb_new_child_real_data() call. This data is a child of our original data, so calling this function also acknowledges that. One procedural step is to add a callback handler to free the data when it’s no longer needed via a call to tvb_set_free_cb(). In this case g_malloc() was used to allocate the memory, so g_free() is the appropriate callback function. Finally we add this tvb as a new data source, so that the detailed display can show the decompressed bytes as well as the original.

After this has been set up the remainder of the dissector can dissect the buffer next_tvb, as it’s a new buffer the offset needs to be 0 as we start again from the beginning of this buffer. To make the rest of the dissector work regardless of whether compression was involved or not, in the case that compression was not signaled, we use tvb_new_subset_remaining() to deliver us a new buffer based on the old one but starting at the current offset, and extending to the end. This makes dissecting the packet from this point on exactly the same regardless of compression.

9.4. How to reassemble split packets

Some protocols have times when they have to split a large packet across multiple other packets. In this case the dissection can’t be carried out correctly until you have all the data. The first packet doesn’t have

Packet dissection

enough data, and the subsequent packets don’t have the expect format. To dissect these packets you need to wait until all the parts have arrived and then start the dissection.

9.4.1. How to reassemble split UDP packets

As an example, let’s examine a protocol that is layered on top of UDP that splits up its own data stream. If a packet is bigger than some given size, it will be split into chunks, and somehow signaled within its protocol.

To deal with such streams, we need several things to trigger from. We need to know that this packet is part of a multi-packet sequence. We need to know how many packets are in the sequence. We also need to know when we have all the packets.

For this example we’ll assume there is a simple in-protocol signaling mechanism to give details. A flag byte that signals the presence of a multi-packet sequence and also the last packet, followed by an ID of the sequence and a packet sequence number.

msg_pkt ::= SEQUENCE {

.....

flags ::= SEQUENCE { fragment BOOLEAN, last_fragment BOOLEAN,

.....

} msg_id INTEGER(0..65535), frag_id INTEGER(0..65535),

.....

}

Example 9.14. Reassembling fragments - Part 1

#include <epan/reassemble.h> ... save_fragmented = pinfo->fragmented; flags = tvb_get_guint8(tvb, offset); offset++; if (flags & FL_FRAGMENT) { /* fragmented */ tvbuff_t* new_tvb = NULL; fragment_data *frag_msg = NULL; guint16 msg_seqid = tvb_get_ntohs(tvb, offset); offset += 2; guint16 msg_num = tvb_get_ntohs(tvb, offset); offset += 2;

pinfo->fragmented = TRUE; frag_msg = fragment_add_seq_check(tvb, offset, pinfo, msg_seqid, /* ID for fragments belonging together */ msg_fragment_table, /* list of message fragments */ msg_reassembled_table, /* list of reassembled messages */ msg_num, /* fragment sequence number */ tvb_captured_length_remaining(tvb, offset), /* fragment length - to the end */ flags & FL_FRAG_LAST); /* More fragments? */

We start by saving the fragmented state of this packet, so we can restore it later. Next comes some protocol specific stuff, to dig the fragment data out of the stream if it’s present. Having decided it is present, we let the function fragment_add_seq_check() do its work. We need to provide this with a certain amount of data.

• The tvb buffer we are dissecting.

• The offset where the partial packet starts.

• The provided packet info.

• The sequence number of the fragment stream. There may be several streams of fragments in flight, and this is used to key the relevant one to be used for reassembly.

Packet dissection

• The msg_fragment_table and the msg_reassembled_table are variables we need to declare. We’ll consider these in detail later.

• msg_num is the packet number within the sequence.

• The length here is specified as the rest of the tvb as we want the rest of the packet data.

• Finally a parameter that signals if this is the last fragment or not. This might be a flag as in this case, or there may be a counter in the protocol.

Example 9.15. Reassembling fragments part 2

new_tvb = process_reassembled_data(tvb, offset, pinfo, "Reassembled Message", frag_msg, &msg_frag_items, NULL, msg_tree);

if (frag_msg) { /* Reassembled */ col_append_str(pinfo->cinfo, COL_INFO, " (Message Reassembled)"); } else { /* Not last packet of reassembled Short Message */ col_append_fstr(pinfo->cinfo, COL_INFO, " (Message fragment %u)", msg_num); }

if (new_tvb) { /* take it all */ next_tvb = new_tvb; } else { /* make a new subset */ next_tvb = tvb_new_subset(tvb, offset, -1, -1); } } else { /* Not fragmented */ next_tvb = tvb_new_subset(tvb, offset, -1, -1); }

.....

pinfo->fragmented = save_fragmented;

Having passed the fragment data to the reassembly handler, we can now check if we have the whole message. If there is enough information, this routine will return the newly reassembled data buffer.

After that, we add a couple of informative messages to the display to show that this is part of a sequence. Then a bit of manipulation of the buffers and the dissection can proceed. Normally you will probably not bother dissecting further unless the fragments have been reassembled as there won’t be much to find. Sometimes the first packet in the sequence can be partially decoded though if you wish.

Now the mysterious data we passed into the fragment_add_seq_check().

Example 9.16. Reassembling fragments - Initialisation

static GHashTable *msg_fragment_table = NULL; static GHashTable *msg_reassembled_table = NULL;

static void msg_init_protocol(void) { fragment_table_init(&msg_fragment_table); reassembled_table_init(&msg_reassembled_table); }

First a couple of hash tables are declared, and these are initialised in the protocol initialisation routine. Following that, a fragment_items structure is allocated and filled in with a series of ett items, hf data

Packet dissection

items, and a string tag. The ett and hf values should be included in the relevant tables like all the other variables your protocol may use. The hf variables need to be placed in the structure something like the following. Of course the names may need to be adjusted.

Example 9.17. Reassembling fragments - Data

... static int hf_msg_fragments = -1; static int hf_msg_fragment = -1; static int hf_msg_fragment_overlap = -1; static int hf_msg_fragment_overlap_conflicts = -1; static int hf_msg_fragment_multiple_tails = -1; static int hf_msg_fragment_too_long_fragment = -1; static int hf_msg_fragment_error = -1; static int hf_msg_fragment_count = -1; static int hf_msg_reassembled_in = -1; static int hf_msg_reassembled_length = -1; ... static gint ett_msg_fragment = -1; static gint ett_msg_fragments = -1; ... static const fragment_items msg_frag_items = { /* Fragment subtrees */ &ett_msg_fragment, &ett_msg_fragments, /* Fragment fields */ &hf_msg_fragments, &hf_msg_fragment, &hf_msg_fragment_overlap, &hf_msg_fragment_overlap_conflicts, &hf_msg_fragment_multiple_tails, &hf_msg_fragment_too_long_fragment, &hf_msg_fragment_error, &hf_msg_fragment_count, /* Reassembled in field */ &hf_msg_reassembled_in, /* Reassembled length field */ &hf_msg_reassembled_length, /* Tag */ "Message fragments" }; ... static hf_register_info hf[] = { ... {&hf_msg_fragments, {"Message fragments", "msg.fragments", FT_NONE, BASE_NONE, NULL, 0x00, NULL, HFILL } }, {&hf_msg_fragment, {"Message fragment", "msg.fragment", FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL } }, {&hf_msg_fragment_overlap, {"Message fragment overlap", "msg.fragment.overlap", FT_BOOLEAN, 0, NULL, 0x00, NULL, HFILL } }, {&hf_msg_fragment_overlap_conflicts, {"Message fragment overlapping with conflicting data", "msg.fragment.overlap.conflicts", FT_BOOLEAN, 0, NULL, 0x00, NULL, HFILL } }, {&hf_msg_fragment_multiple_tails, {"Message has multiple tail fragments", "msg.fragment.multiple_tails", FT_BOOLEAN, 0, NULL, 0x00, NULL, HFILL } }, {&hf_msg_fragment_too_long_fragment, {"Message fragment too long", "msg.fragment.too_long_fragment", FT_BOOLEAN, 0, NULL, 0x00, NULL, HFILL } }, {&hf_msg_fragment_error,

Packet dissection

{"Message defragmentation error", "msg.fragment.error", FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL } }, {&hf_msg_fragment_count, {"Message fragment count", "msg.fragment.count", FT_UINT32, BASE_DEC, NULL, 0x00, NULL, HFILL } }, {&hf_msg_reassembled_in, {"Reassembled in", "msg.reassembled.in", FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL } }, {&hf_msg_reassembled_length, {"Reassembled length", "msg.reassembled.length", FT_UINT32, BASE_DEC, NULL, 0x00, NULL, HFILL } }, ... static gint *ett[] = { ... &ett_msg_fragment, &ett_msg_fragments ...

These hf variables are used internally within the reassembly routines to make useful links, and to add data to the dissection. It produces links from one packet to another, such as a partial packet having a link to the fully reassembled packet. Likewise there are back pointers to the individual packets from the reassembled one. The other variables are used for flagging up errors.

9.4.2. How to reassemble split TCP Packets

A dissector gets a tvbuff_t pointer which holds the payload of a TCP packet. This payload contains the header and data of your application layer protocol.

When dissecting an application layer protocol you cannot assume that each TCP packet contains exactly one application layer message. One application layer message can be split into several TCP packets.

You also cannot assume that a TCP packet contains only one application layer message and that the message header is at the start of your TCP payload. More than one messages can be transmitted in one TCP packet, so that a message can start at an arbitrary position.

This sounds complicated, but there is a simple solution. tcp_dissect_pdus() does all this tcp packet reassembling for you. This function is implemented in epan/dissectors/packet-tcp.h.

Example 9.18. Reassembling TCP fragments

#include "config.h"

#include <epan/packet.h> #include <epan/prefs.h> #include "packet-tcp.h"

...

#define FRAME_HEADER_LEN 8

/* This method dissects fully reassembled messages */ static int dissect_foo_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) { /* TODO: implement your dissecting code */ return tvb_captured_length(tvb); }

/* determine PDU length of protocol foo */ static guint get_foo_message_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset, void *data _U_)

Packet dissection

{ /* TODO: change this to your needs */ return (guint)tvb_get_ntohl(tvb, offset+4); /* e.g. length is at offset 4 */ }

/* The main dissecting routine */ static int dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) { tcp_dissect_pdus(tvb, pinfo, tree, TRUE, FRAME_HEADER_LEN, get_foo_message_len, dissect_foo_message, data); return tvb_captured_length(tvb); }

...

As you can see this is really simple. Just call tcp_dissect_pdus() in your main dissection routine and move you message parsing code into another function. This function gets called whenever a message has been reassembled.

The parameters tvb, pinfo, tree and data are just handed over to tcp_dissect_pdus(). The 4th parameter is a flag to indicate if the data should be reassembled or not. This could be set according to a dissector preference as well. Parameter 5 indicates how much data has at least to be available to be able to determine the length of the foo message. Parameter 6 is a function pointer to a method that returns this length. It gets called when at least the number of bytes given in the previous parameter is available. Parameter 7 is a function pointer to your real message dissector. Parameter 8 is the data passed in from parent dissector.

Protocols which need more data before the message length can be determined can return zero. Other values smaller than the fixed length will result in an exception.

9.5. How to tap protocols

Adding a Tap interface to a protocol allows it to do some useful things. In particular you can produce protocol statistics from the tap interface.

A tap is basically a way of allowing other items to see what’s happening as a protocol is dissected. A tap is registered with the main program, and then called on each dissection. Some arbitrary protocol specific data is provided with the routine that can be used.

To create a tap, you first need to register a tap. A tap is registered with an integer handle, and registered with the routine register_tap(). This takes a string name with which to find it again.

Example 9.19. Initialising a tap

#include <epan/packet.h> #include <epan/tap.h>

static int foo_tap = -1;

struct FooTap { gint packet_type; gint priority; ... };

void proto_register_foo(void) { ... foo_tap = register_tap("foo");

Packet dissection

Whilst you can program a tap without protocol specific data, it is generally not very useful. Therefore it’s a good idea to declare a structure that can be passed through the tap. This needs to be a static structure as it will be used after the dissection routine has returned. It’s generally best to pick out some generic parts of the protocol you are dissecting into the tap data. A packet type, a priority or a status code maybe. The structure really needs to be included in a header file so that it can be included by other components that want to listen in to the tap.

Once you have these defined, it’s simply a case of populating the protocol specific structure and then calling tap_queue_packet, probably as the last part of the dissector.

Example 9.20. Calling a protocol tap

void dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { ... fooinfo = wmem_alloc(wmem_packet_scope(), sizeof(struct FooTap)); fooinfo->packet_type = tvb_get_guint8(tvb, 0); fooinfo->priority = tvb_get_ntohs(tvb, 8); ... tap_queue_packet(foo_tap, pinfo, fooinfo); }

This now enables those interested parties to listen in on the details of this protocol conversation.

9.6. How to produce protocol stats

Given that you have a tap interface for the protocol, you can use this to produce some interesting statistics (well presumably interesting!) from protocol traces.

This can be done in a separate plugin, or in the same plugin that is doing the dissection. The latter scheme is better, as the tap and stats module typically rely on sharing protocol specific data, which might get out of step between two different plugins.

Here is a mechanism to produce statistics from the above TAP interface.

Example 9.21. Initialising a stats interface

/* register all http trees */ static void register_foo_stat_trees(void) { stats_tree_register("foo", "foo", "Foo/Packet Types", foo_stats_tree_packet, foo_stats_tree_init, NULL); }

WS_DLL_PUBLIC_DEF const gchar version[] = "0.0";

WS_DLL_PUBLIC_DEF void plugin_register_tap_listener(void) { register_foo_stat_trees(); }

#endif

Working from the bottom up, first the plugin interface entry point is defined,

plugin_register_tap_listener(). This simply calls the initialisation function register_foo_stat_trees().

This in turn calls the stats_tree_register() function, which takes three strings, and three functions.

Packet dissection

1. This is the tap name that is registered.

2. An abbreviation of the stats name.

3. The name of the stats module. A '/' character can be used to make sub menus.

4. The function that will called to generate the stats.

5. A function that can be called to initialise the stats data.

6. A function that will be called to clean up the stats data.

In this case we only need the first two functions, as there is nothing specific to clean up.

Example 9.22. Initialising a stats session

static const guint8* st_str_packets = "Total Packets"; static const guint8* st_str_packet_types = "FOO Packet Types"; static int st_node_packets = -1; static int st_node_packet_types = -1;

static void foo_stats_tree_init(stats_tree* st) { st_node_packets = stats_tree_create_node(st, st_str_packets, 0, TRUE); st_node_packet_types = stats_tree_create_pivot(st, st_str_packet_types, st_node_packets); }

In this case we create a new tree node, to handle the total packets, and as a child of that we create a pivot table to handle the stats about different packet types.

Example 9.23. Generating the stats

static int foo_stats_tree_packet(stats_tree* st, packet_info* pinfo, epan_dissect_t* edt, const void* p) { struct FooTap *pi = (struct FooTap *)p; tick_stat_node(st, st_str_packets, 0, FALSE); stats_tree_tick_pivot(st, st_node_packet_types, val_to_str(pi->packet_type, msgtypevalues, "Unknown packet type (%d)")); return 1; }

In this case the processing of the stats is quite simple. First we call the tick_stat_node for the st_str_packets packet node, to count packets. Then a call to stats_tree_tick_pivot() on the st_node_packet_types subtree allows us to record statistics by packet type.

9.7. How to use conversations

Some info about how to use conversations in a dissector can be found in the file doc/README.dissector, chapter 2.2.

9.8. idl2wrs: Creating dissectors from CORBA IDL files

Many of Wireshark’s dissectors are automatically generated. This section shows how to generate one from a CORBA IDL file.

9.8.1. What is it?

As you have probably guessed from the name, idl2wrs takes a user specified IDL file and attempts to build a dissector that can decode the IDL traffic over GIOP. The resulting file is “C” code, that should compile okay as a Wireshark dissector.

idl2wrs parses the data struct given to it by the omniidl compiler, and using the GIOP API available in packet-giop.[ch], generates get_CDR_xxx calls to decode the CORBA traffic on the wire.

It consists of 4 main files.

README.idl2wrs This document

wireshark_be.py The main compiler backend

wireshark_gen.py A helper class, that generates the C code.

idl2wrs A simple shell script wrapper that the end user should use to generate the

9.8.2. Why do this?

Packet dissection

dissector from the IDL file(s).

It is important to understand what CORBA traffic looks like over GIOP/IIOP, and to help build a tool that can assist in troubleshooting CORBA interworking. This was especially the case after seeing a lot of discussions about how particular IDL types are represented inside an octet stream.

I have also had comments/feedback that this tool would be good for say a CORBA class when teaching students what CORBA traffic looks like “on the wire”.

It is also COOL to work on a great Open Source project such as the case with “Wireshark” (https://

www.wireshark.org/ )

9.8.3. How to use idl2wrs

To use the idl2wrs to generate Wireshark dissectors, you need the following:

• Python must be installed. See http://python.org/

• omniidl from the omniORB package must be available. See http://omniorb.sourceforge.net/

• Of course you need Wireshark installed to compile the code and tweak it if required. idl2wrs is part of the standard Wireshark distribution

To use idl2wrs to generate an Wireshark dissector from an idl file use the following procedure:

• To write the C code to stdout.

$ idl2wrs <your_file.idl>

e.g.:

$ idl2wrs echo.idl

• To write to a file, just redirect the output.

$ idl2wrs echo.idl > packet-test-idl.c

Packet dissection

You may wish to comment out the register_giop_user_module() code and that will leave you with heuristic dissection.

If you don’t want to use the shell script wrapper, then try steps 3 or 4 instead.

• To write the C code to stdout.

$ omniidl -p ./ -b wireshark_be <your file.idl>

e.g.:

$ omniidl -p ./ -b wireshark_be echo.idl

• To write to a file, just redirect the output.

$ omniidl -p ./ -b wireshark_be echo.idl > packet-test-idl.c

You may wish to comment out the register_giop_user_module() code and that will leave you with heuristic dissection.

• Copy the resulting C code to subdirectory epan/dissectors/ inside your Wireshark source directory.

$ cp packet-test-idl.c /dir/where/wireshark/lives/epan/dissectors/

The new dissector has to be added to Makefile.common in the same directory. Look for the declaration CLEAN_DISSECTOR_SRC and add the new dissector there. For example,

CLEAN_DISSECTOR_SRC = \ packet-2dparityfec.c \ packet-3com-njack.c \ ...

becomes

CLEAN_DISSECTOR_SRC = \ packet-test-idl.c \ packet-2dparityfec.c \ packet-3com-njack.c \ ...

For the next steps, go up to the top of your Wireshark source directory.

• Run configure

$ ./configure (or ./autogen.sh)

• Compile the code

$ make

• Good Luck !!

9.8.4. TODO

• Exception code not generated (yet), but can be added manually.

• Enums not converted to symbolic values (yet), but can be added manually.

• Add command line options etc

• More I am sure :-)

9.8.5. Limitations

See the TODO list inside packet-giop.c

9.8.6. Notes

The -p ./ option passed to omniidl indicates that the wireshark_be.py and wireshark_gen.py are residing in the current directory. This may need tweaking if you place these files somewhere else.

If it complains about being unable to find some modules (e.g. tempfile.py), you may want to check if PYTHONPATH is set correctly. On my Linux box, it is PYTHONPATH=/usr/lib/python2.4/

Packet dissection

Chapter 10. Lua Support in Wireshark

10.1. Introduction

Wireshark has an embedded Lua interpreter. Lua is a powerful light-weight programming language designed for extending applications. Lua is designed and implemented by a team at PUC-Rio, the Pontifical Catholic University of Rio de Janeiro in Brazil. Lua was born and raised at Tecgraf, the Computer Graphics Technology Group of PUC-Rio, and is now housed at Lua.org. Both Tecgraf and Lua.org are laboratories of the Department of Computer Science.

In Wireshark Lua can be used to write dissectors, taps, and capture file readers and writers.

Wireshark’s Lua interpreter starts by loading init.lua that is located in the global configuration directory of Wireshark. Lua is enabled by default. To disable Lua the line variable disable_lua should be set to true in init.lua.

After loading init.lua from the data directory if Lua is enabled Wireshark will try to load a file named init.lua in the user’s directory.

Wireshark will also load all files with .lua suffix from both the global and the personal plugins directory.

The command line option -X lua_script:file.lua can be used to load Lua scripts as well.

The Lua code will be executed once after all the protocol dissectors have being initialized and before reading any file.

10.2. Example of Dissector written in Lua

local p_multi = Proto("multi","MultiProto");

local vs_protos = { [2] = "mtp2", [3] = "mtp3", [4] = "alcap", [5] = "h248", [6] = "ranap", [7] = "rnsap", [8] = "nbap" }

local f_proto = ProtoField.uint8("multi.protocol","Protocol",base.DEC,vs_protos) local f_dir = ProtoField.uint8("multi.direction","Direction",base.DEC,{ [1] = "incoming", [0] = "outgoing"}) local f_text = ProtoField.string("multi.text","Text")

p_multi.fields = { f_proto, f_dir, f_text }

local data_dis = Dissector.get("data")

local protos = { [2] = Dissector.get("mtp2"), [3] = Dissector.get("mtp3"), [4] = Dissector.get("alcap"), [5] = Dissector.get("h248"), [6] = Dissector.get("ranap"), [7] = Dissector.get("rnsap"), [8] = Dissector.get("nbap"), [9] = Dissector.get("rrc"), [10] = DissectorTable.get("sctp.ppi"):get_dissector(3), -- m3ua

Lua Support in Wireshark

[11] = DissectorTable.get("ip.proto"):get_dissector(132), -- sctp }

function p_multi.dissector(buf,pkt,root)

local t = root:add(p_multi,buf(0,2)) t:add(f_proto,buf(0,1)) t:add(f_dir,buf(1,1))

local proto_id = buf(0,1):uint()

local dissector = protos[proto_id]

if dissector ~= nil then dissector:call(buf(2):tvb(),pkt,root) elseif proto_id < 2 then t:add(f_text,buf(2))

-- pkt.cols.info:set(buf(2,buf:len() - 3):string())

else data_dis:call(buf(2):tvb(),pkt,root) end

end

local wtap_encap_table = DissectorTable.get("wtap_encap") local udp_encap_table = DissectorTable.get("udp.port")

wtap_encap_table:add(wtap.USER15,p_multi) wtap_encap_table:add(wtap.USER12,p_multi) udp_encap_table:add(7555,p_multi)

10.3. Example of Listener written in Lua

-- This program will register a menu that will open a window with a count of occurrences

-- of every address in the capture

local function menuable_tap()

-- Declare the window we will use

local tw = TextWindow.new("Address Counter")

-- This will contain a hash of counters of appearances of a certain address

local ips = {}

-- this is our tap

local tap = Listener.new();

function remove()

-- this way we remove the listener that otherwise will remain running indefinitely

tap:remove(); end

-- we tell the window to call the remove() function when closed

tw:set_atclose(remove)

-- this function will be called once for each packet

function tap.packet(pinfo,tvb) local src = ips[tostring(pinfo.src)] or 0 local dst = ips[tostring(pinfo.dst)] or 0

ips[tostring(pinfo.src)] = src + 1 ips[tostring(pinfo.dst)] = dst + 1 end

-- this function will be called once every few seconds to update our window

function tap.draw(t) tw:clear()

Lua Support in Wireshark

for ip,num in pairs(ips) do tw:append(ip .. "\t" .. num .. "\n"); end end

-- this function will be called whenever a reset is needed

-- e.g. when reloading the capture file

function tap.reset() tw:clear() ips = {} end end

-- using this function we register our function

-- to be called when the user selects the Tools->Test->Packets menu

register_menu("Test/Packets", menuable_tap, MENU_TOOLS_UNSORTED)

Chapter 11. Wireshark’s Lua API Reference Manual

This Part of the User Guide describes the Wireshark specific functions in the embedded Lua.

11.1. Saving capture files

The classes/functions defined in this module are for using a Dumper object to make Wireshark save a capture file to disk. Dumper represents Wireshark’s built-in file format writers (see the wtap_filetypes table in init.lua).

To have a Lua script create its own file format writer, see the chapter titled "Custom file format reading/ writing".

11.1.1. Dumper

11.1.1.1. Dumper.new(filename, [filetype], [encap])

Creates a file to write packets. Dumper:new_for_current() will probably be a better choice.

Arguments

filename The name of the capture file to be created.

filetype (optional) The type of the file to be created - a number entry from the

encap (optional) The encapsulation to be used in the file to be created - a number entry

Returns

The newly created Dumper object

11.1.1.2. dumper:close()

Closes a dumper.

Errors

• Cannot operate on a closed dumper

11.1.1.3. dumper:flush()

Writes all unsaved data of a dumper to the disk.

wtap_filetypes table in init.lua.

from the wtap_encaps table in init.lua.

11.1.1.4. dumper:dump(timestamp, pseudoheader, bytearray)

Dumps an arbitrary packet.

Wireshark’s Lua API

Reference Manual

Note

Dumper:dump_current() will fit best in most cases.

Arguments

timestamp The absolute timestamp the packet will have. pseudoheader The PseudoHeader to use. bytearray The data to be saved

11.1.1.5. dumper:new_for_current([filetype])

Creates a capture file using the same encapsulation as the one of the current packet.

Arguments

filetype (optional) The file type. Defaults to pcap.

Returns

The newly created Dumper Object

Errors

• Cannot be used outside a tap or a dissector

11.1.1.6. dumper:dump_current()

Dumps the current packet as it is.

Errors

• Cannot be used outside a tap or a dissector

11.1.2. PseudoHeader

A pseudoheader to be used to save captured frames.

11.1.2.1. PseudoHeader.none()

Creates a "no" pseudoheader.

Returns

A null pseudoheader

11.1.2.2. PseudoHeader.eth([fcslen])

Creates an ethernet pseudoheader.

Arguments

fcslen (optional) The fcs length

Wireshark’s Lua API

Reference Manual

Returns

The ethernet pseudoheader

11.1.2.3. PseudoHeader.atm([aal], [vpi], [vci], [channel], [cells], [aal5u2u], [aal5len])

Creates an ATM pseudoheader.

Arguments

aal (optional) AAL number

vpi (optional) VPI

vci (optional) VCI

channel (optional) Channel

cells (optional) Number of cells in the PDU

aal5u2u (optional) AAL5 User to User indicator

aal5len (optional) AAL5 Len

Returns

The ATM pseudoheader

11.1.2.4. PseudoHeader.mtp2([sent], [annexa], [linknum])

Creates an MTP2 PseudoHeader.

Arguments

sent (optional) True if the packet is sent, False if received.

annexa (optional) True if annex A is used.

linknum (optional) Link Number.

Returns

The MTP2 pseudoheader

11.2. Obtaining dissection data

11.2.1. Field

A Field extractor to to obtain field values. A Field object can only be created outside of the callback functions of dissectors, post-dissectors, heuristic-dissectors, and taps.

Once created, it is used inside the callback functions, to generate a FieldInfo object.

Wireshark’s Lua API

11.2.1.1. Field.new(fieldname)

Create a Field extractor.

Arguments

fieldname The filter name of the field (e.g. ip.addr)

Returns

The field extractor

Errors

• A Field extractor must be defined before Taps or Dissectors get called

11.2.1.2. Field.list()

Gets a Lua array table of all registered field filter names.

Note

Reference Manual

this is an expensive operation, and should only be used for troubleshooting.

Since: 1.11.3

Returns

The array table of field filter names

11.2.1.3. field:__call()

Obtain all values (see FieldInfo) for this field.

Returns

All the values of this field

Errors

• Fields cannot be used outside dissectors or taps

11.2.1.4. field:__tostring()

Obtain a string with the field filter name.

11.2.1.5. field.name

Mode: Retrieve only.

The filter name of this field, or nil.

Since: 1.99.8

11.2.1.6. field.display

Mode: Retrieve only. The full display name of this field, or nil. Since: 1.99.8

11.2.1.7. field.type

Mode: Retrieve only. The ftype of this field, or nil. Since: 1.99.8

11.2.2. FieldInfo

An extracted Field from dissected packet data. A FieldInfo object can only be used within the callback functions of dissectors, post-dissectors, heuristic-dissectors, and taps.

A FieldInfo can be called on either existing Wireshark fields by using either Field.new() or Field() before-hand, or it can be called on new fields created by Lua from a ProtoField.

Wireshark’s Lua API

Reference Manual

11.2.2.1. fieldinfo:__len()

Obtain the Length of the field

11.2.2.2. fieldinfo:__unm()

Obtain the Offset of the field

11.2.2.3. fieldinfo:__call()

Obtain the Value of the field. Previous to 1.11.4, this function retrieved the value for most field types, but for ftypes.UINT_BYTES

it retrieved the ByteArray of the field’s entire TvbRange. In other words, it returned a ByteArray that included the leading length byte(s), instead of just the value bytes. That was a bug, and has been changed in 1.11.4. Furthermore, it retrieved an ftypes.GUID as a ByteArray, which is also incorrect.

If you wish to still get a ByteArray of the TvbRange, use FieldInfo:get_range() to get the TvbRange, and then use Tvb:bytes() to convert it to a ByteArray.

11.2.2.4. fieldinfo:__tostring()

The string representation of the field.

11.2.2.5. fieldinfo:__eq()

Checks whether lhs is within rhs.

11.2.2.6. fieldinfo:__le()

Checks whether the end byte of lhs is before the end of rhs.

Errors

• Data source must be the same for both fields

11.2.2.7. fieldinfo:__lt()

Checks whether the end byte of rhs is before the beginning of rhs.

Errors

• Data source must be the same for both fields

11.2.2.8. fieldinfo.len

Mode: Retrieve only.

The length of this field.

11.2.2.9. fieldinfo.offset

Mode: Retrieve only.

Wireshark’s Lua API

Reference Manual

The offset of this field.

11.2.2.10. fieldinfo.value

Mode: Retrieve only.

The value of this field.

11.2.2.11. fieldinfo.label

Mode: Retrieve only.

The string representing this field.

11.2.2.12. fieldinfo.display

Mode: Retrieve only.

The string display of this field as seen in GUI.

11.2.2.13. fieldinfo.type

Mode: Retrieve only.

The internal field type, a number which matches one of the ftype values in init.lua.

Since: 1.99.8

11.2.2.14. fieldinfo.source

Mode: Retrieve only.

The source Tvb object the FieldInfo is derived from, or nil if there is none. Since: 1.99.8

11.2.2.15. fieldinfo.range

Mode: Retrieve only. The TvbRange covering this field.

11.2.2.16. fieldinfo.generated

Mode: Retrieve only. Whether this field was marked as generated (boolean).

11.2.2.17. fieldinfo.hidden

Mode: Retrieve only. Whether this field was marked as hidden (boolean).

Wireshark’s Lua API

Reference Manual

Since: 1.99.8

11.2.2.18. fieldinfo.is_url

Mode: Retrieve only. Whether this field was marked as being a URL (boolean). Since: 1.99.8

11.2.2.19. fieldinfo.little_endian

Mode: Retrieve only. Whether this field is little-endian encoded (boolean). Since: 1.99.8

11.2.2.20. fieldinfo.big_endian

Mode: Retrieve only. Whether this field is big-endian encoded (boolean). Since: 1.99.8

11.2.2.21. fieldinfo.name

Mode: Retrieve only. The filter name of this field. Since: 1.99.8

Wireshark’s Lua API

Reference Manual

11.2.3. Global Functions

11.2.3.1. all_field_infos()

Obtain all fields from the current tree. Note this only gets whatever fields the underlying dissectors have filled in for this packet at this time - there may be fields applicable to the packet that simply aren’t being filled in because at this time they’re not needed for anything. This function only gets what the C-side code has currently populated, not the full list.

Errors

• Cannot be called outside a listener or dissector

11.3. GUI support

11.3.1. ProgDlg

Manages a progress bar dialog.

11.3.1.1. ProgDlg.new([title], [task])

Creates a new ProgDlg progress dialog.

Arguments

title (optional) Title of the new window, defaults to "Progress". task (optional) Current task, defaults to "".

Returns

The newly created ProgDlg object.

11.3.1.2. progdlg:update(progress, [task])

Appends text.

Arguments

progress Part done ( e.g. 0.75 ). task (optional) Current task, defaults to "".

Errors

• GUI not available

• Cannot be called for something not a ProgDlg

• Progress value out of range (must be between 0.0 and 1.0)

11.3.1.3. progdlg:stopped()

Checks whether the user has pressed the stop button.

Wireshark’s Lua API

Reference Manual

Returns

true if the user has asked to stop the progress.

11.3.1.4. progdlg:close()

Closes the progress dialog.

Returns

A string specifying whether the Progress Dialog has stopped or not.

Errors

• GUI not available

11.3.2. TextWindow

Manages a text window.

11.3.2.1. TextWindow.new([title])

Creates a new TextWindow text window.

Arguments

title (optional) Title of the new window.

Returns

The newly created TextWindow object.

Errors

• GUI not available

11.3.2.2. textwindow:set_atclose(action)

Set the function that will be called when the text window closes.

Arguments

action A Lua function to be executed when the user closes the text window.

Returns

The TextWindow object.

Errors

• GUI not available

11.3.2.3. textwindow:set(text)

Sets the text.

Wireshark’s Lua API

Reference Manual

Arguments

text The text to be used.

Returns

The TextWindow object.

Errors

• GUI not available

11.3.2.4. textwindow:append(text)

Appends text

Arguments

text The text to be appended

Returns

The TextWindow object.

Errors

• GUI not available

11.3.2.5. textwindow:prepend(text)

Prepends text

Arguments

text The text to be appended

Returns

The TextWindow object.

Errors

• GUI not available

11.3.2.6. textwindow:clear()

Erases all text in the window.

Returns

Errors

The TextWindow object.

• GUI not available

Wireshark’s Lua API

Reference Manual

11.3.2.7. textwindow:get_text()

Get the text of the window

Returns

The `TextWindow’s text.

Errors

• GUI not available

11.3.2.8. textwindow:close()

Close the window

Errors

• GUI not available

11.3.2.9. textwindow:set_editable([editable])

Make this text window editable.

Arguments

editable (optional) A boolean flag, defaults to true.

Returns

The TextWindow object.

Errors

• GUI not available

11.3.2.10. textwindow:add_button(label, function)

Adds a button to the text window.

Arguments

label The label of the button

function The Lua function to be called when clicked

Returns

Errors

The TextWindow object.

• GUI not available

Wireshark’s Lua API

Reference Manual

11.3.3. Global Functions

11.3.3.1. gui_enabled()

Checks whether the GUI facility is enabled.

Returns

A boolean: true if it is enabled, false if it isn’t.

11.3.3.2. register_menu(name, action, [group])

Arguments

name The name of the menu item. The submenus are to be separated by '`/’s.

(string)

action The function to be called when the menu item is invoked. (function taking

no arguments and returning nothing)

group (optional) The menu group into which the menu item is to be inserted. If omitted,

defaults to MENU_STAT_GENERIC. One of:

• MENU_STAT_UNSORTED (Statistics),

• MENU_STAT_GENERIC (Statistics, first section),

• MENU_STAT_CONVERSATION (Statistics/Conversation List),

• MENU_STAT_ENDPOINT (Statistics/Endpoint List),

• MENU_STAT_RESPONSE (Statistics/Service Response Time),

• MENU_STAT_TELEPHONY (Telephony),

• MENU_STAT_TELEPHONY_GSM (Telephony/GSM),

• MENU_STAT_TELEPHONY_LTE (Telephony/LTE),

• MENU_STAT_TELEPHONY_SCTP (Telephony/SCTP),

• MENU_ANALYZE (Analyze),

• MENU_ANALYZE_CONVERSATION (Analyze/Conversation Filter),

• MENU_TOOLS_UNSORTED (Tools). (number)

11.3.3.3. new_dialog(title, action, …)

Pops up a new dialog

Arguments

title Title of the dialog’s window.

Wireshark’s Lua API

Reference Manual

action Action to be performed when OK’d.

… A series of strings to be used as labels of the dialog’s fields.

Errors

• GUI not available

• At least one field required

• All fields must be strings

11.3.3.4. retap_packets()

Rescan all packets and just run taps - don’t reconstruct the display.

11.3.3.5. copy_to_clipboard(text)

Copy a string into the clipboard.

Arguments

text The string to be copied into the clipboard.

11.3.3.6. open_capture_file(filename, filter)

Open and display a capture file.

Arguments

filename The name of the file to be opened.

filter A filter to be applied as the file gets opened.

11.3.3.7. get_filter()

Get the main filter text.

11.3.3.8. set_filter(text)

Set the main filter text.

Arguments

text The filter’s text.

11.3.3.9. set_color_filter_slot(row, text)

Set packet-coloring rule for the current session.

Arguments

row The index of the desired color in the temporary coloring rules list.

Wireshark’s Lua API

Reference Manual

text Display filter for selecting packets to be colorized.

11.3.3.10. apply_filter()

Apply the filter in the main filter box.

11.3.3.11. reload()

Reload the current capture file.

11.3.3.12. browser_open_url(url)

Open an url in a browser.

Arguments

url The url.

11.3.3.13. browser_open_data_file(filename)

Open a file in a browser.

Arguments

filename The file name.

11.4. Post-dissection packet analysis

11.4.1. Listener

A Listener is called once for every packet that matches a certain filter or has a certain tap. It can read the tree, the packet’s Tvb buffer as well as the tapped data, but it cannot add elements to the tree.

11.4.1.1. Listener.new([tap], [filter], [allfields])

Creates a new Listener listener object.

Arguments

tap (optional) The name of this tap. filter (optional) A filter that when matches the tap.packet function gets called (use

nil to be called for every packet).

allfields (optional) Whether to generate all fields. (default=false)

Returns

Note

this impacts performance.

The newly created Listener listener object

Wireshark Wireshark - 2.1 Developer’s Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

Wireshark Developer’s Guide

Preface

1. Foreword

2. Who should read this document?

3. Acknowledgements

4. About this document

5. Where to get the latest copy of this document?

6. Providing feedback about this document

Part I. Wireshark Build Environment

Chapter 1. Introduction

1.1. Introduction

1.2. What is Wireshark?

1.3. Supported Platforms

1.3.1. Unix

1.3.2. Linux

1.3.3. Microsoft Windows

1.4. Development and maintenance of Wireshark

1.4.1. Programming languages used

1.4.2. Open Source Software

1.5. Releases and distributions

1.5.1. Binary distributions

1.5.2. Source code distributions

1.6. Automated Builds (Buildbot)

1.6.1. Advantages

1.6.2. What does the Buildbot do?

1.7. Reporting problems and getting help

1.7.1. Website

1.7.2. Wiki

1.7.3. FAQ

1.7.4. Other sources

1.7.5. Mailing Lists

1.7.6. Bug database (Bugzilla)

1.7.7. Q&A Site

1.7.8. Reporting Problems

1.7.9. Reporting Crashes on UNIX/Linux platforms

1.7.10. Reporting Crashes on Windows platforms

Chapter 2. Quick Setup

2.1. UNIX: Installation

2.2. Win32/64: Step-by-Step Guide

2.2.1. Install PowerShell

2.2.2. Optional: Install Chocolatey

2.2.3. Install Microsoft C compiler and SDK

2.2.4. Install Qt

2.2.5. Install Cygwin

2.2.6. Install Python

2.2.7. Install Git

2.2.7.1. The Official Windows Installer

2.2.7.2. Git Extensions

2.2.7.3. TortoiseGit

2.2.7.4. Command Line client via Chocolatey

2.2.7.5. Others

2.3. Install CMake

2.3.1. Install and Prepare Sources

2.3.2. Open a Visual Studio Command Prompt

2.3.3. Generate the build files

2.3.4. Build Wireshark

2.3.5. Debug Environment Setup

2.3.6. Optional: Create User’s and Developer’s Guide

2.3.7. Optional: Create a Wireshark Installer

Chapter 3. Work with the Wireshark sources

3.1. Introduction

3.2. The Wireshark Git repository

3.2.1. The web interface to the Git repository

3.3. Obtain the Wireshark sources

3.3.1. Git over SSH or HTTPS

3.3.2. Git web interface

3.3.3. Buildbot Snapshots

3.3.4. Released sources

3.4. Update the Wireshark sources

3.4.1. Update Using Git

3.4.2. Update Using Source Archives

3.5. Build Wireshark

3.5.1. Building on Unix

3.5.2. Win32 native

3.6. Run generated Wireshark

3.6.1. Unix/Linux