Wireshark Wireshark - 2.9 Developer’s Guide

Wireshark Developer’s Guide

Version 2.9.0

Preface

Foreword

This book tries to give you a guide to start your own experiments into the wonderful world of
Wireshark development.

Developers who are new to Wireshark often have a hard time getting their development
environment up and running. This is especially true for Win32 developers, as a lot of the tools and
methods used when building Wireshark are much more common in the UNIX world than on
Win32.

The first part of this book will describe how to set up the environment needed to develop
Wireshark.

The second part of this book will describe how to change the Wireshark source code.

We hope that you find this book useful, and look forward to your comments.

Who should read this document?

The intended audience of this book is anyone going into the development of Wireshark.

This book is not intended to explain the usage of Wireshark in general. Please refer the Wireshark

User’s Guide about Wireshark usage.

By reading this book, you will learn how to develop Wireshark. It will hopefully guide you around
some common problems that frequently appear for new (and sometimes even advanced)
developers of Wireshark.

Acknowledgements

The authors would like to thank the whole Wireshark team for their assistance. In particular, the
authors would like to thank:

• Gerald Combs, for initiating the Wireshark project.

• Guy Harris, for many helpful hints and his effort in maintaining the various contributions on
the mailing lists.

• Frank Singleton from whose README.idl2wrs idl2wrs: Creating dissectors from CORBA IDL files is
derived.

The authors would also like to thank the following people for their helpful feedback on this
document:

1

• XXX - Please give feedback :-)

And of course a big thank you to the many, many contributors of the Wireshark development
community!

About this document

This book was developed by Ulf Lamping and updated for VS2013 by Graham Bloice

It is written in AsciiDoc.

Where to get the latest copy of this document?

The latest copy of this documentation can always be found at: https://www.wireshark.org/docs/ in
A4 PDF, US letter PDF, single HTML, and chunked HTML.

Providing feedback about this document

Should you have any feedback about this document, please send it to the authors through

wireshark-dev[AT]wireshark.org.

Typographic Conventions

The following table shows the typographic conventions that are used in this guide.

Table 1. Typographic Conventions

Style Description Example

Italic File names, folder names, and extensions C:\Development\wireshark.

Monospace

Bold
Monospace

[ Button ] Dialog and window buttons Press [ Launch ] to go to the Moon.

Key

Commands, flags, and environment
variables

Commands that should be run by the
user

Keyboard shortcut Press Ctrl+Down to move to the next

CMake’s -G option.

Run cmake -G Ninja ...

packet.

Menu Menu item

Admonitions

Important and notable items are marked as follows:

2

Select Go › Next Packet to move to the
next packet.

This is a warning

WARNING

NOTE

This is a tip

TIP

Tips are helpful for your everyday work using Wireshark.

You should pay attention to a warning, otherwise data loss might occur.

This is a note

A note will point you to common mistakes and things that might not be obvious.

Shell Prompt and Source Code Examples

Bourne shell, normal user

$ # This is a comment
$ git config --global log.abbrevcommit true

Bourne shell, root user

# # This is a comment
# ninja install

Command Prompt (cmd.exe)

>rem This is a comment
>cd C:\Development

PowerShell

PS$># This is a comment
PS$>choco list -l

3

C Source Code

#include "config.h"

/* This method dissects foos */
static int
dissect_foo_message(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree _U_, void
*data _U_)
{
Ê /* TODO: implement your dissecting code */
Ê return tvb_captured_length(tvb);
}

4

Wireshark Build Environment

Wireshark Build Environment

The first part describes how to set up the tools, libraries and source needed to generate Wireshark
and how to do some typical development tasks.

5

Introduction

Introduction

This chapter will provide you with information about Wireshark development in general.

What is Wireshark?

Well, if you want to start Wireshark development, you might already know what Wireshark is
doing. If not, please have a look at the Wireshark User’s Guide, which will provide a lot of general
information about it.

Supported Platforms

Wireshark currently runs on most UNIX platforms and various Windows platforms. It requires Qt,
GLib, libpcap and some other libraries in order to run.

As Wireshark is developed in a platform independent way and uses libraries (such as the Qt GUI
library) which are available for many different platforms, it’s thus available on a wide variety of
platforms.

If a binary package is not available for your platform, you should download the source and try to
build it. Please report your experiences to wireshark-dev[AT]wireshark.org.

Binary packages are available for the following platforms along with many others:

Unix

• Apple macOS

• FreeBSD

• HP-UX

• IBM AIX

• NetBSD

• OpenBSD

• Oracle Solaris

Linux

• Debian GNU/Linux

• Ubuntu

• Gentoo Linux

6

• IBM S/390 Linux (Red Hat)

• Mandrake Linux

• PLD Linux

• Red Hat Linux

• Rock Linux

• Slackware Linux

• Suse Linux

Microsoft Windows

Wireshark supports Windows natively via the Windows API. Note that in this documentation and
elsewhere we tend to use the terms “Win32”, “Win”, and “Windows” interchangeably to refer to the
Windows API. Wireshark runs on and can be compiled on the following platforms:

• Windows 10 / Windows Server 2016

• Windows 8.1 / Windows Server 2012 R2

• Windows 8 / Windows Server 2012

• Windows 7 / Windows Server 2008 R2

Development on Windows Vista, Server 2008, and older versions may be possible but is not
supported.

Development and maintenance of Wireshark

Wireshark was initially developed by Gerald Combs. Ongoing development and maintenance of
Wireshark is handled by the Wireshark core developers, a loose group of individuals who fix bugs
and provide new functionality.

There have also been a large number of people who have contributed protocol dissectors and other
improvements to Wireshark, and it is expected that this will continue. You can find a list of the
people who have contributed code to Wireshark by checking the About dialog box of Wireshark, or
have a look at the https://www.wireshark.org/about.html#authors page on the Wireshark web site.

The communication between the developers is usually done through the developer mailing list,
which can be joined by anyone interested in the development activities. At the time this document
was written, more than 500 persons were subscribed to this mailing list!

It is strongly recommended to join the developer mailing list, if you are going to do any Wireshark
development. See Mailing Lists about the different Wireshark mailing lists available.

7

Programming languages used

Most of Wireshark is implemented in plain ANSI C. A notable exception is the code in ui/qt, which is
written in C++.

The typical task for a new Wireshark developer is to extend an existing, or write a new dissector for
a specific network protocol. As (almost) any dissector is written in plain old ANSI C, a good
knowledge about ANSI C will be sufficient for Wireshark development in almost any case.

So unless you are going to change the build process of Wireshark itself, you won’t come in touch
with any other programming language than ANSI C (such as Perl or Python, which are used only in
the Wireshark build process).

Beside the usual tools for developing a program in C (compiler, make, …), the build process uses
some additional helper tools (Perl, Python, Sed, …), which are needed for the build process when
Wireshark is to be build and installed from the released source packages. If Wireshark is installed
from a binary package, none of these helper tools are needed on the target system.

Open Source Software

Wireshark is an open source software (OSS) project, and is released under the GNU General Public

License (GPL). You can freely use Wireshark on any number of computers you like, without

worrying about license keys or fees or such. In addition, all source code is freely available under
the GPL. Because of that, it is very easy for people to add new protocols to Wireshark, either as
plugins, or built into the source, and they often do!

You are welcome to modify Wireshark to suit your own needs, and it would be appreciated if you
contribute your improvements back to the Wireshark community.

You gain three benefits by contributing your improvements back to the community:

• Other people who find your contributions useful will appreciate them, and you will know that
you have helped people in the same way that the developers of Wireshark have helped you and
other people.

• The developers of Wireshark might improve your changes even more, as there’s always room
for improvement. Or they may implement some advanced things on top of your code, which can
be useful for yourself too.

• The maintainers and developers of Wireshark will maintain your code as well, fixing it when
API changes or other changes are made, and generally keeping it in tune with what is
happening with Wireshark. So if Wireshark is updated (which is done often), you can get a new
Wireshark version from the website and your changes will already be included without any
effort for you.

The Wireshark source code and binary packages for some platforms are all available on the
download page of the Wireshark website: https://www.wireshark.org/download.html.

8

Releases and distributions

The officially released files can be found at https://www.wireshark.org/download.html. A new
Wireshark version is released after significant changes compared to the last release are completed
or a serious security issue is encountered. The typical release schedule is about every 4-8 weeks
(although this may vary). There are two kinds of distributions: binary and source; both have their
advantages and disadvantages.

Binary distributions

Binary distributions are usually easy to install (as simply starting the appropriate file is usually the
only thing to do). They are available for the following systems:

• Windows (.exe file). The typical Windows end user is used to getting a setup.exe file which will
install all the required things for him.

• Win32 PAF (.paf.exe file). Another Windows end user method is to get a portable application file
which will install all the required things for him.

• Debian (.deb file). A user of a Debian Package Manager (DPKG) based system obtains a .deb file
from which the package manager checks the dependencies and installs the software.

• Red Hat (.rpm file). A user of a RPM Package Manager (RPM) based system obtains an .rpm file
from which the package manager checks the dependencies and installs the software.

• macOS (.dmg file). The typical macOS end user is used to getting a .dmg file which will install all
the required things for him.

• Solaris. A Solaris user obtains a file from which the package manager (PKG) checks the
dependencies and installs the software.

However, if you want to start developing with Wireshark, the binary distributions won’t be too
helpful, as you need the source files, of course.

For details about how to build these binary distributions yourself, e.g. if you need a distribution for
a special audience, see Binary packaging.

Source code distributions

It’s still common for UNIX developers to give the end user a source tarball and let the user compile
it on their target machine (configure, make, make install). However, for different UNIX (Linux)
distributions it’s becoming more common to release binary packages (e.g. .deb or .rpm files) these
days.

You should use the released sources if you want to build Wireshark from source on your platform
for productive use. However, if you going to develop changes to the Wireshark sources, it might be
better to use the latest GIT sources. For details about the different ways to get the Wireshark source
code see Obtain the Wireshark sources.

9

Before building Wireshark from a source distribution, make sure you have all the tools and
libraries required to build. The following chapters will describe the required tools and libraries in
detail.

Automated Builds (Buildbot)

The Wireshark Buildbot automatically rebuilds Wireshark on every change of the source code
repository and indicates problematic changes. This frees the developers from repeating (and
annoying) work, so time can be spent on more interesting tasks.

Advantages

• Recognizing (cross platform) build problems - early. Compilation problems can be narrowed
down to a few commits, making a fix much easier.

• "Health status" overview of the sources. A quick look at: https://buildbot.wireshark.org/

wireshark-master/ gives a good "feeling" if the sources are currently "well". On the other hand,

if all is "red", an update of a personal source tree might better be done later …

• "Up to date" binary packages are available. After a change was committed to the repository, a
binary package / installer is usually available within a few hours at: https://www.wireshark.org/

download/automated/. This can be quite helpful, e.g. a bug reporter can easily verify a bugfix by

installing a recent build.

• Automated regression tests. In particular, the fuzz tests often indicate "real life" problems that
are otherwise hard to find.

What does the Buildbot do?

The Buildbot will do the following (to a different degree on the different platforms):

• Check out from the source repository

• Build

• Create binary packages and installers

• Create source packages and run distribution checks

• Run regression tests

Each step is represented at the status page by a rectangle, green if it succeeded or red if it failed.
Most steps provide a link to the corresponding console logfile, to get additional information.

The Buildbot runs on a platform collection that represents the different "platform specialties" quite
well:

• Windows 8.1 x86 (Win32, little endian, Visual Studio 2013)

• Windows Server 2012 R2 x86-64 (Win64, little endian, Visual Studio 2013)

10

• Ubuntu x86-64 (Linux, little endian, gcc, Clang)

• macOS x86-64 (BSD, little endian, Clang)

and two buildslaves that run static code analysis to help spot coding issues:

• Visual Studio Code Analysis (Win64, little endian, VS 2013)

• Clang Code Analysis (Linux, little endian, Clang)

Each platform is represented at the status page by a single column, the most recent entries are at
the top.

Reporting problems and getting help

If you have problems, or need help with Wireshark, there are several places that may be of interest
to you (well, beside this guide of course).

Website

You will find lots of useful information on the Wireshark homepage at https://www.wireshark.org/.

Wiki

The Wireshark Wiki at https://wiki.wireshark.org/ provides a wide range of information related to
Wireshark and packet capturing in general. You will find a lot of information not part of this
developer’s guide. For example, there is an explanation how to capture on a switched network, an
ongoing effort to build a protocol reference and a lot more.

And best of all, if you would like to contribute your knowledge on a specific topic (maybe a network
protocol you know well), you can edit the Wiki pages by simply using your webbrowser.

FAQ

The "Frequently Asked Questions" will list often asked questions and the corresponding answers.

Before sending any mail to the mailing lists below, be sure to read the FAQ, as it will often answer
any questions you might have. This will save yourself and others a lot of time. Keep in mind that a
lot of people are subscribed to the mailing lists.

You will find the FAQ inside Wireshark by clicking the menu item Help/Contents and selecting the
FAQ page in the upcoming dialog.

An online version is available at the Wireshark website: https://www.wireshark.org/faq.html. You
might prefer this online version as it’s typically more up to date and the HTML format is easier to
use.

11

Other sources

If you don’t find the information you need inside this book, there are various other sources of
information:

• The file doc/README.developer and all the other README.xxx files in the source code. These are
various documentation files on different topics

Read the README

README.developer is packed full with all kinds of details relevant to the developer

NOTE

• The Wireshark source code

• Tool documentation of the various tools used (e.g. manpages of sed, gcc, etc.)

• The different mailing lists. See Mailing Lists

of Wireshark source code. Its companion file README.dissector advises you around
common pitfalls, shows you basic layout of dissector code, shows details of the APIs
available to the dissector developer, etc.

Mailing Lists

There are several mailing lists available on specific Wireshark topics:

wireshark-announce

This mailing list will inform you about new program releases, which usually appear about every
4-8 weeks.

wireshark-users

This list is for users of Wireshark. People post questions about building and using Wireshark,
others (hopefully) provide answers.

wireshark-dev

This list is for Wireshark developers. People post questions about the development of Wireshark,
others (hopefully) provide answers. If you want to start developing a protocol dissector, join this
list.

wireshark-bugs

This list is for Wireshark developers. Every time a change to the bug database occurs, a mail to
this mailing list is generated. If you want to be notified about all the changes to the bug database,
join this list. Details about the bug database can be found in Bug database (Bugzilla).

wireshark-commits

This list is for Wireshark developers. Every time a change to the GIT repository is checked in, a
mail to this mailing list is generated. If you want to be notified about all the changes to the GIT
repository, join this list. Details about the GIT repository can be found in The Wireshark Git

12

repository.

You can subscribe to each of these lists from the Wireshark web site: https://www.wireshark.org/

lists/. From there, you can choose which mailing list you want to subscribe to by clicking on the

Subscribe/Unsubscribe/Options button under the title of the relevant list. The links to the archives
are included on that page as well.

The archives are searchable

TIP

You can search in the list archives to see if someone previously asked the same
question and maybe already got an answer. That way you don’t have to wait until
someone answers your question.

Bug database (Bugzilla)

The Wireshark community collects bug reports in a Bugzilla database at https://bugs.wireshark.org/.
This database is filled with manually filed bug reports, usually after some discussion on wireshark­dev, and automatic bug reports from the Buildbot tools.

Q&A Site

The Wireshark Q&A site at https://ask.wireshark.org/ offers a resource where questions and
answers come together. You have the option to search what questions were asked before and what
answers were given by people who knew about the issue. Answers are graded, so you can pick out
the best ones easily. If your issue isn’t discussed before you can post one yourself.

Reporting Problems

Test with the latest version

NOTE

If you report problems, provide as much information as possible. In general, just think about what
you would need to find that problem, if someone else sends you such a problem report. Also keep in
mind that people compile/run Wireshark on a lot of different platforms.

When reporting problems with Wireshark, it is helpful if you supply the following information:

1. The version number of Wireshark and the dependent libraries linked with it, e.g. Qt, GLib, etc.

You can obtain this with the command wireshark -v.

2. Information about the platform you run Wireshark on.

3. A detailed description of your problem.

4. If you get an error/warning message, copy the text of that message (and also a few lines before
and after it, if there are some), so others may find the build step where things go wrong. Please

Before reporting any problems, please make sure you have installed the latest
version of Wireshark. Reports on older maintenance releases are usually met with
an upgrade request.

13

don’t give something like: "I get a warning when compiling x" as this won’t give any direction to
look at.

Don’t send large files

Do not send large files (>100KB) to the mailing lists, just place a note that further

NOTE

WARNING

data is available on request. Large files will only annoy a lot of people on the list
who are not interested in your specific problem. If required, you will be asked for
further data by the persons who really can help you.

Don’t send confidential information

If you send captured data to the mailing lists, or add it to your bug report, be
sure it doesn’t contain any sensitive or confidential information, such as
passwords. Visibility of such files can be limited to certain groups in the
Bugzilla database though.

Reporting Crashes on UNIX/Linux platforms

When reporting crashes with Wireshark, it is helpful if you supply the traceback information
(besides the information mentioned in Reporting Problems).

You can obtain this traceback information with the following commands:

$ gdb `whereis wireshark | cut -f2 -d: | cut -d' ' -f2` core >& bt.txt
backtrace
^D
$

Using GDB

Type the characters in the first line verbatim. Those are back-tics there.

backtrace is a gdb command. You should enter it verbatim after the first line shown

NOTE

above, but it will not be echoed. The ^D (Control-D, that is, press the Control key and
the D key together) will cause gdb to exit. This will leave you with a file called bt.txt
in the current directory. Include the file with your bug report.

If you do not have gdb available, you will have to check out your operating system’s
debugger.

You should mail the traceback to wireshark-dev[AT]wireshark.org or attach it to your bug report.

Reporting Crashes on Windows platforms

You can download Windows debugging symbol files (.pdb) from the following locations:

14

• 32-bit Windows: https://www.wireshark.org/download/win32/all-versions/

• 64-bit Windows: https://www.wireshark.org/download/win64/all-versions/

Files are named "Wireshark-pdb-winbits-x.y.z.zip" to match their corresponding "Wireshark­winbits-x.y.z.exe" installer packages.

15

Quick Setup

UNIX: Installation

All the tools required are usually installed on a UNIX developer machine.

If a tool is not already installed on your system, you can usually install it using the package in your
distribution: aptitude, yum, Synaptic, etc.

If an install package is not available or you have a reason not to use it (maybe because it’s simply
too old), you can install that tool from source code. The following sections will provide you with the
webpage addresses where you can get these sources.

Win32/64: Step-by-Step Guide

A quick setup guide for Win32 and Win64 with recommended configuration.

Unless you know exactly what you are doing, you should strictly follow the
recommendations below. They are known to work and if the build breaks,
please re-read this guide carefully.

WARNING

Known traps are:

1. Not using the correct (x86 or x64) version of the Visual Studio command
prompt.

2. Not copying/downloading the correct version of vcredist_xYY.exe.

Install Microsoft C compiler and SDK

You need to install, in exactly this order:

1. C compiler: Download and install “Microsoft Visual Studio 2015 Community Edition.” This is a
small download that then downloads all the other required parts (which are quite large).

Select the "Custom" install and then uncheck all the optional components other than "Common
Tools for Visual C++ 2015" (unless you want to use them for purposes other than Wireshark).

You can use Chocolatey to install Visual Studio, to correctly configure the installation, copy the
deployment XML file msvc2015AdminDeployment.xml from the source code tools directory and
pass the path the file to the chocolatey install command:

PS$>choco install -y VisualStudio2015Community --timeout 0 -package-parameters "-­AdminFile path\to\msvc2015AdminDeployment.xml"

16

You can use other Microsoft C compiler variants, but VS2015 is used to build the development
releases and is the preferred option. It’s possible to compile Wireshark with a wide range of
Microsoft C compiler variants. For details see Ninja.

You may have to do this as Administrator.

Compiling with gcc or Clang is not recommended and will certainly not work (at least not without a
lot of advanced tweaking). For further details on this topic, see GNU compiler toolchain (UNIX and

UNIX-like platforms only). This may change in future as releases of Visual Studio add more cross-

platform support.

Why is this recommended? While this is a huge download, Visual Studio 2015 Community Edition is
the only free (as in beer) versions that includes the Visual Studio integrated debugger. Visual Studio
2015 is also used to create official Wireshark builds, so it will likely have fewer development­related problems.

Install Qt

The main Wireshark application uses the Qt windowing toolkit. To install Qt download the Qt
Online Installer for Windows from the Qt Project "Download Open Source" page and select a

component that matches your target system and compiler. For example, the “msvc2015 64-bit”
component is used to build the official 64-bit packages. You can deselect all the Qt xxxx (e.g. Qt
Charts) components as they aren’t required.

Note that installation of separate Qt components are required for 32 bit and 64 bit builds, e.g.
“msvc2015 32-bit” and “msvc2015 64-bit”. The environment variable QT5_BASE_DIR should be set as
appropriate for your environment and should point to the Qt directory that contains the bin
directory, e.g. C:\Qt\5.9.1\msvc2015_64

The Qt maintenance tool (C:\Qt\MaintenanceTool.exe) can be used to upgrade Qt to newer versions.

Recommended: Install Chocolatey

Chocolatey is a native package manager for Windows. There are packages for most of the software

listed below. Along with traditional Windows packages it supports the Python Package Index and
Cygwin.

Chocolatey tends to install packages into its own path (%ChocolateyInstall%). In most cases this is
OK, but in some instances (Python in particular) this might not be what you want. You can install
Chocolatey packages using the command choco install.

17

> rem Flex and Bison are required.
> choco install -y winflexbison
> rem Git, CMake, Perl, Python, etc are also required, but can be installed
> rem via their respective installation packages.
> choco install -y git cmake
> rem Choose one of Strawberry...
> choco install -y strawberryperl
> rem ...or ActiveState Perl
> choco install -y activeperl
> rem This will likely install Python in a non-standard location, but
> rem should otherwise work.
> choco install -y python3

Optional: Install Cygwin

On 32-bit Windows, download the 32-bit Cygwin installer and start it. On 64-bit Windows,

download the 64-bit Cygwin installer and start it.

Cygwin is no longer required

NOTE

At the "Select Packages" page, you’ll need to select some additional packages which are not installed
by default. Navigate to the required Category/Package row and, if the package has a "Skip" item in
the "New" column, click on the "Skip" item so it shows a version number for:

• Devel/bison (or install Win flex-bison — see Chocolatey above)

• Devel/flex (or install Win flex-bison — see Chocolatey above)

• Devel/git (recommended, but it’s also available via Chocolatey — see the Git discussion below)

• Interpreters/perl

• Utils/patch (only if needed) (may be Devel/patch instead)

• Text/docbook-xml45 (only needed if you’re building the documenation)

You might also have to install

• Interpreters/m4

In the past the Wireshark development toolchain depended on Cygwin, but it it no
longer required. Although you can often use the Cygwin version of a particular tool
for Wireshark development that’s not always the case.

if installing Devel/bison doesn’t provide a working version of Bison. If m4 is missing bison will fail.

After clicking the [ Next ] button several times, the setup will then download and install the
selected packages (this may take a while).

18

Alternatively you can install Cygwin and its packages using Chocolatey:

PS$>choco install -y cygwin
PS$>choco install -y cyg-get

Chocolatey installs Cygwin in C:\tools\cygwin by default.

You can directly download packages via cyg-get

PS$>cyg-get docbook-xml45 [...]

Install Python

Get the Python 3.5 or 2.7 installer from http://python.org/download/ and install Python into the
default location (C:\Python35 or C:\Python27).

Why is this recommended? Cygwin’s /usr/bin/python is a Cygwin-specific symbolic link which
cannot be run from Windows. The native package is faster as well.

Alternatively you can install Python using Chocolatey:

PS$>choco install -y python3

or

PS$>choco install -y python2

Chocolatey installs Python in C:\tools\python3 and C:\tools\python2 by default.

Install Git

Please note that the following is not required to build Wireshark but can be quite helpful when
working with the sources.

Working with the Git source repositories is highly recommended, as described in Obtain the

Wireshark sources. It is much easier to update a personal source tree (local repository) with Git

rather than downloading a zip file and merging new sources into a personal source tree by hand. It
also makes first-time setup easy and enables the Wireshark build process to determine your
current source code revision.

There are several ways in which Git can be installed. Most packages are available at the URLs below
or via Chocolatey. Note that many of the GUI interfaces depend on the command line version.

19

If installing the Windows version of git select the Use Git from the Windows Command Prompt (in
chocolatey the /GitOnlyOnPath option). Do not select the Use Git and optional Unix tools from the
Windows Command Prompt option (in chocolatey the /GitAndUnixToolsOnPath option).

The Official Windows Installer

The official command-line installer is available at https://git-scm.com/download/win.

Git Extensions

Git Extensions is a native Windows graphical Git client for Windows. You can download the
installer from https://github.com/gitextensions/gitextensions/releases/latest.

TortoiseGit

TortoiseGit is a native Windows graphical Git similar to TortoiseSVN. You can download the
installer from https://tortoisegit.org/download/.

Command Line client via Chocolatey

The command line client can be installed (and updated) using Chocolatey:

PS$> choco install -y git

Others

A list of other GUI interfaces for Git can be found at https://git-scm.com/downloads/guis

Install CMake

Get the CMake installer from https://cmake.org/download/ and install CMake into the default
location. Ensure the directory containing cmake.exe is added to your path.

Alternatively you can install CMake using Chocolatey:

PS$>choco install -y cmake

Chocolatey ensures cmake.exe is on your path.

Install Asciidoctor, Xsltproc, And DocBook

Asciidoctor can be run directly as a Ruby script or via a Java wrapper (AsciidoctorJ). It is used in

conjunction with Xsltproc and DocBook to generate the documenation you’re reading and the
User’s Guide.

20

The easiest way to install them on Windows is via Chocolatey:

PS$>choco install -y asciidoctorj xsltproc docbook-bundle

Chocolatey ensures that asciidoctorj.exe and xsltproc.exe is on your path and that xsltproc uses the
DocBook catalog.

Install and Prepare Sources

Make sure everything works

TIP

Download sources Download Wireshark sources into C:\Development\wireshark using either the

command line or Git Extensions:

Using the command line:

It’s a good idea to make sure Wireshark compiles and runs at least once before you
start hacking the Wireshark sources for your own project. This example uses Git
Extensions but any other Git client should work as well.

>cd C:\Development
>git clone https://code.wireshark.org/review/wireshark

Using Git extensions:

1. Open the Git Extensions application. By default Git Extensions will show a validation checklist
at startup. If anything needs to be fixed do so now. You can bring up the checklist at any time via

Tools › Settings.

2. In the main screen select Clone repository. Fill in the following:

Repository to clone: https://code.wireshark.org/review/wireshark

Destination: Your top-level development directory, e.g. C:\Development.

Subdirectory to create: Anything you’d like. Usually wireshark.

Check your paths

TIP

3. Click the [ Clone ] button. Git Extensions should start cloning the Wireshark repository.

Make sure your repository path doesn’t contain spaces.

Open a Visual Studio Command Prompt

From the Start Menu (or Start Screen), navigate to the ‘Visual Studio 2015’ folder and choose the

21

Command Prompt appropriate for the build you wish to make, e.g. ‘VS2015 x64 Native Tools
Command Prompt’ for a 64-bit version or ‘VS2015 x86 Native Tools Command Prompt’ for a 32-bit
version. Depending on your version of Windows the Command Prompt list might be directly under
‘Visual Studio 2015’ or you might have to dig for it under multiple folders, e.g. ‘Visual Studio 2015 →
Visual Studio Tools → Windows Desktop Command Prompts’.

Pin the items to the Task Bar

TIP

All subsequent operations take place in this Command Prompt window.

1. Set environment variables to control the build.

Set the following environment variables, using paths and values suitable for your installation:

Pin the Command Prompt you use to the Task Bar for easy access.

> rem Let CMake determine the library download directory name under
> rem WIRESHARK_BASE_DIR or set it explicitly by using WIRESHARK_LIB_DIR.
> rem Set *one* of these.
> set WIRESHARK_BASE_DIR=C:\Development
> rem set WIRESHARK_LIB_DIR=c:\wireshark-win64-libs
> rem Set the Qt installation directory
> set QT5_BASE_DIR=C:\Qt\5.9.1\msvc2015_64
> rem Append a custom string to the package version. Optional.
> set WIRESHARK_VERSION_EXTRA=-YourExtraVersionInfo

If your Cygwin installation path is not automatically detected by CMake, you can explicitly
specify it with the following environment variable:

> rem Chocolatey installs Cygwin in an odd location
> set
WIRESHARK_CYGWIN_INSTALL_PATH=C:\ProgramData\chocolatey\lib\Cygwin\tools\cygwin

If you are using a version of Visual Studio earlier than VS2012 then you must set an additional
env var, e.g. for VS2010 set the following:

> set VisualStudioVersion=10.0

Setting these variables could be added to a batch file to be run after you open the Visual Studio
Tools Command Prompt.

TIP

Qt 5.9 is a "long term support" branch of Qt5. We recommend using it to compile
Wireshark on Windows.

22

2. Create and change to the correct build directory. CMake is best used in an out-of-tree build
configuration where the build is done in a separate directory to the source tree, leaving the
source tree in a pristine state. 32 and 64 bit builds require a separate build directory. Create (if
required) and change to the appropriate build directory.

> mkdir C:\Development\wsbuild32
> cd C:\Development\wsbuild32

to create and jump into the build directory.

The build directory can be deleted at any time and the build files regenerated as detailed in

Generate the build files.

Generate the build files

CMake is used to process the CMakeLists.txt files in the source tree and produce build files
appropriate for your system.

You can generate Visual Studio solution files to build either from within Visual Studio, or from the
command line with MSBuild. CMake can also generate other build types but they aren’t supported.

The initial generation step is only required the first time a build directory is created. Subsequent
builds will regenerate the build files as required.

If you’ve closed the Visual Studio Command Prompt prepare it again.

To generate the build files enter the following at the Visual Studio command prompt:

> cmake -G "Visual Studio 14 2015" ..\wireshark

Adjusting the paths as required to Python and the wireshark source tree. To use a different
generator modify the -G parameter. cmake -G lists all the CMake supported generators, but only
Visual Studio is supported for Wireshark builds.

To build an x64 version, the -G parameter must have a Win64 suffix, e.g. -G "Visual Studio 14 2015

Win64":

> cmake -G "Visual Studio 14 2015 Win64" ..\wireshark

The CMake generation process will download the required 3rd party libraries (apart from Qt) as
required, then test each library for usability before generating the build files.

At the end of the CMake generation process the following should be displayed:

23

-- Configuring done

-- Generating done

-- Build files have been written to: C:/Development/wsbuild32

If you get any other output, there is an issue in your envirnment that must be rectified before
building. Check the parameters passed to CMake, especially the -G option and the path to the
Wireshark sources and the environment variables WIRESHARK_BASE_DIR and QT5_BASE_DIR.

Build Wireshark

Now it’s time to build Wireshark!

1. If you’ve closed the Visual Studio Command Prompt prepare it again.

2. Run

> msbuild /m /p:Configuration=RelWithDebInfo Wireshark.sln

to build Wireshark.

3. Wait for Wireshark to compile. This will take a while, and there will be a lot of text output in the
command prompt window

4. Run C:\Development\wsbuild32\run\RelWithDebInfo\Wireshark.exe and make sure it starts.

5.

Open Help › About. If it shows your "private" program version, e.g.: Version 2.9.0­myprotocol123 congratulations! You have compiled your own version of Wireshark!

You may also open the Wireshark solution file (Wireshark.sln) in the Visual Studio IDE and build
there.

If compilation fails for suspicious reasons after you changed some source files try to

TIP

The build files produced by CMake will regenerate themselves if required by changes in the source
tree.

clean the build files by running msbuild /m /p:Configuration=RelWithDebInfo

Wireshark.sln /t:Clean and then building the solution again.

Debug Environment Setup

You can debug using the Visual Studio Debugger or WinDbg. See the section on using the Debugger

Tools.

24

Optional: Create User’s and Developer’s Guide

Detailed information to build these guides can be found in the file docbook\README.adoc in the
Wireshark sources.

Optional: Create a Wireshark Installer

Note: You should have successfully built Wireshark before doing the following.

If you want to build your own Wireshark-win32-2.9.0-myprotocol123.exe, you’ll need NSIS. You can
download it from http://nsis.sourceforge.net.

Note that the 32-bit version of NSIS will work for both 32-bit and 64-bit versions of Wireshark. NSIS
v3 is required.

Note: If you do not yet have a copy of vcredist_x86.exe or vcredist_x64.exe in ./wireshark-winXX-libs
(where XX is 32 or 64) you will need to download the appropriate file and place it in ./wireshark-
winXX-libs before starting this step.

If building an x86 version using a Visual Studio “Express” edition or an x64 version with any
edition, then you must have the appropriate vcredist file for your compiler in the support libraries
directory (vcredist_x86.exe in wireshark-32-libs or vcredist_x64.exe in wireshark-win64-libs).

The files can be located in the Visual Studio install directory for non-Express edition builds, or
downloaded from Microsoft for Expresss edition builds.

Note you must use the correct version of vcredist for your compiler, unfortunately they all have the
same name (vcredist_x86.exe or vcredist_x64.exe). You can use Windows Explorer and examine the
‘Properties → Details’ tab for a vcredist file to determine which compiler version the file is for use
with.

If you’ve closed the Visual Studio Command Prompt prepare it again.

Run

> msbuild /m /p:Configuration=RelWithDebInfo nsis_package_prep.vcxproj
> msbuild /m /p:Configuration=RelWithDebInfo nsis_package.vcxproj

to build a Wireshark installer. If you sign your executables you should do so between the
“nsis_package_prep” and “nsis_package” steps.

Run

> packaging\nsis\wireshark-win64-{wireshark-version}-myprotocol123.exe

25

to test your new installer. It’s a good idea to test on a different machine than the developer
machine. Note that if you’ve built an x86 version, the installer name will contain “win32”.

26

Work with the Wireshark sources

Introduction

This chapter will explain how to work with the Wireshark source code. It will show you how to:

• Get the source

• Compile it on your machine

• Submit changes for inclusion in the official release

This chapter will not explain the source file contents in detail, such as where to find specific
functionality. This is done in Source overview.

The Wireshark Git repository

Git is used to keep track of the changes made to the Wireshark source code. The code is stored

inside Wireshark project’s Git repository located at a server at the wireshark.org domain.

Changes to the official repository are managed using the Gerrit code review system. Gerrit makes it
easy to test and discuss changes before they are pushed to the main repository. For an overview of
Gerrit see the Quick Introduction.

Why Git?

Git is a fast, flexible way of managing source code. It allows large scale distributed development
and ensures data integrity.

Why Gerrit?

Gerrit makes it easy to contribute. You can sign in with any OpenID provider and push your
changes. It’s usable from both the web and command line and is integrated with many popular
tools.

Git is our third revision control system

NOTE

Using Wireshark’s Git repository you can:

Wireshark originally used Concurrent Versions System (CVS) and migrated to

Subversion in July 2004. The Subversion repository was subsequently migrated to

Git in January 2014.

• Keep your private sources up to date with very little effort

• Get a mail notification when the official source code changes

• Get the source files from any previous release (or any other point in time)

• Have a quick look at the sources using a web interface

27

• See which person changed a specific piece of code

• and much more

The web interface to the Git repository

If you need a quick look at the Wireshark source code you can browse the most recent file versions
in the master branch using Gitweb:

https://code.wireshark.org/review/gitweb?p=wireshark.git;a=tree

You can also view commit logs, branches, tags, and past revisions:

https://code.wireshark.org/review/gitweb?p=wireshark.git

Like most revision control systems, Git uses branching to manage different copies of the source
code and allow parallel development. Wireshark uses the following branches for official releases:

• master: Main feature development and odd-numbered "feature" releases.

• master-x.y: Stable release maintenance. For example, master-1.10 is used to manage the 1.10.x
official releases.

Obtain the Wireshark sources

There are several ways to obtain the sources from Wireshark’s Git repository.

Check out from the master branch using Git.

Using Git is much easier than synchronizing your source tree by hand using any of the

TIP

NOTE

The age mentioned in the following sections indicates the age of the most recent change in that set
of the sources.

snapshot methods mentioned below. Git merges changes into your personal source
tree in a very comfortable and quick way. So you can update your source tree several
times a day without much effort.

Keep your sources up to date

The following ways to retrieve the Wireshark sources are sorted in decreasing
source timeliness. If you plan to commit changes you’ve made to the sources, it’s a
good idea to keep your private source tree as current as possible.

Git over SSH or HTTPS

Recommended for development purposes.

Age: a few minutes.

28

You can use a Git client to download the source code from Wireshark’s code review system. Anyone
can clone from the anonymous git URL:

• https://code.wireshark.org/review/wireshark

If you create a Gerrit account you can clone from an authenticated URL:

• ssh://your.username@code.wireshark.org:29418/wireshark

• https://your.username@code.wireshark.org/review/wireshark

SSH lets you use Gerrit on the command line. HTTP lets you access the repository in environments
that block the Gerrit SSH port (29418). At the time of this writing (early 2014) we recommend that
you use the SSH interface. However, this may change as more tools take advantage of Gerrit’s HTTP
REST API.

The following example shows how to get up and running on the command line. See Git client for
information on installing and configuring graphical Git and Gerrit clients.

1. Sign in to https://code.wireshark.org/review using OpenID (click Register or Sign In in the upper
right corner of the web page). Follow the login instructions.

2. In the upper right corner of the web page, click on your account name and select Settings.

3. Under Profile set a username. This will be the username that you use for SSH access. For the
steps below we’ll assume that your username is henry.perry.

4. Select SSH Public Keys and add one or more keys. You will typically upload a key for each
computer that you use.

5. Install git-review. This is an installable package in many Linux distributions. You can also install
it as a Python package. (This step isn’t strictly necessary but it makes working with Gerrit much
easier.) To install it from Chocolatey run

# Make sure "Scripts" is in our path
PS$>$env:path += ";C:\tools\python2\Scripts"
PS$>choco install pip
PS$>choco install git-review -source python

6. Now on to the command line. First, make sure git works:

$ git --version

7. If this is your first time using Git, make sure your username and email address are configured.
This is particularly important if you plan on uploading changes.

29

$ git config --global user.name "Henry Perry"
$ git config --global user.email henry.perry@example.com

8. Next, clone the Wireshark master:

$ git clone ssh://henry.perry@code.wireshark.org:29418/wireshark

The checkout only has to be done once. This will copy all the sources of the latest version
(including directories) from the server to your machine. This may take some time depending on
the speed of your internet connection.

9. Then set up the git pre-commit hook and the push address:

$ cd wireshark
$ cp tools/pre-commit .git/hooks/
$ git config --add remote.origin.push HEAD:refs/for/master

This will run a few basic checks on commit to make sure that the code does not contain trivial
errors. It will also warn if it is out of sync with its master copy in the tools/ directory. The change
in the push address is necessary: We have an asymmetric process for pulling and pushing
because of gerrit.

10. Initialize git-review.

$ git review -s

This prepares your local repository for use with Gerrit, including installing the commit-msg hook
script.

Git web interface

Recommended for informational purposes only, as only individual files can be downloaded.

Age: a few minutes (same as anonymous Git access).

The entire source tree of the Git repository is available via a web interface at

https://code.wireshark.org/review/gitweb?p=wireshark.git. You can view each revision of a

particular file, as well as diffs between different revisions. You can also download individual files
but not entire directories.

30

Buildbot Snapshots

Recommended for development purposes, if direct Git access isn’t possible (e.g. because of a
restrictive firewall).

Age: some number of minutes (a bit older than the Git access).

The Buildbot server will automatically start to generate a snapshot of Wireshark’s source tree after
a source code change is committed. These snapshots can be found at https://www.wireshark.org/

download/automated/src/.

If Git access isn’t possible, e.g. if the connection to the server isn’t possible because of a corporate
firewall, the sources can be obtained by downloading the Buildbot snapshots. However, if you are
going to maintain your sources in parallel to the "official" sources for some time, it’s recommended
to use the anonymous (or authenticated) Git access if possible (believe it, it will save you a lot of
time).

Released sources

Recommended for building pristine packages.

Age: from days to weeks.

The official source releases can be found at https://www.wireshark.org/download.html. You should
use these sources if you want to build Wireshark on your platform for with minimal or no changes,
such Linux distribution packages.

The differences between the released sources and the sources in the Git repository will keep on
growing until the next release is made. (At the release time, the released and latest Git repository
versions are identical again :-).

Update the Wireshark sources

After you’ve obtained the Wireshark sources for the first time, you might want to keep them in sync
with the sources at the upstream Git repository.

Take a look at the Buildbot first

TIP

As development evolves, the Wireshark sources are compilable most of the time — but
not always. You should take a look at https://buildbot.wireshark.org/trunk/waterfall
before fetching or pulling to make sure the builds are in good shape.

Update Using Git

After you clone Wireshark’s Git repository you can update by running

31

$ git status
$ git pull

Depending on your preferences and work habits you might want to run git pull --rebase or git

checkout -b my-topic-branch origin/master instead.

Fetching should only take a few seconds, even on a slow internet connection. It will update your
local repository history with changes from the official repository. If you and someone else have
changed the same file since the last update, Git will try to merge the changes into your private file
(this works remarkably well).

Update Using Source Archives

There are several ways to download the Wireshark source code (as described in Obtain the

Wireshark sources), but bringing the changes from the official sources into your personal source

tree is identical.

First of all, you will download the new .tar.xz file of the official sources the way you did it the first
time.

If you haven’t changed anything in the sources, you could simply throw away your old sources and
reinstall everything just like the first time. But be sure, that you really haven’t changed anything. It
might be a good idea to simply rename the "old" dir to have it around, just in case you remember
later that you really did change something before.

If you have changed your source tree, you have to merge the official changes since the last update
into your source tree. You will install the content of the .tar.xz file into a new directory and use a
good merge tool (e.g. http://winmerge.sourceforge.net/for Win32) to bring your personal source tree
in sync with the official sources again.

This method can be problematic and can be much more difficult and error-prone than using Git.

Build Wireshark

The sources contain several documentation files. It’s a good idea to read these files first. After
obtaining the sources, tools and libraries, the first place to look at is doc/README.developer. Inside
you will find the latest information for Wireshark development for all supported platforms.

Build Wireshark before changing anything

TIP

Building Wireshark for the first time depends on your platform.

32

It is a very good idea to first test your complete build environment (including running
and debugging Wireshark) before making any changes to the source code (unless
otherwise noted).

Building on Unix

The recommended (and fastest) way to build Wireshark is with CMake and Ninja:

# Starting from your Wireshark source directory, create a build directory
# alongside it.
$ cd ..
$ mkdir wireshark-ninja
$ cd wireshark-ninja
# Assumes your source directory is named "wireshark".
$ cmake -G Ninja ../wireshark
$ ninja (or cmake --build .)

If you need to build with a non-standard configuration, you can run

$ cmake -LH ../wireshark

to see what options you have.

Win32 native

Follow the build procedure in Build Wireshark to build Wireshark.

After the build process has successfully finished, you should find a Wireshark.exe and some other
files in the run\RelWithDebInfo directory.

Run generated Wireshark

Tip!

TIP

Unix/Linux

After a successful build you can run Wireshark right from the build directory. Still the program
would need to know that it’s being run from the build directory and not from its install location.
This has an impact on the directories where the program can find the other parts and relevant data
files.

An already installed Wireshark may interfere with your newly generated version in
various ways. If you have any problems getting your Wireshark running the first time,
it might be a good idea to remove the previously installed version first.

In order to run the Wireshark from the build directory set the environment variable

WIRESHARK_RUN_FROM_BUILD_DIRECTORY and run Wireshark. If your platform is properly setup, your

build directory and current working directory are not in your PATH, so the command line to launch

33

Wireshark would be:

$ WIRESHARK_RUN_FROM_BUILD_DIRECTORY=1 ./wireshark

There’s no need to run Wireshark as root user, you just won’t be able to capture. When you opt to
run Wireshark this way, your terminal output can be informative when things don’t work as
expected.

Win32 Native

During the build all relevant program files are collected in a subdirectory run\RelWithDebInfo. You
can run the program from there by launching the Wireshark.exe executable.

Debug Your Generated Wireshark

Unix/Linux

You can debug using command-line debuggers such as gdb, dbx, or lldb. If you prefer a graphic
debugger, you can use the Data Display Debugger (ddd).

Additional traps can be set on GLib by setting the G_DEBUG environment variable:

$ G_DEBUG=fatal_criticals ddd wireshark

See http://library.gnome.org/devel/glib/stable/glib-running.html

Win32 native

You can debug using the Visual Studio Debugger or WinDbg. See the section on using the Debugger

Tools.

Make changes to the Wireshark sources

As the Wireshark developers are working on many different platforms, a lot of editors are used to
develop Wireshark (emacs, vi, Microsoft Visual Studio and many, many others). There’s no
"standard" or "default" development environment.

There are several reasons why you might want to change the Wireshark sources:

• Add support for a new protocol (a new dissector)

• Change or extend an existing dissector

• Fix a bug

34

• Implement a glorious new feature

The internal structure of the Wireshark sources will be described in Wireshark Development.

Ask the wireshark-dev mailing list before you start a new development task.

If you have an idea what you want to add or change it’s a good idea to contact the

TIP

developer mailing list (see Mailing Lists) and explain your idea. Someone else might
already be working on the same topic, so a duplicated effort can be reduced. Someone
might also give you tips that should be thought about (like side effects that are
sometimes very hard to see).

Contribute your changes

If you have finished changing the Wireshark sources to suit your needs, you might want to
contribute your changes back to the Wireshark community. You gain the following benefits by
contributing your improvements:

• It’s the right thing to do. Other people who find your contributions useful will appreciate them,
and you will know that you have helped people in the same way that the developers of
Wireshark have helped you.

• You get free enhancements. By making your code public, other developers have a chance to make
improvements, as there’s always room for improvements. In addition someone may implement
advanced features on top of your code, which can be useful for yourself too.

• You save time and effort. The maintainers and developers of Wireshark will maintain your code
as well, updating it when API changes or other changes are made, and generally keeping it in
tune with what is happening with Wireshark. So if Wireshark is updated (which is done often),
you can get a new Wireshark version from the website and your changes will already be
included without any effort for you.

There’s no direct way to push changes to the Git repository. Only a few people are authorised to
actually make changes to the source code (check-in changed files). If you want to submit your
changes, you should upload them to the code review system at https://code.wireshark.org/review.
This requires you to set up git as described at Git over SSH or HTTPS.

Some tips for a good patch

Some tips that will make the merging of your changes into Git much more likely (and you want
exactly that, don’t you?):

• Use the latest Git sources. It’s a good idea to work with the same sources that are used by the
other developers. This usually makes it much easier to apply your patch. For information about
the different ways to get the sources, see Obtain the Wireshark sources.

• Update your sources just before making a patch. For the same reasons as the previous point.

35

• Inspect your patch carefully. Run git diff and make sure you aren’t adding, removing, or
omitting anything you shouldn’t.

• Find a good descriptive topic name for your patch. Short, specific names are preferred.
snowcone-machine-protocol is good, your name or your company name isn’t.

• Don’t put unrelated things into one large patch. A few smaller patches are usually easier to apply
(but also don’t put every changed line into a separate patch.

In general, making it easier to understand and apply your patch by one of the maintainers will
make it much more likely (and faster) that it will actually be applied.

Please remember

NOTE

Wireshark is a volunteer effort. You aren’t paying to have your code reviewed and
integrated.

Code Requirements

The core maintainers have done a lot of work fixing bugs and making code compile on the various
platforms Wireshark supports.

To ensure Wireshark’s source code quality, and to reduce the workload of the core maintainers,
there are some things you should think about before submitting a patch.

Pay attention to the coding guidelines

WARNING

• Follow the Wireshark source code style guide. Just because something compiles on your
platform, that doesn’t mean it’ll compile on all of the other platforms for which Wireshark is
built. Wireshark runs on many platforms, and can be compiled with a number of different
compilers. See Coding Stylefor details.

Ignoring the code requirements will make it very likely that your patch will be
rejected.

• Submit dissectors as built-in whenever possible. Developing a new dissector as a plugin is a good
idea because compiling and testing is quicker, but it’s best to convert dissectors to the built-in
style before submitting for check in. This reduces the number of files that must be installed with
Wireshark and ensures your dissector will be available on all platforms.

This is no hard-and-fast rule though. Many dissectors are straightforward so they can easily be
put into "the big pile", while some are ASN.1 based which takes a different approach, and some
multiple source file dissectors are more suitable to be placed separately as plugins.

• Ensure Wireshark Git Pre-Commit Hook is in the repository. In your local repository directory,
there will be a .git/hooks/ directory, with sample git hooks for running automatic actions before
and after git commands. You can also optionally install other hooks that you find useful.

In particular, the pre-commit hook will run every time you commit a change and can be used to

36

automatically check for various errors in your code. The sample git pre-commit hook simply
detects whitespace errors such as mixed tabs and spaces; to install it just remove the .sample
suffice from the existing pre-commit.sample file.

Wireshark provides a custom pre-commit hook which does additional Wireshark-specific API
and formatting checks, but it might return false positives. If you want to install it, copy the pre­commit file from the tools directory (cp ./tools/pre-commit .git/hooks/) and make sure it is
executable or it will not be run.

If the pre-commit hook is preventing you from committing what you believe is a valid change,
you can run git commit --no-verify to skip running the hooks. Warning: using --no-verify avoids
the commit-msg hook, and thus will not automatically add the required Change-ID to your
commit. In case you are not updating an existing patch you may generate a Change-ID by
running git review -i (or git commit --amend if don’t use git review).

Additionally, if your system supports symbolic links (like Linux), you can use them instead of
copying files. Running ln -s ./tools/pre-commit .git/hooks creates a symbolic link that will make
the hook to be up-to-date with the current master. The same can be done for commit-msg script.

• Fuzz test your changes! Fuzz testing is a very effective way to automatically find a lot of
dissector related bugs. You’ll take a capture file containing packets affecting your dissector and
the fuzz test will randomly change bytes in this file, so that unusual code paths in your dissector
are checked. There are tools available to automatically do this on any number of input files, see:

https://wiki.wireshark.org/FuzzTesting for details.

Uploading your changes

When you’re satisfied with your changes (and obtained any necessary approval from your
organization) you can upload them for review at https://code.wireshark.org/review. This requires a
Gerrit Code Review account as described at The Wireshark Git repository.

Changes should be pushed to a magical "refs/for" branch in Gerrit. For example, to upload your new
Snowcone Machine Protocol dissector you could push to refs/for/master with the topic "snowcone­machine":

$ git push ssh://my.username@code.wireshark.org:29418/wireshark
HEAD:refs/for/master/snowcone-machine

The username my.username is the one which was given during registration with the review system.

If you have git-review installed you can upload the change with a lot less typing:

# Note: The "-f" flag deletes your current branch.
$ git review -f

37

You can push using any Git client. Many clients have support for Gerrit, either built in or via an
additional module.

You might get one of the following responses to your patch request:

• Your patch is checked into the repository. Congratulations!

• You are asked to provide additional information, capture files, or other material. If you haven’t
fuzzed your code, you may be asked to do so.

• Your patch is rejected. You should get a response with the reason for rejection. Common reasons
include not following the style guide, buggy or insecure code, and code that won’t compile on
other platforms. In each case you’ll have to fix each problem and upload another patch.

• You don’t get any response to your patch. Possible reason: All the core developers are busy (e.g.,
with their day jobs or family or other commitments) and haven’t had time to look at your patch.
Don’t worry, if your patch is in the review system it won’t get lost.

If you’re concerned, feel free to add a comment to the patch or send an email to the developer’s list
asking for status. But please be patient: most if not all of us do this in our spare time.

Backporting a change

When a bug is fixed in the master branch it might be desirable or necessary to backport the fix to a
stable branch. You can do this in Git by cherry-picking the change from one branch to another.
Suppose you want to backport change 1ab2c3d4 from the master branch to master-1.10. Using
"pure Git" commands you would do the following:

38

# Create a new topic branch for the backport.
$ git checkout -b backport-g1ab2c3d4 origin/master-1.10

# Cherry-pick the change. Include a "cherry picked from..." line.
$ git cherry-pick -x 1ab2c3d4

# If there are conflicts, fix them.

# Compile and test the change.
$ make
$ ...

# OPTIONAL: Add entries to docbook/release-notes.asciidoc.
$ $EDITOR docbook/release-notes.asciidoc

# If you made any changes, update your commit:
$ git commit --amend -a

# Upload the change to Gerrit
$ git push ssh://my.username@code.wireshark.org:29418/wireshark HEAD:refs/for/master-

1.10/backport-g1ab2c3d4

If you want to cherry-pick a Gerrit change ID (e.g. I5e6f7890) you can use git review -X I5e6f7890
instead of git cherry-pick and git review instead of git push as described in the previous chapter.

Apply a patch from someone else

Sometimes you need to apply a patch to your private source tree. Maybe because you want to try a
patch from someone on the developer mailing list, or you want to check your own patch before
submitting.

Beware line endings

WARNING

Using patch

Given the file new.diff containing a unified diff, the right way to call the patch tool depends on what
the pathnames in new.diff look like. If they’re relative to the top-level source directory (for example,
if a patch to prefs.c just has prefs.c as the file name) you’d run it as:

If you have problems applying a patch, make sure the line endings (CR/LF) of
the patch and your source files match.

$ patch -p0 < new.diff

39

If they’re relative to a higher-level directory, you’d replace 0 with the number of higher-level
directories in the path, e.g. if the names are wireshark.orig/prefs.c and wireshark.mine/prefs.c, you’d
run it with:

$ patch -p1 < new.diff

If they’re relative to a subdirectory of the top-level directory, you’d run patch in that directory and
run it with -p0.

If you run it without -pat all, the patch tool flattens path names, so that if you have a patch file with
patches to CMakeLists.txt and wiretap/CMakeLists.txt, it’ll try to apply the first patch to the top-level
CMakeLists.txt and then apply the wiretap/CMakeLists.txt patch to the top-level CMakeLists.txt as
well.

At which position in the filesystem should the patch tool be called?

If the pathnames are relative to the top-level source directory, or to a directory above that directory,
you’d run it in the top-level source directory.

If they’re relative to a subdirectory — for example, if somebody did a patch to packet-ip.c and ran

diff or git diff in the epan/dissectors directory — you’d run it in that subdirectory. It is preferred

that people not submit patches like that, especially if they’re only patching files that exist in
multiple directories such as CMakeLists.txt.

Binary packaging

Delivering binary packages makes it much easier for the end-users to install Wireshark on their
target system. This section will explain how the binary packages are made.

Debian: .deb packages

The Debian Package is built using dpkg-buildpackage, based on information found in the source
tree under debian. See http://www.debian-administration.org/articles/336 for a more in-depth
discussion of the build process.

In the wireshark directory, type:

$ dpkg-buildpackage -rfakeroot -us -uc

to build the Debian Package.

Red Hat: .rpm packages

You can build an RPM package using the rpm-package target. The package version is derived from

40

the current git HEAD, so you must build from a git checkout.

The package is built using rpmbuild, which comes as standard on many flavours of Linux,
including Red Hat, Fedora, and openSUSE. The process creates a clean build environment in
${CMAKE_BINARY_DIR}/packaging/rpm/BUILD each time the RPM is built. The settings that control
the build are in ${CMAKE_SOURCE_DIR}/packaging/rpm/wireshark.spec.in. The generated SPEC file
contains CMake flags and other settings for the RPM build environment. Many of these come from
the parent CMake environment. Notable ones are:

• \_prefix is set to CMAKE_INSTALL_PREFIX. By default this is /usr/local. Pass

-DCMAKE_INSTALL_PREFIX=/usr to create a package that installs into /usr.

• Whether or not to create the “wireshark-qt” package (-DBUILD_wireshark).

• Lua, c-ares, nghttp2, and other library support (-DENABLE_...).

• Building with Ninja (-G Ninja).

In your build directory, type:

$ ninja rpm-package
# ...or, if you're using GNU make...
$ make rpm-package

to build the binary and source RPMs. When it is finished there will be a message stating where the
built RPM can be found.

This might take a while

This creates a tarball, extracts it, compiles Wireshark, and constructs a package. This
can take quite a long time. You can speed up the process by using Ninja. If you’re using

TIP

GNU make you can add the following to your ~/.rpmmacros file to enable parallel
builds:

%_smp_mflags -j %(grep -c processor /proc/cpuinfo)

Building the RPM package requires quite a few packages and libraries including GLib, gcc, bison,

flex, Asciidoctor, and Qt development tools such as uic and moc. The required Qt packages can

usually be obtained by installing the qt5-devel package. For a complete list of build requirements,
look for the “BuildRequires” lines in packaging/rpm/wireshark.spec.in.

macOS: .dmg packages

The macOS Package is built using macOS packaging tools, based on information found in the source
tree under packaging/macosx. It must be built using CMake. In your build directory, type:

41

$ make dmg_package

to build the macOS Package.

Win32: NSIS .exe installer

The Nullsoft Install System is a free installer generator for Windows systems. Instructions on
installing it can be found in Windows: NSIS (optional). NSIS is script based. You can find the main
Wireshark installer generation script at packaging/nsis/wireshark.nsi.

When building with CMake you must first build the nsis_package_prep target, followed by the
nsis_package target, e.g.

> msbuild /m /p:Configuration=RelWithDebInfo nsis_package_prep.vcxproj
> msbuild /m /p:Configuration=RelWithDebInfo nsis_package.vcxproj

Splitting the packaging projects in this way allows for code signing.

This might take a while

TIP

If everything went well, you will now find something like: wireshark-setup-2.9.0.exe in the
packaging/nsis directory in your build directory.

Please be patient while the package is compressed. It might take some time, even on
fast machines.

Win32: PortableApps .paf.exe package

PortableApps.com is an environment that lets users run popular applications from portable media
such as flash drives and cloud drive services.

Install the PortableApps.com Platform. Install for “all users”, which will place it in C:\PortableApps.
Add the following apps:

• NSIS Portable (Unicode)

• PortableApps.com Installer

• PortableApps.com Launcher

• PortableApps.com AppCompactor

When building with CMake you must first build the nsis_package_prep target (which takes care of
general packaging dependencies), followed by the portableapps_package target, e.g.

42

> msbuild /m /p:Configuration=RelWithDebInfo nsis_package_prep.vcxproj
> msbuild /m /p:Configuration=RelWithDebInfo portableapps_package.vcxproj

This might take a while

TIP

Please be patient while the package is compressed. It might take some time, even on
fast machines.

If everything went well, you will now find something like: WiresharkPortable2.9.0.paf.exe_ in the
packaging/portableapps directory.

43

Tool Reference

Introduction

This chapter will provide you with information about the various tools needed for Wireshark
development. None of the tools mentioned in this chapter are needed to run Wireshark. They are
only needed to build it.

Most of these tools have their roots on UNIX or UNIX-like platforms such as Linux, but Windows
ports are also available. Therefore the tools are available in different "flavours":

• UNIX and UNIX-like platforms: The tools should be commonly available on the supported UNIX
and UNIX-like platforms and for Windows platforms by using an emulation layer such as
Cygwin.

• Windows native: Some tools are available as native Windows tools, no special emulation is
required. Many of these tools can be installed (and updated) using Chocolatey, a Windows
package manager similar to the Linux package managers apt-get or yum.

Follow the directions

WARNING

The following sections give a very brief description of what a particular tool is doing, how it is used
in the Wireshark project and how it can be installed and tested.

Documentation for these tools is outside the scope of this document. If you need further
information on using a specific tool you should find lots of useful information on the web, as these
tools are commonly used. You can also get help for the UNIX based tools with **toolname** --help
or the man page via man **toolname**.

You will find explanations of the tool usage for some of the specific development tasks in Work with

the Wireshark sources.

Unless you know exactly what you are doing, you should strictly follow the
recommendations given in Quick Setup.

Chocolatey

Chocolatey is a Windows package manager that can be used to install (and update) many of the
packages required for Wireshark development. Chocolatey can be obtained from the website or
from a Command Prompt:

C:\>@powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object
net.webclient).DownloadString(_https://chocolatey.org/install.ps1_))" && SET
PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin

44

or a Powershell prompt:

PS:\>iex ((new-object
net.webclient).DownloadString(_https://chocolatey.org/install.ps1_))

Chocolatey sometimes installs packages in unexpected locations. Python is a notable example.
While it’s typically installed in a top-level directory, e.g. C:\Python27 or in %PROGRAMFILES%, e.g.

C:\Program Files\Python36, Chocolatey tends to install it under C:\ProgramData\chocolatey or
C:\Tools. If you want to avoid this behavior you’ll probabaly want to install Python using the

packages from python.org.

Windows: Cygwin

Cygwin provides a lot of UNIX based tools on the Windows platform. It uses a UNIX emulation layer
which might be a bit slower compared to the native Windows tools, but at an acceptable level. The
installation and update is pretty easy and done through a single utility, setup-x86.exe for 32-bit
Windows and setup-x86_64.exe for 64-bit Windows. However, it can also be problematic. Cygwin
utilities have a non-standard view of the filesystem, and sometimes things don’t work as expected.
For example, many files in /usr/bin are symlinks which can’t be run directly from Windows.

Cygwin is no longer required

NOTE

In the past the Wireshark development toolchain depended on Cygwin, but it it no
longer required. Although you can often use the Cygwin version of a particular tool
for Wireshark development that’s not always the case.

CMake

Wireshark’s build environment can be configured using CMake on various UNIX-like platforms,
including Linux, macOS, and *BSD, and on Windows. CMake is designed to support out-of-tree
builds - so much so that in-tree builds do not work properly in all cases. Along with being cross­platform, CMake supports many build tools and environments including traditional make, Ninja,
and MSBuild. Our Buildbot runs CMake steps on Ubuntu, Win32, Win64, and macOS. In particular,
the macOS and Windows packages are built using CMake.

Building with CMake typically includes creating a build directory and specifying a generator, aka a
build tool. For example, to build Wireshark using Ninja in the directory wireshark-ninja you might
run the following commands:

45

# Starting from your Wireshark source directory, create a build directory
# alongside it.
$ cd ..
$ mkdir wireshark-ninja
$ cd wireshark-ninja
# Assumes your source directory is named "wireshark".
$ cmake -G Ninja ../wireshark
$ ninja (or cmake --build .)

Using CMake on Windows is described further in Generate the build files.

Along with specifying a generator with the -G flag you can set variables using the -D flag. Useful
variables and generators include the following:

-DBUILD_wireshark=OFF

Don’t build the Wireshark GUI application. Each command line utility has its own BUILD_xxx
flag as well. For example, you can use -DBUILD_mmdbresolve=OFF to disable mmdbresolve.

-DENABLE_CAP=OFF

Disable the POSIX capabilities check

-DCMAKE_BUILD_TYPE=Debug

Enable debugging symbols

-DCARES_INCLUDE_DIR=/your/custom/cares/include,

-DCARES_LIBRARY=/your/custom/cares/lib/libcares.so

Let you set the path to a locally-compiled version of c-ares. Most optional libraries have
xxx_INCLUDE_DIR and xxx_LIB flags that let you control their discovery.

-DPYTHON_EXECUTABLE=c:/Python36/python

Force the Python path. Useful on Windows since Cygwin’s /usr/bin/python is a symlink.

-DENABLE_APPLICATION_BUNDLE=OFF

Disable building an application bundle (Wireshark.app) on macOS

You can list all build variables (with help) by running cmake -LH [options]

../<Name_of_WS_source_dir>. This lists the cache of build variables after the cmake run. To only view

the current cache, add option -N.

After running cmake, you can always run make help to see a list of all possible make targets.

Note that CMake honors user umask for creating directories as of now. You should set the umask
explicitly before running the install target.

CMake links:

46

The home page of the CMake project: https://cmake.org/

Official documentation: https://cmake.org/documentation/

About CMake in general and why KDE4 uses it: http://lwn.net/Articles/188693/

Introductory tutorial/presentation: http://ait.web.psi.ch/services/linux/hpc/hpc_user_cookbook/

tools/cmake/docs/Cmake_VM_2007.pdf

Introductory article in the Linux Journal: http://www.linuxjournal.com/node/6700/print

Useful variables: http://www.cmake.org/Wiki/CMake_Useful_Variables

Frequently Asked Questions: http://www.cmake.org/Wiki/CMake_FAQ

GNU compiler toolchain (UNIX and UNIX-like platforms only)

gcc (GNU compiler collection)

The GCC C compiler is available for most of the UNIX-like platforms.

If GCC isn’t already installed or available as a package for your platform, you can get it at:

http://gcc.gnu.org/.

After correct installation, typing at the bash command line prompt:

$ gcc --version

should result in something like

gcc (Ubuntu 4.9.1-16ubuntu6) 4.9.1
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Your version string may vary, of course.

gdb (GNU project debugger)

GDB is the debugger for the GCC compiler. It is available for many (if not all) UNIX-like platforms.

If you don’t like debugging using the command line there are some GUI frontends for it available,
most notably GNU DDD.

47

If gdb isn’t already installed or available as a package for your platform, you can get it at:

http://www.gnu.org/software/gdb/gdb.html.

After correct installation:

$ gdb --version

should result in something like:

GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".

Your version string may vary, of course.

ddd (GNU Data Display Debugger)

The GNU Data Display Debugger is a good GUI frontend for GDB (and a lot of other command line
debuggers), so you have to install GDB first. It is available for many UNIX-like platforms.

If GNU DDD isn’t already installed or available as a package for your platform, you can get it at:

http://www.gnu.org/software/ddd/.

make (GNU Make)

GNU make isn’t supported either for Windows

NOTE

If GNU Make isn’t already installed or available as a package for your platform, you can get it at:

http://www.gnu.org/software/make/.

After correct installation:

GNU Make is available for most of the UNIX-like platforms.

48

$ make --version

should result in something like:

GNU Make 4.0
Built for x86_64-pc-linux-gnu
Copyright (C) 1988-2013 Free Software Foundation, Inc.
Licence GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Your version string may vary, of course.

Ninja

Ninja is an alternative to make, and is available for many of the UNIX-like platforms. It runs builds
faster than make does.

It is designed to have its build files generated by tools such as CMake; to generate build files for
Ninja, run CMake with the -G Ninja flag.

If Ninja isn’t already installed, see the list of suggestions for Ninja packages at: https://github.com/

ninja-build/ninja/wiki/Pre-built-Ninja-packages.

If Ninja isn’t already installed and isn’t available as a package for your platform, you can get it
from: https://ninja-build.org. You can download the source code or binaries for Linux, macOS, and
Windows (we have not tested Ninja on Windows).

Microsoft compiler toolchain (Windows native)

To compile Wireshark on Windows using the Microsoft C/C++ compiler, you’ll need:

1. C compiler (cl.exe)

2. Assembler (ml.exe for 32-bit targets and ml64.exe for 64-bit targets)

3. Linker (link.exe)

4. Resource Compiler (rc.exe)

5. C runtime headers and libraries (e.g. stdio.h, msvcrt.lib)

6. Windows platform headers and libraries (e.g. windows.h, WSock32.lib)

7. HTML help headers and libraries (htmlhelp.h, htmlhelp.lib)

49

Official Toolchain Packages And Alternatives

The official Wireshark 2.4.x releases are compiled using Microsoft Visual C++ 2015. The Wireshark

2.2.x and 2.0.x releases are compiled using Microsoft Visual C++ 2013. The Wireshark 1.12.x and

1.10.x releases were compiled using Microsoft Visual C++ 2010 SP1. The 1.8 releases were compiled
using Microsoft Visual C++ 2010 SP1 as well. The 1.6, 1.4, and 1.2 releases were compiled using
Microsoft Visual C++ 2008 SP1. Other past releases, including the 1.0 branch, were compiled using
Microsoft Visual C++ 6.0.

Using the release compilers is recommended for Wireshark development work.

The older "Express Edition" compilers such as Visual C++ 2010 Express Edition SP1 can be used but
any PortableApps packages you create with them will require the installation of a separate Visual
C++ Redistributable package on any machine on which the PortableApps package is to be used. See

C-Runtime "Redistributable" Files below for more details.

However, you might already have a different Microsoft C++ compiler installed. It should be possible
to use any of the following with the considerations listed:

Visual C++ 2013 Community Edition

IDE + Debugger?

Yes

Purchase required?

Free Download

SDK required for 64-bit builds?

No

CMake Generator: Visual Studio 12

Visual C++ 2010 Express Edition

IDE + Debugger?

Yes

Purchase required?

Free Download

SDK required for 64-bit builds?

Yes.

CMake Generator: Visual Studio 10

Remarks

Installers created using express editions require a C++ redistributable vcredist_x86.exe (3MB free
download) is required to build Wireshark-win32-2.9.0.exe, and vcredist_x64.exe is required to

50

build Wireshark-win64-2.9.0.exe. The version of vcredist_x86.exe or vcredist_x64.exe must match
the version for your compiler including any service packs installed for the compiler.]

Visual Studio 2010

IDE + Debugger?

Yes

Purchase required?

Yes

SDK required for 64-bit builds?

No

CMake Generator: Visual Studio 10

Remarks

Building a 64-bit installer requires a a C++ redistributable (vcredist_x86.exe).footnoteref[vcredist]

You can use Chocolatey to install Visual Studio, e.g:

PS:\> choco install VisualStudioCommunity2013

cl.exe (C Compiler)

The following table gives an overview of the possible Microsoft toolchain variants and their specific
C compiler versions ordered by release date.

Compiler Package cl.exe _MSC_VER CRT DLL

Visual Studio 2015 14.0 1900 msvcr140.dll

Visual Studio 2013 12.0 1800 msvcr120.dll

Visual Studio 2012 11.0 1700 msvcr110.dll

Visual Studio 2010 10.0 1600 msvcr100.dll

After correct installation of the toolchain, typing at the Visual Studio Command line prompt
(cmd.exe):

> cl

should result in something like:

51

Microsoft (R) C/{cpp} Optimizing Compiler Version 18.00.31101 for x86
Copyright (C) Microsoft Corporation. All rights reserved.

usage: cl [ option... ] filename... [ /link linkoption...

However, the version string may vary.

Documentation on the compiler can be found at Microsoft MSDN

link.exe (Linker)

After correct installation, typing at the Visual Studio Command line prompt (cmd.exe):

> link

should result in something like:

Microsoft (R) Incremental Linker Version 12.00.31101.0
Copyright (C) Microsoft Corporation. All rights reserved.

Êusage: LINK [options] [files] [@commandfile]
Ê...

However, the version string may vary.

Documentation on the linker can be found at Microsoft MSDN

C-Runtime "Redistributable" Files

Please note: The following is not legal advice - ask your preferred lawyer instead. It’s the authors
view and this view might be wrong.

Depending on the Microsoft compiler version you use, some binary files coming from Microsoft
might be required to be installed on Windows machine to run Wireshark. On a developer machine,
the compiler setup installs these files so they are available - but they might not be available on a
user machine!

This is especially true for the C runtime DLL (msvcr*.dll), which contains the implementation of
ANSI and alike functions, e.g.: fopen(), malloc(). The DLL is named like: msvcrversion.dll, an
abbreviation for "Microsoft Visual C Runtime". For Wireshark to work, this DLL must be available
on the users machine.

Starting with MSVC7, it is necessary to ship the C runtime DLL (msvcrversion.dll) together with the
application installer somehow, as that DLL is possibly not available on the target system.

52

Make sure you’re allowed to distribute this file

NOTE

The following MSDN link is recommended for the interested reader:

• Redistributing Visual C++ Files

In all cases where vcredist_x86.exe or vcredist_x64.exe is downloaded it should be downloaded to
the directory into which the support libraries for Wireshark have been downloaded and installed.
This directory is specified by the WIRESHARK_BASE_DIR or WIRESHARK_LIB_DIR environment
variables. It need not, and should not, be run after being downloaded.

msvcr120.dll / vcredist_x86.exe / vcredist_x64.exe - Version 12.0 (2013)

There are three redistribution methods that MSDN mentions for MSVC 2013 (see: "Choosing a

Deployment Method"):

1. Using Visual C++ Redistributable Package. The Microsoft libraries are installed by copying
vcredist_x64.exe or vcredist_x86.exe to the target machine and executing it on that machine
(MSDN recommends this for applications built with Visual Studio 2013)

The files to redistribute must be mentioned in the redist.txt file of the compiler
package. Otherwise it can’t be legally redistributed by third parties like us.

2. Using Visual C++ Redistributable Merge Modules. (Loadable modules for building msi installers.
Not suitable for Wireshark’s NSIS based installer)

3. Install a particular Visual C++ assembly as a private assembly for the application. The Microsoft
libraries are installed by copying the folder content of Microsoft.VC120.CRT to the target
directory (e.g. C:\Program Files\Wireshark)

To save installer size, and to make a portable version of Wireshark (which must be completely self­contained, on a medium such as a flash drive, and not require that an installer be run to install
anything on the target machine) possible, when building 32-bit Wireshark with MSVC2013, method
3 (copying the content of Microsoft.VC120.CRT) is used (this produces the smallest package).

Windows (Platform) SDK

The Windows Platform SDK (PSDK) or Windows SDK is a free (as in beer) download and contains
platform specific headers and libraries (e.g. windows.h, WSock32.lib, etc.). As new Windows features
evolve in time, updated SDK’s become available that include new and updated APIs.

When you purchase a commercial Visual Studio or use the Community Edition, it will include an
SDK. The free Express (as in beer) downloadable C compiler versions (VC++ 2012 Express, VC++
2012 Express, etc.) do not contain an SDK — you’ll need to download a PSDK in order to have the
required C header files and libraries.

Older versions of the SDK should also work. However, the command to set the environment settings
will be different, try search for SetEnv.* in the SDK directory.

53

Documentation Toolchain

Wireshark’s documentation is split across two directories. The doc directory contains man pages
written in Perl’s POD (Plain Old Documentation) format. The docbook directory contains the User’s
Guide, Developer’s Guide, and the release notes, which are written in Asciidoctor markup.

Our various output formats are generated using the following tools. Intermediate formats are in
italics.

Guide HTML

Asciidoctor → DocBook XML → xsltproc + DocBook XSL

Guide PDF

Asciidoctor

Guide HTML Help

Asciidoctor → DocBook XML → xsltproc + DocBook XSL → HHC

Release notes HTML

Asciidoctor

Release notes text

Asciidoctor → HTML → html2text.py

Asciidoctor

Asciidoctor comes in several flavors: a Ruby gem (Asciidoctor), a Java bundle (AsciidoctorJ), and

transpiled JavaScript (Asciidoctor.js). Only the Asciidoctor and AsciidoctorJ flavors are supported
for building the Wireshark documentation and AsciidoctorJ is recommended.

The guides and release notes were originally written in DocBook (hence the directory name). They
were later converted to AsciiDoc and then migrated to Asciidoctor. compat-mode is currently enabled
for the guides, but we are steadily migrating to Asciidoctor’s modern (>= 1.5.0) syntax.

PDF output requires Asciidoctor PDF. It is included with AsciidoctorJ but not with Asciidoctor.

Xsltproc And DocBook

The single HTML, chunked HTML, and HTML Help guides are generated using DocBook XSL
stylesheets. They in turn require an XSLT processor. We use xsltproc.

HTML Help

HTML Help is used to create the User’s and Developer’s Guide in .chm format. The User’s Guide
.chm file is included with the NSIS and WiX installers and is used as Wireshark’s built-in help on
Windows.

54

This compiler is used to generate a .chm file from a bunch of HTML files — in our case to generate
the User’s and Developer’s Guide in .chm format.

The compiler is only available as the free (as in beer) "HTML Help Workshop" download. If you
want to compile the guides yourself, you need to download and install this. If you don’t install it
into the default directory, you may also have a look at the HHC_DIR setting in the file
docbook/Makefile.

The files htmlhelp.c and htmlhelp.lib are required to be able to open .chm files from Wireshark and
show the online help. Both files are part of the SDK (standalone (P)SDK or MSVC since 2002).

Debugger

Using a good debugger can save you a lot of development time.

The debugger you use must match the C compiler Wireshark was compiled with, otherwise the
debugger will simply fail or you will only see a lot of garbage.

Visual Studio integrated debugger

You can use the integrated debugger of Visual Studio if your toolchain includes it. Open the solution
in your build directory and build and debug as normal with a Visual Studio solution.

To set the correct paths for Visual Studio when running Wireshark under the debugger, add the
build output directory to the path before opening Visual Studio from the same command prompt,
e.g.

C:\Development\wsbuild32>set PATH="%PATH%;C:\Development\wsbuild32\run\RelwithDebInfo"
C:\Development\wsbuild32>wireshark.sln

for PowerShell use

PS C:\Development\wsbuild32>$env:PATH += ";$(Convert-Path run\RelWithDebInfo)"
PS C:\Development\wsbuild32>wireshark.sln

When Visual Studio has finished loading the solution, set the executable to be run in the debugger,
e.g. Executables\Wireshark, by right clicking it in the Solution Explorer window and selecting "Set
as StartUp Project". Also set the Solution Configuration (usually RelWithDebInfo) from the droplist
on the toolbar.

NOTE

Currently Visual Studio regards a command line build as incomplete, so will report
that some items need to be built when starting the debugger. These can either be
rebuilt or ignored as you wish.

55

The normal build is an optimised release version so debugging can be a bit difficult as variables are
optimised out into registers and the execution order of statements can jump around.

If you require a non-optimised version, then build using a debug configuration.

Debugging Tools for Windows

You can also use the Microsoft Debugging Tools for Windows toolkit, which is a standalone GUI
debugger. Although it’s not that comfortable compared to debugging with the Visual Studio
integrated debugger it can be helpful if you have to debug on a machine where an integrated
debugger is not available.

You can get it free of charge from Microsoft in several ways, see the Debugging tools for Windows
page.

You can also use Chocolatey to install WinDbg:

PS:\> choco install windbg

To debug Wireshark using WinDbg, open the built copy of Wireshark using the File → Open
Executable… menu, i.e. C:\Development\wsbuild32\run\RelWithDebInfo\Wireshark.exe. To set a
breakpoint open the required source file using the File → Open Source File… menu and then click
on the required line and press F9. To run the program, press F5.

If you require a non-optimised version, then build using a debug configuration, e.g. msbuild /m

/p:Configuration=Debug Wireshark.sln. The build products will be found in

C:\Development\wsbuild32\run\Debug\.

bash

The bash shell is needed to run several shell scripts.

UNIX and UNIX-like platforms: GNU Bash

Bash (the GNU Bourne-Again SHell) is available for most UNIX and UNIX-like platforms. If it isn’t
already installed or available as a package for your platform, you can get it at http://www.gnu.org/

software/bash/bash.html.

After correct installation, typing at the bash command line prompt:

$ bash --version

should result in something like:

56

GNU bash, version 4.4.12(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2016 Free Software Foundation, Inc.

Your version string will likely vary.

Python

Python is an interpreted programming language. It is used to generate some source files,

documenation, and other tasks. Python 2.5 or later (including Python 3) should work fine and
Python 3 is recommended. It may be required in the future.

Python is either included or available as a package on most UNIX-like platforms. Windows packages
and source are available at http://python.org/download/. The Cygwin Python package is not
recommended since /usr/bin/python is a symbolic link, which causes confusion outside Cygwin.

You can also use Chocolatey to install Python:

PS:\> choco install Python3

or

PS:\> choco install Python2

Chocolatey installs Python into C:\tools\python3 or C:\tools\python2 by default. You can verify your
Python version by running

$ python --version

on UNIX-like platforms and

rem Official package
C:> cd python35
C:Python35> python --version

rem Chocolatey
C:> cd \tools\python3
C:\tools\python3> python --version

on Windows. You should see something like

57

Python 3.5.1

Your version string may vary of course.

Perl

Perl is an interpreted programming language. The homepage of the Perl project is

http://www.perl.com. Perl is used to convert various text files into usable source code. Perl version

5.6 and above should work fine.

UNIX and UNIX-like platforms: Perl

Perl is available for most UNIX and UNIX-like platforms. If perl isn’t already installed or available
as a package for your platform, you can get it at http://www.perl.com/.

After correct installation, typing at the bash command line prompt:

$ perl --version

should result in something like:

This is perl 5, version 26, subversion 0 (v5.26.0) built for x86_64-linux-gnu-thread­multi
(with 62 registered patches, see perl -V for more detail)

Copyright 1987-2017, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl". If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.

However, the version string may vary.

Windows Native: Perl

A native Windows Perl package can be obtained from Active State or Strawberry Perl. The
installation should be straightforward.

You may also use Chocolatey to install either package:

58

PS:\> choco install ActivePerl

or

PS:\> choco install StrawberryPerl

After correct installation, typing at the command line prompt (cmd.exe):

> perl -v

should result in something like:

This is perl, v5.8.0 built for MSWin32-x86-multi-thread
(with 1 registered patch, see perl -V for more detail)

Copyright 1987-2002, Larry Wall

Binary build 805 provided by ActiveState Corp. http://www.ActiveState.com
Built 18:08:02 Feb 4 2003
...

However, the version string may vary.

Bison

Bison is a parser generator used for some of Wireshark’s file format support.

UNIX and UNIX-like platforms: Bison

Bison is available for most UNIX and UNIX-like platforms. See the next section for native Windows
options.

If GNU Bison isn’t already installed or available as a package for your platform you can get it at:

http://www.gnu.org/software/bison/bison.html.

After correct installation running the following

$ bison --version

should result in something like:

59

bison (GNU Bison) 2.3
Written by Robert Corbett and Richard Stallman.

Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Your version string may vary.

Windows Native: Win flex-bison and bison

A native Windows version of bison is available in the winflexbison Chocolatey package. Note that
the executable is named win_bison.

Native packages are available from other sources such as GnuWin and Cygwin. They aren’t
officially supported but should work.

Flex

Flex is a lexical analyzer generator used for Wireshark’s display filters, some file formats, and other
features.

UNIX and UNIX-like platforms: flex

Flex is available for most UNIX and UNIX-like platforms. See the next section for native Windows
options.

If GNU flex isn’t already installed or available as a package for your platform you can get it at

http://www.gnu.org/software/flex/.

After correct installation running the following

$ flex --version

should result in something like:

flex version 2.5.4

Your version string may vary.

Windows Native: Win flex-bison and flex

A native Windows version of flex is available in the winflexbison Chocolatey package. Note that the

60

executable is named win_flex.

PS:\>choco install winflexbison

Native packages are available from other sources such as GnuWin. They aren’t officially supported
but should work.

Git client

The Wireshark project uses its own Git repository to keep track of all the changes done to the
source code. Details about the usage of Git in the Wireshark project can be found in The Wireshark

Git repository.

If you want to work with the source code and are planning to commit your changes back to the
Wireshark community, it is recommended to use a Git client to get the latest source files. For
detailed information about the different ways to obtain the Wireshark sources, see Obtain the

Wireshark sources.

You will find more instructions in Git over SSH or HTTPS on how to use the Git client.

UNIX and UNIX-like platforms: git

Git is available for most UNIX and UNIX-like platforms. If Git isn’t already installed or available as a
package for your platform, you can get it at: http://git-scm.com/.

After correct installation, typing at the bash command line prompt:

$ git --version

should result in something like:

git version 2.14.1

Your version will likely be different.

Windows Native: git

The Git command line tools for Windows can be found at http://git-scm.com/download/win and can
also be installed using Chocolatey:

PS:\> choco install git

61

After correct installation, typing at the command line prompt (cmd.exe):

> git --version

should result in something like:

git version 2.16.1.windows.1

However, the version string may vary.

Git Powershell Extensions (optional)

A useful tool for command line git on Windows is PoshGit. Poshgit provides git command
completion and alters the prompt to indicate the local working copy status. You can install it using
Chocolatey:

PS:\>choco install poshgit

Git GUI client (optional)

Along with the traditional command-line client, several GUI clients are available for a number of
platforms. See http://git-scm.com/downloads/guis for details.

patch (optional)

The patch utility is used to merge a diff file into your own source tree. This tool is only needed, if
you want to apply a patch (diff file) from someone else (probably from the developer mailing list) to
try out in your own private source tree.

It most cases you may not need the patch tool installed. Git and Gerrit should handle patches for
you.

You will find more instructions in Apply a patch from someone elseon how to use the patch tool.

UNIX and UNIX-like platforms: patch

Patch is available for most UNIX and UNIX-like platforms. If GNU patch isn’t already installed or
available as a package for your platform, you can get it at http://www.gnu.org/software/patch/

patch.html.

After correct installation, typing at the bash command line prompt:

62

$ patch --version

should result in something like:

patch 2.5.8
Copyright (C) 1988 Larry Wall
Copyright (C) 2002 Free Software Foundation, Inc.

This program comes with NO WARRANTY, to the extent permitted by law.
You may redistribute copies of this program
under the terms of the GNU General Public License.
For more information about these matters, see the file named COPYING.

written by Larry Wall and Paul Eggert

However, the version string may vary.

Windows native: patch

The Windows native Git tools provide patch. A native Windows patch package can be obtained
from http://gnuwin32.sourceforge.net/. The installation should be straightforward.

Windows: NSIS (optional)

The NSIS (Nullsoft Scriptable Install System) is used to generate Wireshark-win32-2.9.0.exe from all
the files needed to be installed, including all required DLLs, plugins, and supporting files.

To install it, download the latest released version from http://nsis.sourceforge.net. NSIS v3 is
required. You can also install it using Chocolatey:

PS$> choco install nsis

You can find more instructions on using NSIS in Win32: NSIS .exe installer.

Windows: PortableApps (optional)

The PortableApps.com Installer is used to generate WiresharkPortable-2.9.0.paf.exe from all the files
needed to be installed, including all required DLLs, plugins, and supporting files.

To install it, do the following:

• Download the latest PortableApps.com Platform release from http://portableapps.com/.

63

• Install the following applications in the PortableApps.com environment:

◦ PortableApps.com Installer

◦ PortableApps.com Launcher

◦ NSIS Portable (Unicode)

◦ PortableApps.com AppCompactor

You can find more instructions on using the PortableApps.com Installer in Win32: PortableApps

.paf.exe package.

64

Library Reference

Introduction

Several libraries are needed to build and run Wireshark. Most of them are split into three packages:

1. Runtime. System and third party libraries such as MSVCR110.dll and libglib-2.0-0.dll.

2. Developer. Documentation, header files, import libraries, and other files needed for compilation.

3. Source. Library sources, which are usually not required to build Wireshark.

Our libraries are freely available

All libraries required to build Wireshark on Windows are available for download at

TIP

Binary library formats

https://anonsvn.wireshark.org/wireshark-win32-libs/trunk/packages/ and
https://anonsvn.wireshark.org/wireshark-win64-libs/trunk/packages/. See Win32:
Automated Library Download for an easier way to install them.

Binary libraries are available in different formats, depending on the C compiler used to build it and
of course the platform they were built for.

Unix

If you have installed unix binary libraries on your system, they will match the C compiler. If not
already installed, the libraries should be available as a package from the platform installer, or you
can download and compile the source and then install the binaries.

Win32: MSVC

Most of the Win32 binary libraries you will find on the web are in this format. You will recognize
MSVC libraries by the .lib/.dll file extension.

Win32: Automated Library Download

The required libraries (apart from Qt) are automatically downloaded as part of the CMake
generation step, and subsequently as required when libraries are updated.

The libraries are downloaded into the directory indicated by the environment variable
WIRESHARK_BASE_DIR, this must be set appropriately for your environment. The libraries are
downloaded and extracted into WIRESHARK_BASE_DIR\wireshark-win32-libs and
WIRESHARK_BASE_DIR\wireshark-win64-libs for 32 and 64 bit builds respectively.

You may also directly set the library directory with the environment variable

65

WIRESHARK_LIB_DIR, but if you switch between 32 bit and 64 bit builds, the value of this must be
set appropriately.

Qt

The Qt library is used to build the UI for Wireshark and is used to provide a platform independent
UI. Wireshark can be built with Qt 5.2 or later.

For more information on the Qt libraries, see The Qt Application Framework.

Unix

Most Linux distributions provide Qt and its development libraries as standard packages. The
required libraries and tools will likely be split across several packages. For example, building on
Ubuntu requires qttools5-dev, qttools5-dev-tools, libqt5svg5-dev, qtmultimedia5-dev, and possibly
others.

The Qt Project provides an installation tool for macOS, similar to Windows. It is available at

https://www.qt.io/download-open-source/#section-2.

Win32 MSVC

Qt5 must be installed manually from the Qt installers page https://www.qt.io/download-open-

source/#section-2 using the version of Qt appropriate for your compiler. Note that separate

installations (into different directories) of Qt are required for 32 bit and 64 bit builds. The
environment variable QT5_BASE_DIR should be set as appropriate for your environment and
should point to the Qt directory that contains the bin directory, e.g. C:\Qt\5.9.5\msvc2017_64.

GLib And Supporting Libraries

The GLib library is used as a basic platform abstraction library and can be used in both CLI and GUI
applications. For a detailed description about GLib see The GLib library.

GLib depends on GNU libiconv, GNU gettext, and other libraries. You will typically not come into
contact with these while doing Wireshark development. Wireshark’s build system check for and
require both GLib and its dependencies.

Unix

The GLib library is available for most Linux distributions and UNIX flavors. If it isn’t already
installed and isn’t available as a package for your platform, you can get it at http://www.gtk.org.

Win32 MSVC

You can get the latest version at http://www.gtk.org.

66

SMI (optional)

LibSMI is used for MIB and PIB parsing and for OID resolution.

Unix

If this library isn’t already installed or available as a package for your platform, you can get it at

http://www.ibr.cs.tu-bs.de/projects/libsmi/.

Win32 MSVC

Wireshark uses the source libSMI distribution at http://www.ibr.cs.tu-bs.de/projects/libsmi/. LibSMI
is cross-compiled using MinGW32. It’s stored in the libsmi zip archive at

https://anonsvn.wireshark.org/wireshark-win32-libs/trunk/packages/.

c-ares (optional)

C-Ares is used for asynchronous DNS resolution. This is the primary name resolution library in
Wireshark.

Unix

If this library isn’t already installed or available as a package for your platform, you can get it at

http://c-ares.haxx.se/.

Win32 MSVC

C-Ares is cross-compiled using MinGW32 and is available at https://anonsvn.wireshark.org/

wireshark-win32-libs/trunk/packages/.

zlib (optional)

zlib is designed to be a free, general-purpose, legally unencumbered — that
is, not covered by any patents — lossless data-compression library for use
on virtually any computer hardware and operating system.

— The zlib web site, http://www.zlib.net/

Unix

This library is almost certain to be installed on your system. If it isn’t or you don’t want to use the
default library you can download it from http://www.zlib.net/.

67

Win32 MSVC

The zlib sources are downloaded from https://anonsvn.wireshark.org/wireshark-win32-libs/trunk/

packages/ and compiled locally.

libpcap/WinPcap (optional)

Libpcap and WinPcap provide that packet capture capabilities that are central to Wireshark’s core
functionality.

Unix: libpcap

If this library isn’t already installed or available as a package for your platform, you can get it at

http://www.tcpdump.org/.

Win32 MSVC: WinPcap

You can get the “Windows packet capture library” at: https://www.winpcap.org/install/

GnuTLS (optional)

The GNU Transport Layer Security Library is used to dissect SSL and TLS protocols (aka: HTTPS).

Unix

If this library isn’t already installed or available as a package for your platform, you can get it at

https://www.gnu.org/software/gnutls/download.html.

Win32 MSVC

We provide a package cross-compiled using MinGW32 at https://anonsvn.wireshark.org/wireshark-

win32-libs/trunk/packages/.

Gcrypt

The Gcrypt Library is a low-level cryptographic library that provides support for many ciphers and
message authentication codes, such as DES, 3DES, AES, Blowfish, SHA-1, SHA-256, and others.

Unix

If this library isn’t already installed or available as a package for your platform, you can get it at

https://directory.fsf.org/wiki/Libgcrypt.

68

Win32 MSVC

Part of our GnuTLS package.

Kerberos (optional)

The Kerberos library is used to dissect Kerberos, sealed DCERPC and secureLDAP protocols.

Unix

If this library isn’t already installed or available as a package for your platform, you can get it at

http://web.mit.edu/Kerberos/dist/.

Win32 MSVC

We provide a package at https://anonsvn.wireshark.org/wireshark-win32-libs/trunk/packages/.

LUA (optional)

The LUA library is used to add scripting support to Wireshark.

Unix

If this library isn’t already installed or available as a package for your platform, you can get it at

http://www.lua.org/download.html.

Win32 MSVC

We provide a copy of the official package at https://anonsvn.wireshark.org/wireshark-win32-libs/

trunk/packages/.

MaxMindDB (optional)

MaxMind Inc. publishes a set of IP geolocation databases and related open source libraries. They
can be used to map IP addresses to geographical locations and other information.

If libmaxminddb library isn’t already installed or available as a package for your platform, you can
get it at https://github.com/maxmind/libmaxminddb.

We provide a package for Windows at https://anonsvn.wireshark.org/wireshark-win32-libs/trunk/

packages/.

69

WinSparkle (optional)

WinSparkle is an easy-to-use software update library for Windows developers.

Win32 MSVC

We provide a copy of the WinSparkle package at https://anonsvn.wireshark.org/wireshark-win32-

libs/trunk/packages/.

70

Wireshark Development

Wireshark Development

The second part describes how the Wireshark sources are structured and how to change the
sources such as adding a new dissector.

71

How Wireshark Works

Introduction

This chapter will give you a short overview of how Wireshark works.

Overview

The following will give you a simplified overview of Wireshark’s function blocks:

72

Figure 1. Wireshark function blocks

The function blocks in more detail:

GUI

Handling of all user input/output (all windows, dialogs and such). Source code can be found in

73

the ui/qt directory.

Core

Main "glue code" that holds the other blocks together. Source code can be found in the root
directory.

Epan

Enhanced Packet ANalyzer — the packet analyzing engine. Source code can be found in the epan
directory. Epan provides the following APIs:

• Protocol Tree. Dissection information for an individual packet.

• Dissectors. The various protocol dissectors in epan/dissectors.

• Dissector Plugins - Support for implementing dissectors as separate modules. Source code
can be found in plugins.

• Display Filters - The display filter engine at epan/dfilter.

Wiretap

The wiretap library is used to read and write capture files in libpcap, pcapng, and many other
file formats. Source code is in the wiretap directory.

Capture

The interface with the capture engine. Source code is in the root directory.

Dumpcap

The capture engine itself. This is the only part that is to execute with elevated privileges. Source
code is in the root directory.

WinPcap and libpcap

These are separate libraries that provide packet capture and filtering support on different
platforms. The filtering WinPcap and libpcap works at a much lower level than Wireshark’s
display filters and uses a significantly different mechanism. That’s why we have different
display and capture filter syntaxes.

Capturing packets

Capturing takes packets from a network adapter and saves them to a file on your hard disk.

Since raw network adapter access requires elevated privileges these functions are isolated into the

dumpcap program. It’s only this program that needs these privileges, allowing the main part of the

code (dissectors, user interface, etc) to run with normal user privileges.

To hide all the low-level machine dependent details from Wireshark, the libpcap and WinPcap (see

libpcap/WinPcap (optional)) libraries are used. These libraries provide a general purpose interface

to capture packets and are used by a wide variety of applications.

74

Capture Files

Wireshark can read and write capture files in its natural file formats, pcapng and pcap, which are
used by many other network capturing tools, such as tcpdump. In addition to this, as one of its
strengths, Wireshark can read and write files in many different file formats of other network
capturing tools. The wiretap library, developed together with Wireshark, provides a general
purpose interface to read and write all the file formats. If you need to add support for another
capture file format this is the place to start.

Dissect packets

While Wireshark is loading packets from a file each packet is dissected. Wireshark tries to detect
the packet type and gets as much information from the packet as possible. In this run though, only
the information shown in the packet list pane is needed.

As the user selects a specific packet in the packet list pane this packet will be dissected again. This
time, Wireshark tries to get every single piece of information and put it into the packet details pane.

75

Introduction

Source overview

Wireshark consists of the following major parts:

• Packet dissection - in the /epan/dissector and /plugin/\* directories

• File I/O - using Wireshark’s own wiretap library

• Capture - using the libpcap/winpcap library, in /wiretap

• User interface - using Qt and associated libraries

• Utilities - miscellaneous helper code

• Help - using an external web browser and text output

Coding Style

The coding style guides for Wireshark can be found in the "Code style" section of the file
doc/README.developer.

The GLib library

GLib is used as a basic platform abstraction library. It doesn’t provide any direct GUI functionality.

To quote the GLib Reference Manual:

GLib provides the core application building blocks for libraries and
applications written in C. It provides the core object system used in GNOME,
the main loop implementation, and a large set of utility functions for strings
and common data structures.

GLib contains lots of useful things for platform independent development. See

https://developer.gnome.org/glib/ for details about GLib.

76

Packet capturing

This chapter needs to be reviewed and extended.

How to add a new capture type to libpcap

The following is an updated excerpt from a developer mailing list mail about adding ISO 9141 and
14230 (simple serial line card diagnostics) to Wireshark:

For libpcap, the first thing you’d need to do would be to get DLT_* values for all the link-layer
protocols you’d need. If ISO 9141 and 14230 use the same link-layer protocol, they might be able to
share a DLT_* value, unless the only way to know what protocols are running above the link layer is
to know which link-layer protocol is being used, in which case you might want separate DLT_*
values.

For the rest of the libpcap discussion, I’ll assume you’re working with libpcap 1.0 or later and that
this is on a UN*X platform. You probably don’t want to work with a version older than 1.0, even if
whatever OS you’re using happens to include libpcap - older versions are not as friendly towards
adding support for devices other than standard network interfaces.

Then you’d probably add to the pcap_open_live() routine, for whatever platform or platforms this
code should work, something such as a check for device names that look like serial port names and,
if the check succeeds, a call to a routine to open the serial port.

See, for example, the #ifdef HAVE_DAG_API code in pcap-linux.c and pcap-bpf.c.

The serial port open routine would open the serial port device, set the baud rate and do anything
else needed to open the device. It’d allocate a pcap_t, set its fd member to the file descriptor for the
serial device, set the snapshot member to the argument passed to the open routine, set the linktype
member to one of the DLT_* values, and set the selectable_fd member to the same value as the fd
member. It should also set the dlt_count member to the number of DLT_* values to support, and
allocate an array of dlt_count u_int`s, assign it to the `dlt_list member, and fill in that list with
all the DLT_* values.

You’d then set the various _*_op fields to routines to handle the operations in question. read_op is
the routine that’d read packets from the device. inject_op would be for sending packets; if you don’t
care about that, you’d set it to a routine that returns an error indication. setfilter_op can probably
just be set to install_bpf_program. set_datalink would just set the linktype member to the specified
value if it’s one of the values for OBD, otherwise it should return an error. getnonblock_op can
probably be set to pcap_getnonblock_fd. setnonblock_op can probably be set to pcap_setnonblock_fd.

stats_op would be set to a routine that reports statistics. close_op can probably be set to
pcap_close_common.

If there’s more than one DLT_* value, you definitely want a set_datalink routine so that the user can

77

select the appropriate link-layer type.

For Wireshark, you’d add support for those DLT_* values to wiretap/libpcap.c, which might mean
adding one or more WTAP_ENCAP types to wtap.h and to the encap_table[] table in wiretap/wtap.c.
You’d then have to write a dissector or dissectors for the link-layer protocols or protocols and have
them register themselves with the wtap_encap dissector table, with the appropriate WTAP_ENCAP
values by calling dissector_add_uint().

Extcap: Developer Guide

The extcap interface is a versatile plugin interface that allows external binaries to act as capture
interfaces directly in Wireshark. It is used in scenarios, where the source of the capture is not a
traditional capture model (live capture from an interface, from a pipe, from a file, etc). The typical
example is connecting esoteric hardware of some kind to the main Wireshark app.

Without extcap, a capture can always be achieved by directly writing to a capture file:

Bash example for traditional capture with a capture file.

$ the-esoteric-binary --the-strange-flag --interface=stream1 --file dumpfile.pcap &
$ wireshark dumpfile.pcap

but the extcap interface allows for such a connection to be easily established and configured using
the Wireshark GUI.

The extcap subsystem is made of multiple extcap binaries that are automatically called by the GUI
in a row. In the following chapters we will refer to them as "the extcaps".

Extcaps may be any binary or script within the extcap directory. Please note, that scripts need to be
executable without prefacing a script interpreter before the call.

Windows Users Because of restrictions directly calling the script may not

IMPORTANT

always work. In such a case, a batch file may be provided, which then in
turn executes the script. Please refer to Execute a script-based extcap on

Windows for more information.

Extcap command line interface

The actual capture is run after a setup process that can be made manually by the user or
automatically by the GUI. All the steps performed are done for every extcap.

Let’s go through those steps.

78

Query for available interfaces

In the first step the extcap is queried for its interfaces.

$ extcapbin --extcap-interfaces

This call must print the existing interfaces for this extcap and must return 0. The output must
conform to the grammar specified for extcap, and it is specified in the doc/extcap.4 generated man
page (in the build dir).

Since Wireshark 2.9 this call is extended with --extcap-version x.x, which will allways represent
the calling Wireshark’s version information. This can be used to change behavior depending on the
Wireshark version in question.

Example call for interface query

$ extcap_examply.py --extcap-interfaces --extcap-version 3.0
extcap {version=1.0}{help=Some help url}
interface {value=example1}{display=Example interface 1 for extcap}
interface {value=example2}{display=Example interface 2 for extcap}

The version for the extcap sentence (which may exist as many times as is needed, but only the last
one will be used) will be used for displaying the version information of the extcap interface in the
about dialog of Wireshark.

The value for each interface will be used in subsequent calls as the interface name IFACE.

Using the help argument, an interface may provide a generic help URL for the extcap utility.

Ask for DLT’s to each interface

The extcap binary is queried for all valid DLTs for all the interfaces returned by step 1.

$ extcap_examply.py --extcap-dlts --extcap-interface IFACE

This call must print the valid DLTs for the interface specified. This call is made for all the interfaces
and must return 0.

Example for the DLT query

$ extcap_examply.py --extcap-interface IFACE --extcap-dlts
dlt {number=147}{name=USER1}{display=Demo Implementation for Extcap}

A binary or script, which neither provides an interface list or a DLT list will not show up in the

79

extcap interfaces list.

The extcap configuration interface

The extcap binary is asked for the configuration of a specific interface

$ extcap_examply.py --extcap-interface IFACE --extcap-config

Each interface can have custom options that are valid for this interface only. Those config options
are specified on the command line when running the actual capture. To allow an end-user to
specify certain options, such options may be provided using the extcap config argument.

To share which options are available for an interface, the extcap responds to the command --extcap

-config, that shows all the available options (aka additional command line options).

Those options are automatically presented via a dialog to the user for the individual interface.

Example for interface options

$ extcap_examply.py --extcap-interface IFACE --extcap-config
arg {number=0}{call=--delay}{display=Time delay}{tooltip=Time delay between
packages}{type=integer}{range=1,15}{required=true}
arg {number=1}{call=--message}{display=Message}{tooltip=Package message
content}{placeholder=Please enter a message here ...}{type=string}
arg {number=2}{call=--verify}{display=Verify}{tooltip=Verify package
content}{type=boolflag}
arg {number=3}{call=--remote}{display=Remote Channel}{tooltip=Remote Channel
Selector}{type=selector}
arg {number=4}{call=--server}{display=IP address for log
server}{type=string}{validation=\\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0­9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b}
value {arg=3}{value=if1}{display=Remote1}{default=true}
value {arg=3}{value=if2}{display=Remote2}{default=false}

Now the user can click on the options and change them. They are sent to the extcap when the
capture is launched.

There are three kind of options available:

Flag

boolflag for instance expects the option to be present resulting in the corresponding entry set to
true, false otherwise

Value

are value based options and each expect a single value via the command-line call

80

Selection

are selections and can be presented multiple times in the command line. Both expect subsequent
"value" items in the config list, with the corresponding argument selected via arg

The capture process

Once the interfaces are listed and configuration is customized by the user the capture is started.

$ extcap_examply.py --extcap-interface IFACE [params] --capture [--extcap-capture­filter CFILTER]
Ê --fifo FIFO

To run the capture, the extcap must implement the --capture, --extcap-capture-filter and --fifo
option.

They are automatically added by Wireshark that opens the fifo for reading. All the other options
are automatically added to run the capture. The extcap interface is used like all other interfaces
(meaning that capture on multiple interfaces, as well as stopping and restarting the capture is
supported).

Execute a script-based extcap on Windows

To use scripts on Windows, please generate an <scriptname>.bat inside the extcap folder, with the
following content (in this case for a Python-based extcap utility):

@echo off
<Path to python interpreter> <Path to script file> %*

Windows is not able to execute most scripts directly (Powershell being an exception), which also
goes for all other script-based formats besides VBScript and PowerShell

Extcap Arguments

The extcap interface provides the possibility for generating a GUI dialog to set and adapt settings
for the extcap binary.

All options must provide a number, by which they are identified. No NUMBER may be provided twice.
Also all options must present the elements CALL and DISPLAY, where call provides the arguments
name on the command-line and display the name in the GUI.

Additionally TOOLTIP and PLACEHOLDER may be provided, which will give the user an explanation
within the GUI, about what to enter into this field.

These options do have types, for which the following types are being supported:

81

INTEGER, UNSIGNED, LONG, DOUBLE

This provides a field for entering a numeric value of the given data type. A DEFAULT value may
be provided, as well as a RANGE

arg {number=0}{call=--delay}{display=Time delay}{tooltip=Time delay between
packages}{type=integer}{range=1,15}{default=0}

STRING

Let the user provide a string to the capture

arg {number=1}{call=--server}{display=IP Address}{tooltip=IP Address for log
server}{type=string}{validation=\\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0­9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b}

validation allows to provide a regular expression string, which is used to check the user input

for validity beyond normal data type or range checks. Back-slashes must be escaped (as in \\b for
\b)

PASSWORD

Let the user provide a masked string to the capture. Password strings are not saved, when the
extcap configuration is being saved

arg {number=0}{call=--password}{display=The user password}{tooltip=The password for
the connection}{type=password}

BOOLEAN, BOOLFLAG

This provides the possibility to set a true/false value. BOOLFLAG values will only appear in the
command-line if set to true, otherwise they will not be added to the command-line call for the
extcap interface

arg {number=2}{call=--verify}{display=Verify}{tooltip=Verify package
content}{type=boolflag}

FILESELECT

Let the user provide a filepath to the capture. If MUSTEXIST is being provided, the GUI checks if
the file exists.

arg {number=3}{call=--logfile}{display=Logfile}{tooltip=A file for log
messages}{type=fileselect}{mustexist=false}

82

SELECTOR, RADIO, MULTICHECK

Optionfields, where the user may choose one or more options from. If PARENT is provided for
the value items, the option fields for MULTICHECK and SELECTOR are being presented in a tree­like structure. SELECTOR and RADIO values must present a default value, which will be the
value provided to the extcap binary for this argument

arg {number=3}{call=--remote}{display=Remote Channel}{tooltip=Remote Channel
Selector}{type=selector}
value {arg=3}{value=if1}{display=Remote1}{default=true}
value {arg=3}{value=if2}{display=Remote2}{default=false}

Reload a selector

A selector may be reloaded from the configuration dialog of the extcap application within
Wireshark. With the reload argument (defaults to false), the entry can be marked as reloadable.

arg {number=3}{call=--remote}{display=Remote Channel}{tooltip=Remote Channel
Selector}{type=selector}{reload=true}{placeholder=Load interfaces...}

After this has been defined, the user will get a button displayed in the configuration dialog for this
extcap application, with the text "Load interfaces…" in this case, and a generic "Reload" text if no
text has been provided.

The extcap utility is then called again with all filled out arguments and the additional parameter

--extcap-reload-option <option_name>. It is expected to return a value section for this option, as it

would during normal configuration. The provided option list is then presented as the selection, a
previous selected option will be reselected if applicable.

Validation of arguments

Arguments may be set with {required=true} which enforces a value being provided, before a
capture can be started using the extcap options dialog. This is not being checked, if the extcap is
started via a simple double-click. The necessary fields are marked for the customer, to ensure a
visibility for the end customer of the required argument.

Additionally text and number arguments may also be checked using a regular expression, which is
provided using the validation attribute (see example above). The syntax for such a check is the
same as for Qt RegExp classes. This feature is only active in the Qt version of Wireshark.

Toolbar Controls

An extcap utility can provide configuration for controls to use in an interface toolbar. These
controls are bidirectional and can be used to control the extcap utility while capturing.

83

This is useful in scenarios where configuration can be done based on findings in the capture
process, setting temporary values or give other inputs without restarting the current capture.

Example of interface definition with toolbar controls

$ extcap_example.py --extcap-interfaces
extcap {version=1.0}{display=Example extcap interface}
interface {value=example1}{display=Example interface 1 for extcap}
interface {value=example2}{display=Example interface 2 for extcap}
control {number=0}{type=string}{display=Message}{tooltip=Package message content. Must
start with a capital letter.}{validation=[A-Z]+}{required=true}
control {number=1}{type=selector}{display=Time delay}{tooltip=Time delay between
packages}
control {number=2}{type=boolean}{display=Verify}{default=true}{tooltip=Verify package
content}
control {number=3}{type=button}{display=Turn on}{tooltip=Turn on or off}
control {number=4}{type=button}{role=logger}{display=Log}{tooltip=Show capture log}
value {control=1}{value=1}{display=1 sec}
value {control=1}{value=2}{display=2 sec}{default=true}

All controls will be presented as GUI elements in a toolbar specific to the extcap utility. The extcap
must not rely on using those controls (they are optional) because of other capturing tools not using
GUI (e.g. tshark, tfshark).

Controls

The controls are similar to the ARGUMENTS, but without the CALL element. All controls may be
given a default value at startup and most can be changed during capture, both by the extcap and
the user (depending on the type of control).

All controls must provide a NUMBER, by which they are identified. No NUMBER may be provided
twice. Also all options must present the elements TYPE and DISPLAY, where TYPE provides the type
of control to add to the toolbar and DISPLAY the name in the GUI.

Additionally TOOLTIP and PLACEHOLDER may be provided, which will give the user an
explanation within the GUI.

All controls, except from the logger, help and restore buttons, may be disabled (and enabled) in GUI
by the extcap during capture. This can be because of set-once operations, or operations which takes
some time to complete.

All control values which are changed by the user (not equal to the default value) will be sent to the
extcap utility when starting a capture. The extcap utility may choose to discard initial values and
set new values, depending on implementation.

These TYPEs are defined as controls:

84

BOOLEAN

This provides a checkbox with the possibility to set a true/false value.

The extcap utility can set a default value at startup, and can change (set) and receive value
changes while capturing. When starting a capture the GUI will send the value if different from
the default value.

The payload is one byte with binary value 0 or 1.

Valid Commands: Set value, Enable, Disable.

BUTTON

This provides a button with different ROLEs:

CONTROL

This button will send a signal when pressed. This is the default if no role is configured. The
button is only enabled when capturing.

The extcap utility can set the button text at startup, and can change (set) the button text and
receive button press signals while capturing. The button is disabled and the button text is
restored to the default text when not capturing.

The payload is either the button text or empty (signal).

Valid Commands: Set value, Enable, Disable.

LOGGER

This provides a logger mechanism where the extcap utility can send log entries to be
presented in a log window. This communication is unidirectional.

The payload is the log entry, and should be ended with a newline. Maximum length is 65535
bytes.

Valid Commands: Set log entry, Add log entry.

The Set command will clear the log before adding the entry.

HELP

This button opens the help page, if configured. This role has no controls and will not be used
in communication.

Valid Commands: NONE.

RESTORE

This button will restore all control values to default. This role has no controls and will not be
used in communication. The button is only enabled when not capturing.

85

Valid Commands: NONE.

SELECTOR

This provides a combo box with fixed values which can be selected.

The extcap utility can set default values at startup, and add and remove values and receive
change in value selection while capturing. When starting a capture the GUI will send the value if
different from the default value.

The payload is a string with the value, and optionally a string with a display value if this is
different from the value. This two string values are separated by a null character.

Valid Commands: Set selected value, Add value, Remove value, Enable, Disable.

If value is empty the Remove command will remove all entries.

STRING

This provides a text edit line with the possibility to set a string or any value which can be
represented in a string (integer, float, date, etc.).

The extcap utility can set a default string value at startup, and can change (set) and receive value
changes while capturing. When starting a capture the GUI will send the value if different from
the default value.

The payload is a string with the value. Maximum length is 32767 bytes.

Valid Commands for control: Set value, Enable, Disable.

The element VALIDATION allows to provide a regular expression string, which is used to check
the user input for validity beyond normal data type or range checks. Back-slashes must be
escaped (as in \\b for \b).

Messages

In addition to the controls it’s possible to send a single message from the extcap utility to the user.
This message can be put in the status bar or displayed in a information, warning or error dialog
which must be accepted by the user. This message does not use the NUMBER argument so this can
have any value.

Control Protocol

The protocol used to communicate over the control pipes has a fixed size header of 6 bytes and a
payload with 0 - 65535 bytes.

Table 2. Control packet:

Sync Pipe Indication (1 byte)

86

Message Length

(3 bytes network order)

Control Number (1 byte)

Command (1 byte)

Payload

(0 - 65535 bytes)

Sync Pipe Indication:

The common sync pipe indication. This protocol uses the value 'T'.

Message Length:

Payload length + 2 bytes for control number and command.

Control Number:

Unique number to identify the control. This number also gives the order of the
controls in the interface toolbar.

Table 3. Commands and application for controls

Command

Command Name Control type

Byte

0 Initialized none

1 Set boolean / button / logger / selector / string

2 Add logger / selector

3 Remove selector

4 Enable boolean / button / selector / string

5 Disable boolean / button / selector / string

6 Statusbar message none

7 Information message none

8 Warning message none

9 Error message none

Payload Length:

The length of the following payload. Maximum length is 65535 bytes.

The Initialized command will be sent from the GUI to the extcap utility when all user changed
control values are sent after starting a capture. This is an indication that the GUI is ready to receive
control values.

87

The GUI will only send Initialized and Set commands. The extcap utility shall not send the

Initialized command.

Messages with unknown control number or command will be silently ignored.

88

Packet dissection

How it works

Each dissector decodes its part of the protocol, and then hands off decoding to subsequent
dissectors for an encapsulated protocol.

Every dissection starts with the Frame dissector which dissects the packet details of the capture file
itself (e.g. timestamps). From there it passes the data on to the lowest-level data dissector, e.g. the
Ethernet dissector for the Ethernet header. The payload is then passed on to the next dissector (e.g.
IP) and so on. At each stage, details of the packet will be decoded and displayed.

Dissection can be implemented in two possible ways. One is to have a dissector module compiled
into the main program, which means it’s always available. Another way is to make a plugin (a
shared library or DLL) that registers itself to handle dissection.

There is little difference in having your dissector as either a plugin or built-in. On the Windows
platform you have limited function access through the ABI exposed by functions declared as
WS_DLL_PUBLIC.

The big plus is that your rebuild cycle for a plugin is much shorter than for a built-in one. So
starting with a plugin makes initial development simpler, while the finished code may make more
sense as a built-in dissector.

Read README.dissector

NOTE

The file doc/README.dissector contains detailed information about implementing a
dissector. In many cases it is more up to date than this document.

Adding a basic dissector

Let’s step through adding a basic dissector. We’ll start with the made up "foo" protocol. It consists of
the following basic items.

• A packet type - 8 bits, possible values: 1 - initialisation, 2 - terminate, 3 - data.

• A set of flags stored in 8 bits, 0x01 - start packet, 0x02 - end packet, 0x04 - priority packet.

• A sequence number - 16 bits.

• An IPv4 address.

Setting up the dissector

The first decision you need to make is if this dissector will be a built-in dissector, included in the
main program, or a plugin.

89

Plugins are the easiest to write initially, so let’s start with that. With a little care, the plugin can be
made to run as a built-in easily too so we haven’t lost anything.

Example 1. Dissector Initialisation.

#include "config.h"

#include <epan/packet.h>

#define FOO_PORT 1234

static int proto_foo = -1;

void
proto_register_foo(void)
{
Ê proto_foo = proto_register_protocol (
Ê "FOO Protocol", /* name */
Ê "FOO", /* short name */
Ê "foo" /* abbrev */
Ê );
}

Let’s go through this a bit at a time. First we have some boilerplate include files. These will be
pretty constant to start with.

Next we have an int that is initialised to -1 that records our protocol. This will get updated when we
register this dissector with the main program. It’s good practice to make all variables and functions
that aren’t exported static to keep name space pollution down. Normally this isn’t a problem unless
your dissector gets so big it has to span multiple files.

Then a #define for the UDP port that carries foo traffic.

Now that we have the basics in place to interact with the main program, we’ll start with two
protocol dissector setup functions.

First we’ll call proto_register_protocol() which registers the protocol. We can give it three names
that will be used for display in various places. The full and short name are used in e.g. the
"Preferences" and "Enabled protocols" dialogs as well as the generated field name list in the
documentation. The abbreviation is used as the display filter name.

Next we need a handoff routine.

90

Example 2. Dissector Handoff.

void
proto_reg_handoff_foo(void)
{
Ê static dissector_handle_t foo_handle;

Ê foo_handle = create_dissector_handle(dissect_foo, proto_foo);
Ê dissector_add_uint("udp.port", FOO_PORT, foo_handle);
}

What’s happening here? We are initialising the dissector. First we create a dissector handle; It is
associated with the foo protocol and with a routine to be called to do the actual dissecting. Then we
associate the handle with a UDP port number so that the main program will know to call us when it
gets UDP traffic on that port.

The standard Wireshark dissector convention is to put proto_register_foo() and

proto_reg_handoff_foo() as the last two functions in the dissector source.

Now at last we get to write some dissecting code. For the moment we’ll leave it as a basic
placeholder.

Example 3. Dissection.

static int
dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *data
_U_)
{
Ê col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO");
Ê /* Clear out stuff in the info column */
Ê col_clear(pinfo->cinfo,COL_INFO);

Ê return tvb_captured_length(tvb);
}

This function is called to dissect the packets presented to it. The packet data is held in a special
buffer referenced here as tvb. We shall become fairly familiar with this as we get deeper into the
details of the protocol. The packet info structure contains general data about the protocol, and we
can update information here. The tree parameter is where the detail dissection takes place.

For now we’ll do the minimum we can get away with. In the first line we set the text of this to our
protocol, so everyone can see it’s being recognised. The only other thing we do is to clear out any
data in the INFO column if it’s being displayed.

91

At this point we should have a basic dissector ready to compile and install. It doesn’t do much at
present, other than identify the protocol and label it.

In order to compile this dissector and create a plugin a couple of support files are required, besides
the dissector source in packet-foo.c:

• CMakeLists.txt - Contains the CMake file and version info for this plugin.

• packet-foo.c - Your dissector source.

• plugin.rc.in - Contains the DLL resource template for Windows. (optional)

You can find a good example for these files in the gryphon plugin directory. CMakeLists.txt has to be
modified with the correct plugin name and version info, along with the relevant files to compile. In
the main top-level source directory, copy CMakeListsCustom.txt.example to CMakeListsCustom.txt
and add the path of your plugin to the list in CUSTOM_PLUGIN_SRC_DIR.

Compile the dissector to a DLL or shared library and either run Wireshark from the build directory
as detailed in Run generated Wireshark or copy the plugin binary into the plugin directory of your
Wireshark installation and run that.

Dissecting the details of the protocol

Now that we have our basic dissector up and running, let’s do something with it. The simplest thing
to do to start with is to just label the payload. This will allow us to set up some of the parts we will
need.

The first thing we will do is to build a subtree to decode our results into. This helps to keep things
looking nice in the detailed display.

Example 4. Plugin Packet Dissection.

static int
dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{

Ê col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO");
Ê /* Clear out stuff in the info column */
Ê col_clear(pinfo->cinfo,COL_INFO);

Ê proto_item *ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA);

Ê return tvb_captured_length(tvb);
}

What we’re doing here is adding a subtree to the dissection. This subtree will hold all the details of

92

this protocol and so not clutter up the display when not required.

We are also marking the area of data that is being consumed by this protocol. In our case it’s all that
has been passed to us, as we’re assuming this protocol does not encapsulate another. Therefore, we
add the new tree node with proto_tree_add_item(), adding it to the passed in tree, label it with the
protocol, use the passed in tvb buffer as the data, and consume from 0 to the end (-1) of this data.
ENC_NA ("not applicable") is specified as the "encoding" parameter.

After this change, there should be a label in the detailed display for the protocol, and selecting this
will highlight the remaining contents of the packet.

Now let’s go to the next step and add some protocol dissection. For this step we’ll need to construct
a couple of tables that help with dissection. This needs some additions to the proto_register_foo()
function shown previously.

Two statically allocated arrays are added at the beginning of proto_register_foo(). The arrays are
then registered after the call to proto_register_protocol().

93

Example 5. Registering data structures.

void
proto_register_foo(void)
{
Ê static hf_register_info hf[] = {
Ê { &hf_foo_pdu_type,
Ê { "FOO PDU Type", "foo.type",
Ê FT_UINT8, BASE_DEC,
Ê NULL, 0x0,
Ê NULL, HFILL }
Ê }
Ê };

Ê /* Setup protocol subtree array */
Ê static gint *ett[] = {
Ê &ett_foo
Ê };

Ê proto_foo = proto_register_protocol (
Ê "FOO Protocol", /* name */
Ê "FOO", /* short name */
Ê "foo" /* abbrev */
Ê );

Ê proto_register_field_array(proto_foo, hf, array_length(hf));
Ê proto_register_subtree_array(ett, array_length(ett));
}

The variables hf_foo_pdu_type and ett_foo also need to be declared somewhere near the top of the
file.

Example 6. Dissector data structure globals.

static int hf_foo_pdu_type = -1;

static gint ett_foo = -1;

Now we can enhance the protocol display with some detail.

94

Example 7. Dissector starting to dissect the packets.

Ê proto_item *ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA);
Ê proto_tree *foo_tree = proto_item_add_subtree(ti, ett_foo);
Ê proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, 0, 1, ENC_BIG_ENDIAN);

Now the dissection is starting to look more interesting. We have picked apart our first bit of the
protocol. One byte of data at the start of the packet that defines the packet type for foo protocol.

The proto_item_add_subtree() call has added a child node to the protocol tree which is where we
will do our detail dissection. The expansion of this node is controlled by the ett_foo variable. This
remembers if the node should be expanded or not as you move between packets. All subsequent
dissection will be added to this tree, as you can see from the next call. A call to

proto_tree_add_item() in the foo_tree, this time using the hf_foo_pdu_type to control the formatting

of the item. The pdu type is one byte of data, starting at 0. We assume it is in network order (also
called big endian), so that is why we use ENC_BIG_ENDIAN. For a 1-byte quantity, there is no order
issue, but it is good practice to make this the same as any multibyte fields that may be present, and
as we will see in the next section, this particular protocol uses network order.

If we look in detail at the hf_foo_pdu_type declaration in the static array we can see the details of the
definition.

• hf_foo_pdu_type - The index for this node.

• FOO PDU Type - The label for this item.

• foo.type - This is the filter string. It enables us to type constructs such as foo.type=1 into the filter

box.

• FT_UINT8 - This specifies this item is an 8bit unsigned integer. This tallies with our call above
where we tell it to only look at one byte.

• BASE_DEC - For an integer type, this tells it to be printed as a decimal number. It could be
hexadecimal (BASE_HEX) or octal (BASE_OCT) if that made more sense.

We’ll ignore the rest of the structure for now.

If you install this plugin and try it out, you’ll see something that begins to look useful.

Now let’s finish off dissecting the simple protocol. We need to add a few more variables to the
hfarray, and a couple more procedure calls.

Example 8. Wrapping up the packet dissection.

...
static int hf_foo_flags = -1;
static int hf_foo_sequenceno = -1;

95

static int hf_foo_initialip = -1;
...

static int
dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
Ê gint offset = 0;

Ê ...
Ê proto_item *ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA);
Ê proto_tree *foo_tree = proto_item_add_subtree(ti, ett_foo);
Ê proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, offset, 1,
ENC_BIG_ENDIAN);
Ê offset += 1;
Ê proto_tree_add_item(foo_tree, hf_foo_flags, tvb, offset, 1, ENC_BIG_ENDIAN);
Ê offset += 1;
Ê proto_tree_add_item(foo_tree, hf_foo_sequenceno, tvb, offset, 2,
ENC_BIG_ENDIAN);
Ê offset += 2;
Ê proto_tree_add_item(foo_tree, hf_foo_initialip, tvb, offset, 4,
ENC_BIG_ENDIAN);
Ê offset += 4;
Ê ...

Ê return tvb_captured_length(tvb);
}

void
proto_register_foo(void) {
Ê ...
Ê ...
Ê { &hf_foo_flags,
Ê { "FOO PDU Flags", "foo.flags",
Ê FT_UINT8, BASE_HEX,
Ê NULL, 0x0,
Ê NULL, HFILL }
Ê },
Ê { &hf_foo_sequenceno,
Ê { "FOO PDU Sequence Number", "foo.seqn",
Ê FT_UINT16, BASE_DEC,
Ê NULL, 0x0,
Ê NULL, HFILL }
Ê },
Ê { &hf_foo_initialip,
Ê { "FOO PDU Initial IP", "foo.initialip",
Ê FT_IPv4, BASE_NONE,
Ê NULL, 0x0,
Ê NULL, HFILL }

96

Ê },
Ê ...
Ê ...
}
...

This dissects all the bits of this simple hypothetical protocol. We’ve introduced a new variable
offsetinto the mix to help keep track of where we are in the packet dissection. With these extra bits
in place, the whole protocol is now dissected.

Improving the dissection information

We can certainly improve the display of the protocol with a bit of extra data. The first step is to add
some text labels. Let’s start by labeling the packet types. There is some useful support for this sort of
thing by adding a couple of extra things. First we add a simple table of type to name.

Example 9. Naming the packet types.

static const value_string packettypenames[] = {
Ê { 1, "Initialise" },
Ê { 2, "Terminate" },
Ê { 3, "Data" },
Ê { 0, NULL }
};

This is a handy data structure that can be used to look up a name for a value. There are routines to
directly access this lookup table, but we don’t need to do that, as the support code already has that
added in. We just have to give these details to the appropriate part of the data, using the VALS
macro.

Example 10. Adding Names to the protocol.

Ê { &hf_foo_pdu_type,
Ê { "FOO PDU Type", "foo.type",
Ê FT_UINT8, BASE_DEC,
Ê VALS(packettypenames), 0x0,
Ê NULL, HFILL }
Ê }

This helps in deciphering the packets, and we can do a similar thing for the flags structure. For this
we need to add some more data to the table though.

97

Example 11. Adding Flags to the protocol.

#define FOO_START_FLAG 0x01
#define FOO_END_FLAG 0x02
#define FOO_PRIORITY_FLAG 0x04

static int hf_foo_startflag = -1;
static int hf_foo_endflag = -1;
static int hf_foo_priorityflag = -1;

static int
dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
Ê ...
Ê ...
Ê static const int* bits[] = {
Ê &hf_foo_startflag,
Ê &hf_foo_endflag,
Ê &hf_foo_priorityflag
Ê };

Ê proto_tree_add_bitmask(foo_tree, tvb, offset, hf_foo_flags, ett_foo, bits,
ENC_BIG_ENDIAN);
Ê offset += 1;
Ê ...
Ê ...
Ê return tvb_captured_length(tvb);
}

void
proto_register_foo(void) {
Ê ...
Ê ...
Ê { &hf_foo_startflag,
Ê { "FOO PDU Start Flags", "foo.flags.start",
Ê FT_BOOLEAN, 8,
Ê NULL, FOO_START_FLAG,
Ê NULL, HFILL }
Ê },
Ê { &hf_foo_endflag,
Ê { "FOO PDU End Flags", "foo.flags.end",
Ê FT_BOOLEAN, 8,
Ê NULL, FOO_END_FLAG,
Ê NULL, HFILL }
Ê },
Ê { &hf_foo_priorityflag,
Ê { "FOO PDU Priority Flags", "foo.flags.priority",

98

Ê FT_BOOLEAN, 8,
Ê NULL, FOO_PRIORITY_FLAG,
Ê NULL, HFILL }
Ê },
Ê ...
Ê ...
}
...

Some things to note here. For the flags, as each bit is a different flag, we use the type FT_BOOLEAN, as
the flag is either on or off. Second, we include the flag mask in the 7th field of the data, which
allows the system to mask the relevant bit. We’ve also changed the 5th field to 8, to indicate that we
are looking at an 8 bit quantity when the flags are extracted. Then finally we add the extra
constructs to the dissection routine.

This is starting to look fairly full featured now, but there are a couple of other things we can do to
make things look even more pretty. At the moment our dissection shows the packets as "Foo
Protocol" which whilst correct is a little uninformative. We can enhance this by adding a little more
detail. First, let’s get hold of the actual value of the protocol type. We can use the handy function

tvb_get_guint8() to do this. With this value in hand, there are a couple of things we can do. First we

can set the INFO column of the non-detailed view to show what sort of PDU it is - which is
extremely helpful when looking at protocol traces. Second, we can also display this information in
the dissection window.

99