How to build a Wireshark plug-in

I was developing a Wireshark plug-in over the last week, and I wanted to document all the steps it took to get it really, really working…

First off, I have to give a large credit to Ken Thompson’s CodeProject howto, this was a fantastic write-up, and is the basis of my notes.

The goals for my plug-in are:

  • Dissect a private protocol used in our product, i.e. the plug-in is intended for developer/support personnel only
  • Must work against the current downloadable Wireshark build

My differences from Ken’s notes are:

  1. You must use Visual Studio 6.0 if you want your plug-in to work with the official build
  2. I found that Ken’s list of Cygwin requirements was not complete, and the
    nmake -f Makefile.nmake setup

    step was trying to download extra packages. To get out past the work firewall I had to add

    set HTTP_PROXY=server_name:port

    to my Cygwin.bat

  3. I also had some problems with non-existent group-policy paths in the PATH environment variable interfering with VCVARS32.bat, so I added this line to reset the PATH
    set path=%SystemRoot%\system32

    in the Cygwin.bat before the VCVARS32.bat line

  4. I based my dissector on the agentx plug-in.
    plugins\agentx\*
  5. Borrowed how flags are done from the IP and UDP dissectors
    epan\dissectors\packet-ip.c, epan\dissectors\packet-udp.c
  6. Borrowed how to make the dissector match many UDP ports, based on how HTTP uses prefs_register_range_preference.
    epan\dissectors\packet-http.c
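To make items 5 and 6 concrete, here is an added stand-alone C example; it is not code from the original post and not Wireshark's own code. It models the two borrowed pieces: a header parser that decodes a flags byte into named bits (what packet-ip.c and packet-udp.c do with one hf field per bit carrying a bitmask), and a membership test against the kind of port-range string a user types into a prefs_register_range_preference preference. The "PV" header layout, the flag names, the function names and the sample packet are all constructed assumptions, and the real Wireshark calls (hf_register_info, proto_tree_add_item, prefs_register_range_preference, dissector_add_uint on "udp.port") are only named in comments so the block compiles without the Wireshark headers.

```c
/* Added example, not from the original post nor from Wireshark. Stand-alone
 * model of a private-protocol dissector's core: bounds-checked header parsing,
 * flag-bit decoding, and a UDP port-range preference match. The header layout
 * ("PV", version, flags, big-endian payload length) is a constructed assumption. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PRIV_HDR_LEN 6

enum {
    PRIV_FLAG_ACK   = 0x01,
    PRIV_FLAG_RETRY = 0x02,
    PRIV_FLAG_COMP  = 0x04,
    PRIV_FLAG_ENC   = 0x08
};

struct priv_hdr {
    uint8_t  version;
    uint8_t  flags;
    uint16_t payload_len;
};

/* Parse the header out of captured bytes. Returns 0 on success, -1 otherwise.
 * A dissector reads attacker-controlled input, so the declared payload length
 * is checked against what was actually captured before anything trusts it. */
int priv_dissect_header(const uint8_t *buf, size_t len, struct priv_hdr *out)
{
    if (buf == NULL || out == NULL || len < PRIV_HDR_LEN)
        return -1;
    if (buf[0] != 'P' || buf[1] != 'V')
        return -1;
    out->version = buf[2];
    out->flags = buf[3];
    out->payload_len = (uint16_t)((buf[4] << 8) | buf[5]);
    if ((size_t)out->payload_len > len - PRIV_HDR_LEN)
        return -1;                       /* declared length exceeds capture */
    return 0;
}

/* Render the flags byte as "ACK,COMP" etc. and return how many known bits were
 * set. In a real plug-in this is declarative: one hf_register_info entry per
 * bit with a .bitmask, each added with proto_tree_add_item under a flags subtree. */
int priv_format_flags(uint8_t flags, char *out, size_t outlen)
{
    static const struct { uint8_t bit; const char *name; } names[] = {
        { PRIV_FLAG_ACK, "ACK" }, { PRIV_FLAG_RETRY, "RETRY" },
        { PRIV_FLAG_COMP, "COMP" }, { PRIV_FLAG_ENC, "ENC" }
    };
    int count = 0;
    size_t used = 0;
    if (outlen == 0)
        return 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (flags & names[i].bit) {
            int n = snprintf(out + used, outlen - used, "%s%s",
                             count ? "," : "", names[i].name);
            if (n < 0 || (size_t)n >= outlen - used)
                break;
            used += (size_t)n;
            count++;
        }
    }
    return count;
}

/* Port-range preference: the user enters e.g. "5000-5010,6000"; Wireshark parses
 * it into a range_t and the dissector registers each port on "udp.port" with
 * dissector_add_uint. Returns 1 if port is covered, 0 if not, -1 if spec is malformed. */
int priv_port_in_range(const char *spec, unsigned port)
{
    const char *p = spec;
    for (;;) {
        char *end;
        unsigned long lo, hi;
        while (*p == ' ')
            p++;
        if (*p == '\0')
            return 0;
        lo = strtoul(p, &end, 10);
        if (end == p)
            return -1;
        hi = lo;
        if (*end == '-') {
            const char *q = end + 1;
            hi = strtoul(q, &end, 10);
            if (end == q)
                return -1;
        }
        if (lo > 65535 || hi > 65535 || lo > hi)
            return -1;
        if (port >= lo && port <= hi)
            return 1;
        while (*end == ' ')
            end++;
        if (*end == ',')
            end++;
        else if (*end != '\0')
            return -1;
        p = end;
    }
}

int main(void)
{
    /* constructed sample: "PV", version 1, flags ACK|COMP, payload length 3 */
    const uint8_t pkt[] = { 'P', 'V', 1, 0x05, 0x00, 0x03, 0xAA, 0xBB, 0xCC };
    struct priv_hdr h;
    char flags[64];
    if (priv_dissect_header(pkt, sizeof pkt, &h) == 0) {
        priv_format_flags(h.flags, flags, sizeof flags);
        printf("version=%u flags=%s payload_len=%u\n", h.version, flags, h.payload_len);
    }
    printf("5005 in \"5000-5010,6000\": %d\n", priv_port_in_range("5000-5010,6000", 5005));
    return 0;
}
```

The length check in priv_dissect_header is the part worth carrying over to the real plug-in: Wireshark's tvb accessors throw a bounds exception for you, but a dissector that copies a length field into its own arithmetic before checking it is exactly where malformed captures cause trouble.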

It’s been a fantastic learning experience, lots of banging my head against C code rules, but the output has been very useful.


5 Responses to How to build a Wireshark plug-in

  1. sam says:

    Hi!
    I am a student in France, doing an internship for 4 months;
    my 1st mission is to develop a plugin that decodes a Protocol used in the company.
    I have installed all the development environment of wireshark
    But I do not know how to begin. !!!!!!!!!!

    Thank you for your help

  2. Simeon says:

    Hello Sam,

    Well if you have Wireshark building, start by capturing some packets, and decode them as you see them. That’s how I did it.

  3. sam says:

    Hi Simeon,
    Thank you for your counsel.
    I have advanced a little in my project; I will let you know if I have a problem, if that doesn’t bother you.

  4. Manoj says:

    Hi,

    I am using VS2008 C++ express to build the code
    I had installed Cygwin on my machine
    But when I run this command in CMD "nmake -f Makefile.nmake setup" it is throwing an error saying unrecognized command "nmake"?

    Any guess??
    Do I need to install anything else?

    Manoj.

    • Simeon says:

      Hello Manoj,

      If you do a Windows search for “nmake” in your “Program Files” directory you should find at least one, if not many copies. Go one level higher up, and you should see a batch file “vcvarsall.bat”; this is what you want to run to set up your paths for that Visual Studio install.

      Simeon
