How to build a Wireshark plug-in

I was developing a Wireshark plug-in over the last week, and I wanted to document all the steps it took to get it really really working…

First off, I have to give a large credit to Ken Thompson’s CodeProject how-to; it was a fantastic write-up, and it is the basis of my notes.

The goals for my plug-in are:

  • Dissect a private protocol used in our product, i.e. the plug-in is intended for developer/support personnel only
  • Must work against the current downloadable Wireshark build

My differences from Ken’s notes are:

  1. You must use Visual Studio 6.0 if you want your plug-in to work with the official build.

  2. I found that Ken’s list of Cygwin requirements was not complete, and the
    nmake -f Makefile.nmake setup

    step was trying to download extra packages. To get out past the work firewall I had to add
    set HTTP_PROXY=server_name:port

    to my Cygwin.bat.

  3. I also had some problems with non-existing group-policy paths in the PATH environment variable messing with setting up the VCVARS32.bat, so I added this line to reset the PATH
    set path=%SystemRoot%\system32

    in the Cygwin.bat before the VCVARS.bat line.

  4. I based my dissector on the agentx plug-in.
    plugins\agentx\*

  5. Borrowed how flags are done from the IP and UDP dissectors.
    epan\dissectors\packet-ip.c
    epan\dissectors\packet-udp.c

  6. Borrowed how to make the dissector match many UDP ports, based on how HTTP uses prefs_register_range_preference.
    epan\dissectors\packet-http.c

It’s been a fantastic learning experience, with lots of banging my head against C code rules, but the output has been very useful.

Comments:

sam 2008-05-15 01:51:58

Hi!
I am a student in France, doing an internship for 4 months;
my 1st mission is to develop a plugin that decodes a Protocol used in the company.
I have installed all the development environment of wireshark
But I do not know how to begin!

Thank you for your help


Simeon 2008-05-15 10:25:38

Hello Sam,

Well if you have Wireshark building, start by capturing some packets, and decode them as you see them. That’s how I did it.


sam 2008-05-21 21:56:59

Hi Simeon,
Thank you for your counsel.
I have advanced a little in my project; I will let you know if I have a problem, if it does not bother you.


Manoj 2010-07-08 04:08:59

Hi,

I am using VS2008 C++ Express to build the code.
I had installed Cygwin on my machine.
But when I run this command in CMD, “nmake -f Makefile.nmake setup”, it throws an error saying unrecognized command “nmake”?

Any guess??
Do I need to install anything else?

Manoj.


Simeon 2010-07-09 21:12:50

Hello Manoj,

If you do a Windows search for “nmake” in your “Program Files” directory you should find at least one, if not many, copies. Go one level higher up, and you should see a batch file “vcvarsall.bat”; this is what you want to run to set up your paths for that Visual Studio install.

Simeon


Michael 2012-02-08 09:28:59

Hi Simeon,

Will possibly need your experience and help here.
I’ve been a DSP programmer for years. I’ve bumped into a problem of writing some Wireshark dissector plugin. My current environment for that is x86 Windows, and it is far from my “native” coding environment. I have VS2008 C++ Express (may download 2010 Express if required).
Now, I’ve reviewed the material on the Net dealing with building Wireshark dissectors and found it a bit complicated. My question is: is there any simple way to compile a plugin DLL in VS, without all this Cygwin stuff and Wireshark source compiling? If yes, could you please write briefly how to? If not, what is the simplest way of building the plugin?

Thanks,
Michael


Simeon 2012-02-08 09:45:26

Hi Michael,

I’ve not built a Wireshark plugin for a few years, so I’m not sure if things have progressed from where they were.

It might make for an interesting weekend project to start from scratch and update this guide…


Michael 2012-02-08 11:47:08

I would not suggest you to mess with this stuff on a weekend: there are plenty of things that might be a bit more interesting :). But if you find some time for this, well, I will appreciate that deeply.

Michael.


Keivan 2012-02-24 09:55:33

Hi Simon,

I need to analyze some packet data (mostly HTTP) in real time. Do you suggest that I write a plugin and run it in the Wireshark environment, or write a real-time exporter (a MIME? a proxy DLL? …) and connect it to my program?

Thanks in advance,
Keivan


Simeon 2012-02-27 10:05:05

You could try using the pcap library to capture/review the log. If you control the client then a proxy might give you better control. Not really done this.


Sid Price 2012-07-11 13:24:24

I would love to be able to write, compile, and debug a dissector for a proprietary protocol my client has; however, I would also love to simply write and debug it using VS 2008 or 2010 and not have to build Wireshark or install Cygwin.

Is this now possible?
Sid


Simeon 2012-07-11 13:28:46

I’ve not looked into this since Michael asked back in February.


Sid Price 2012-07-11 13:35:17

It would be really good to be able to develop just the dissectors with Visual Studio without the need for Cygwin and building Wireshark.
Sid.


Bruce Sutherland 2013-02-27 19:13:32

For people looking for a quick and easy way to get started with dissectors, you can use Lua to develop dissectors now. No development environment required. Just fire up your text editor, and run Wireshark with -X lua_script:my_dissector.lua, or copy the .lua file to the Wireshark plugins directory.

You can also use the Tools > Lua menu and paste your script in there for debugging.

Some documentation here: http://wiki.wireshark.org/Lua/Dissectors

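An added example, not from the post or from any commenter, that puts Bruce’s Lua route together with the three things Simeon borrowed from the C dissectors: the flag-bit layout from packet-ip.c/packet-udp.c and the UDP port-range preference from packet-http.c. The protocol layout, field names and default port range below are constructed for illustration and are not a real protocol.

```lua
-- Constructed example protocol "myproto" (not a real one): 1-byte version,
-- 1-byte flags, 2-byte big-endian payload length, then the payload.
local myproto = Proto("myproto", "Example Private Protocol")

-- Flag bits carry a bitmask, so Wireshark shows each bit under the flags
-- field the same way packet-ip.c / packet-udp.c do it in C.
local f_version = ProtoField.uint8("myproto.version", "Version", base.DEC)
local f_flags   = ProtoField.uint8("myproto.flags", "Flags", base.HEX)
local f_ack     = ProtoField.bool("myproto.flags.ack", "ACK", 8, nil, 0x01)
local f_enc     = ProtoField.bool("myproto.flags.encrypted", "Encrypted", 8, nil, 0x02)
local f_frag    = ProtoField.bool("myproto.flags.fragment", "Fragment", 8, nil, 0x04)
local f_len     = ProtoField.uint16("myproto.length", "Payload length", base.DEC)
local f_payload = ProtoField.bytes("myproto.payload", "Payload")
myproto.fields = { f_version, f_flags, f_ack, f_enc, f_frag, f_len, f_payload }

-- Range preference, the Lua counterpart of prefs_register_range_preference:
-- the user can enter e.g. "5000-5010,6000" under Preferences > Protocols.
myproto.prefs.ports = Pref.range("UDP ports", "5000-5010",
                                 "UDP port(s) carrying MYPROTO", 65535)

function myproto.dissector(buf, pinfo, tree)
  if buf:len() < 4 then return 0 end      -- too short to hold the header
  pinfo.cols.protocol = "MYPROTO"
  local st = tree:add(myproto, buf(), "Example Private Protocol")
  st:add(f_version, buf(0, 1))
  local flags = st:add(f_flags, buf(1, 1))
  flags:add(f_ack,  buf(1, 1))
  flags:add(f_enc,  buf(1, 1))
  flags:add(f_frag, buf(1, 1))
  st:add(f_len, buf(2, 2))
  local plen = buf(2, 2):uint()
  -- A length field that runs past the captured bytes is reported, not trusted.
  if 4 + plen > buf:len() then
    st:add_expert_info(PI_MALFORMED, PI_ERROR, "payload length exceeds packet")
    plen = buf:len() - 4
  end
  if plen > 0 then st:add(f_payload, buf(4, plen)) end
  return buf:len()
end

-- Register on every port in the range, and re-register when the user edits it.
local udp_table = DissectorTable.get("udp.port")
local current_ports = myproto.prefs.ports
udp_table:add(current_ports, myproto)
function myproto.prefs_changed()
  udp_table:remove(current_ports, myproto)
  current_ports = myproto.prefs.ports
  udp_table:add(current_ports, myproto)
end
```

Load it with `wireshark -X lua_script:myproto.lua` as Bruce describes, then feed it a capture on one of the configured ports to see the flag bits expanded under the Flags field.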

Simeon 2013-02-27 19:27:09

Wow, thanks for that info; we use Lua at work for an ad-hoc data log viewer, so I imagine that would be much easier to use. Now I’m tempted to give it a try.


arihant 2013-03-02 02:44:37

Hi Simeon,
I am working for a company in India (intern) to create a dissector for their proprietary protocol. It’s been 5 days and I’ve not even set up the build environment. My manager is going mad. I am following the CodeProject tutorial written by Ken.
Cygwin takes light years to install. What packages are sufficient to run the Wireshark dissector? And TortoiseSVN also does not work to download sources. Can you suggest any other method?
Another thing: should I code in the Lua environment? How much easier would it be than coding in C?
Can you refer me to some good tutorials regarding this (building a plugin for WS with an example protocol)?
Please reply soon. Thanks :)


Simeon 2013-03-02 09:05:59

Hi Arihant,

If SVN is slow, pull down a pre-bundled bz2 file of the source for the latest release.
If Cygwin is slow to install, you might be pointing to a mirror that is not close to you, and/or your internet link is way too slow.

Lua/C is a hard call: if you are solid in C then maybe it would work well for you; if your protocol is crazy complete then C might be best.

I must admit that 5 days just to install Cygwin and the Wireshark source does seem a little long. As for what packages you need in Cygwin, when you run the ‘configure’ script you’ll find out what packages you are missing, then re-run the Cygwin installer and add those packages.