Adding Layer 2 Protocol Dissectors to Ethereal (aka Wireshark)


Overview:

This tutorial describes a method to add Layer 2 protocol dissection to Ethereal. This method was tested on Ethereal version 0.8.19. Notes are given for Wireshark 0.99.5 where changes need to be made, but these have not been tested by the author.

Ethereal's Protocol Dissector:

Ethereal's protocol dissector plug-in API was designed with Layer 3 protocols in mind. Implementing a Layer 2 protocol dissector in Ethereal is not as straightforward as a Layer 3 protocol dissector plug-in: dissecting Layer 2 messages in Ethereal requires modification of Ethereal's source code. There is more than one type of Layer 2 message header structure. For the sake of simplicity, this article deals only with adding detection for a new Layer 2 protocol that uses an LLC/SNAP header with a unique OUI (Organizational Unit Identifier). Similar modifications to Ethereal's code would be needed for other Layer 2 header types.

Although Ethereal supports plug-ins, they cannot be used directly for Layer 2 protocols because Ethereal only recognizes LLC/SNAP headers for Ethernet, AppleTalk and Cisco. Instead, Ethereal's source code needs to be modified so that additional Layer 2 SNAP headers are recognized. From that modified code we can then call a standard Ethereal plug-in to dissect the packet. This makes it harder to move to newer versions of Ethereal, since the newer source code will need the same modification. In the future Ethereal may add better support for handling new Layer 2 protocols using only a plug-in.
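To make the recognition step concrete, the following stand-alone C program (an added example, not code from Ethereal or from this tutorial) performs the same decision the modified LLC code has to make: it checks that the frame is IEEE 802.3 rather than Ethernet II, that the LLC header announces SNAP (DSAP and SSAP both 0xAA with a UI control byte), extracts the 3-byte OUI and 2-byte PID, and dispatches only when the OUI matches the protocol being added. The OUI value `0x123456` and the function names are assumptions for illustration; the test frames are constructed in the code. Every length is checked against the captured bytes before it is used, which is the part a dissector most often gets wrong when it is fed a truncated or malformed frame.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout of an IEEE 802.3 frame that carries an LLC/SNAP header. */
#define ETH_HDR_LEN   14      /* dst MAC (6) + src MAC (6) + length (2) */
#define LLC_LEN        3      /* DSAP, SSAP, control */
#define SNAP_LEN       5      /* OUI (3) + PID (2) */
#define SNAP_SAP     0xAA     /* DSAP/SSAP value that announces a SNAP header */
#define LLC_UI       0x03     /* unnumbered-information control byte */
#define MAX_8023_LEN 1500     /* larger values in the length field are EtherTypes */

/* Hypothetical OUI for the protocol being added (placeholder, not registered). */
#define OUI_EXAMPLE_PROTO 0x123456u

enum snap_verdict {
    SNAP_NOT_8023,      /* type/length field holds an EtherType: Ethernet II frame */
    SNAP_TRUNCATED,     /* capture is shorter than the headers claim */
    SNAP_NO_SNAP,       /* LLC present, but not a SNAP header */
    SNAP_UNKNOWN_OUI,   /* well-formed SNAP, no handler registered for this OUI */
    SNAP_DISPATCHED     /* handed to the protocol-specific dissector */
};

struct snap_info {
    uint32_t oui;
    uint16_t pid;
    const uint8_t *payload;
    size_t payload_len;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse 802.3 + LLC + SNAP and dispatch on the OUI. All bounds are checked
   against `len`, the number of bytes actually captured. */
enum snap_verdict dissect_llc_snap(const uint8_t *frame, size_t len, struct snap_info *out)
{
    if (len < ETH_HDR_LEN) return SNAP_TRUNCATED;
    uint16_t type_len = be16(frame + 12);
    if (type_len > MAX_8023_LEN) return SNAP_NOT_8023;
    /* The 802.3 length must fit inside the captured bytes (padding beyond it is fine). */
    if ((size_t)type_len > len - ETH_HDR_LEN) return SNAP_TRUNCATED;
    if (type_len < LLC_LEN) return SNAP_TRUNCATED;

    const uint8_t *llc = frame + ETH_HDR_LEN;
    if (llc[0] != SNAP_SAP || llc[1] != SNAP_SAP || llc[2] != LLC_UI) return SNAP_NO_SNAP;
    if (type_len < LLC_LEN + SNAP_LEN) return SNAP_TRUNCATED;

    const uint8_t *snap = llc + LLC_LEN;
    out->oui = ((uint32_t)snap[0] << 16) | ((uint32_t)snap[1] << 8) | snap[2];
    out->pid = be16(snap + 3);
    out->payload = snap + SNAP_LEN;
    out->payload_len = (size_t)type_len - LLC_LEN - SNAP_LEN;

    switch (out->oui) {
    case OUI_EXAMPLE_PROTO:
        return SNAP_DISPATCHED;   /* in Ethereal this is where the plug-in would be called */
    default:
        return SNAP_UNKNOWN_OUI;
    }
}

/* Build a constructed test frame: zeroed MACs, 802.3 length, LLC UI, SNAP OUI/PID, payload.
   Returns the frame length, or 0 if it does not fit. */
size_t build_snap_frame(uint8_t *buf, size_t cap, uint32_t oui, uint16_t pid,
                        const uint8_t *payload, size_t plen)
{
    size_t body = LLC_LEN + SNAP_LEN + plen;
    if (body > MAX_8023_LEN || cap < ETH_HDR_LEN + body) return 0;
    memset(buf, 0, ETH_HDR_LEN + body);
    buf[12] = (uint8_t)(body >> 8);
    buf[13] = (uint8_t)body;
    uint8_t *p = buf + ETH_HDR_LEN;
    p[0] = SNAP_SAP; p[1] = SNAP_SAP; p[2] = LLC_UI;
    p[3] = (uint8_t)(oui >> 16); p[4] = (uint8_t)(oui >> 8); p[5] = (uint8_t)oui;
    p[6] = (uint8_t)(pid >> 8);  p[7] = (uint8_t)pid;
    memcpy(p + 8, payload, plen);
    return ETH_HDR_LEN + body;
}

int main(void)
{
    static const char *names[] = { "not 802.3", "truncated", "no SNAP", "unknown OUI", "dispatched" };
    uint8_t buf[128];
    struct snap_info info;
    const uint8_t payload[4] = { 1, 2, 3, 4 };   /* constructed payload */
    size_t n = build_snap_frame(buf, sizeof buf, OUI_EXAMPLE_PROTO, 0x0001, payload, sizeof payload);
    printf("full frame:  %s\n", names[dissect_llc_snap(buf, n, &info)]);
    printf("cut to 20 B: %s\n", names[dissect_llc_snap(buf, 20, &info)]);
    return 0;
}
```

The `SNAP_TRUNCATED` path is worth keeping in any real dissector: a capture cut short by the snap length, or a frame whose 802.3 length field overstates its size, must be rejected before the OUI and PID bytes are read.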

See Figure 1 below for a flowchart of the basic operation of Ethereal's packet capture and dissection processes.


Figure 1, Flowchart of basic Ethereal Layer 2 dissection.






© 2002 Kazimer Corp.
1010 University Ave. PMB #1862
San Diego, CA 92103-3395