How to write a decode over ethernet

A place for developers to exchange information about extending OmniPeek, and ask technical questions about plugins on MyPeek, scripting, and programming.
Posts: 78
Joined: Thu May 22, 2008 9:36 am

How to write a decode over ethernet

Postby Spacepacket » Thu Jun 03, 2010 10:44 am

So you write a protocol that runs over Ethernet, and you would like to see it in OmniPeek as a real decode (instead of just hex). It is easy to do, and there are many reasons to do it.

Most people don't realize how valuable and productive it is to have a decoder for their protocol until they have one. Then they are like, how did I get anything done before, and why did I wait so long.

Here is how to do it:

First, create a new file in the OmniPeek\Decodes folder.

Next, open the file in an editor, and add the following decoder code to it.

Code: Select all

// Sample decoder to hook into ethernet layer
// Assumes your protocol type is 0x9999

// This is the name to print
str# EProto::Names_Str;
      0x9999 | My Protocol;
// This is the function to call
str# Ether::Branching_3_Str;
      0x9999 | MyProto::Main;
// Custom Decoder

void MyProto::Main()
        // new layer
        LABL( 0, 0, 0, 0xb1, "My Protocol" );
        // consume 1 byte, store in g[1]
        DBYT( 0, g[1], 0x90, 0xc2, "1 byte:");
        // consume 2 bytes, store in g[2]
        DWRD( 0, g[2], 0x90, 0xc2, "2 bytes:");
        // consume 4 bytes, store in g[3]
        DLNG( 0, g[3], 0x90, 0xc2, "4 bytes:");
        if (g[1] == 0)

        if (g[1] == 1)

void MyProto::Sub1()
        LABL( 0, 0, 0, 0xb1, "Sub1 Layer" );
        // add code to decode more fields

void MyProto::Sub2()
        LABL( 0, 0, 0, 0xb1, "Sub2 Layer" );
        // add code to decode more fields

Now change the two instances of 0x9999 in the str# entries to whatever your protocol type is.

Finally, save the file, restart OmniPeek, and open a trace file containing packets of your protocol type.

When you select one of your packets, the decoder view should display a layer called "My Protocol" over the Ethernet layer.

The key to hooking a decode into the ethernet layer are the two str# entries at the top. These entries are defined and used in the manager.dcd file to branch from the ethernet layer to other layers. To add new entries to these str# entries we simply declare them again, and add new entries. In this case, the branch, or function to call if the ethernet type is 0x9999 is the MyProto::Main() function. From there, we can do anything we want. The rest of the code is just a sample which you can change and extend.

For more information about the decoder language go here: ... /index.php

Of course, if you have any questions, just post them to this forum.

Posts: 1
Joined: Mon Aug 29, 2011 10:35 pm

RE: How to write a decode over ethernet

Postby dipinika » Tue Sep 06, 2011 12:39 am

Is there a way to connect ethernet cable to computer without having to restart computer? I play ps3 online. To do this i need to take out the ethernet from the back of my computer and plug it into my ps3. When i want to reconnect ethernet cable to my computer, i always have to restart my computer and modem for the internet to work again. This is a lot of hassle because my computer takes long to start up.
external keyword tool ~ ~ ~ ~

Return to “Developers”

Who is online

Users browsing this forum: No registered users and 2 guests