How to write a decode over ethernet

Posted: Thu Jun 03, 2010 10:44 am
by Spacepacket
So you write a protocol that runs over Ethernet, and you would like to see it in OmniPeek as a real decode (instead of just hex). It is easy to do, and there are many reasons to do it.

Most people don't realize how valuable and productive it is to have a decoder for their protocol until they have one. Then they are like, how did I get anything done before, and why did I wait so long.

Here is how to do it:

First, create a new file in the OmniPeek\Decodes folder.

Next, open the file in an editor, and add the following decoder code to it.

// Sample decoder to hook into ethernet layer
// Assumes your protocol type is 0x9999

// This is the name to print
str# EProto::Names_Str;
    0x9999 | My Protocol;

// This is the function to call
str# Ether::Branching_3_Str;
    0x9999 | MyProto::Main;

// Custom Decoder

void MyProto::Main()
{
    // new layer
    LABL( 0, 0, 0, 0xb1, "My Protocol" );

    // consume 1 byte, store in g[1]
    DBYT( 0, g[1], 0x90, 0xc2, "1 byte:");

    // consume 2 bytes, store in g[2]
    DWRD( 0, g[2], 0x90, 0xc2, "2 bytes:");

    // consume 4 bytes, store in g[3]
    DLNG( 0, g[3], 0x90, 0xc2, "4 bytes:");

    if (g[1] == 0)
    {
        MyProto::Sub1();
    }

    if (g[1] == 1)
    {
        MyProto::Sub2();
    }
}

void MyProto::Sub1()
{
    LABL( 0, 0, 0, 0xb1, "Sub1 Layer" );
    // add code to decode more fields
}

void MyProto::Sub2()
{
    LABL( 0, 0, 0, 0xb1, "Sub2 Layer" );
    // add code to decode more fields
}


Now change the two instances of 0x9999 in the str# entries to whatever your protocol type is.

Finally, save the file, restart OmniPeek, and open a trace file containing packets of your protocol type.

When you select one of your packets, the decoder view should display a layer called "My Protocol" over the Ethernet layer.

The key to hooking a decode into the Ethernet layer is the two str# entries at the top. These tables are defined and used in the manager.dcd file to branch from the Ethernet layer to other layers. To add new entries to these str# tables we simply declare them again and add our own rows. In this case, the branch (the function to call when the Ethernet type is 0x9999) is MyProto::Main(). From there, we can do anything we want. The rest of the code is just a sample which you can change and extend.
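As an added illustration that is not part of the original post and not OmniPeek decoder code, here is a Python model of the same mechanism: a name table keyed by EtherType (the role EProto::Names_Str plays), a branching table keyed by EtherType (the role Ether::Branching_3_Str plays), and a MyProto decoder that consumes one, two and four bytes and branches on the first byte. The frames are constructed sample data, the EtherType 0x9999 is the same placeholder the post uses, and the Cursor class is an assumption made for the example: it refuses to read past the end of a short capture instead of decoding bytes that are not there, which is the check a decoder for real traffic needs.

```python
import struct

ETHERTYPE_MYPROTO = 0x9999  # placeholder value from the post; use your own type here


# Role of EProto::Names_Str: EtherType -> name shown in the decode view
ETHER_NAMES = {
    0x0800: "IP",
    0x0806: "ARP",
    ETHERTYPE_MYPROTO: "My Protocol",
}


class Truncated(Exception):
    """Raised when a field would extend past the end of the captured bytes."""


class Cursor:
    """Consumes fields from a byte string, the way DBYT/DWRD/DLNG do in the DSL."""

    def __init__(self, data, offset=0):
        self.data = data
        self.offset = offset

    def take(self, fmt):
        size = struct.calcsize(fmt)
        remaining = len(self.data) - self.offset
        if size > remaining:
            raise Truncated(f"need {size} bytes at offset {self.offset}, have {remaining}")
        (value,) = struct.unpack_from(fmt, self.data, self.offset)
        self.offset += size
        return value

    def byte(self):   # DBYT
        return self.take("!B")

    def word(self):   # DWRD, big-endian on the wire
        return self.take("!H")

    def long(self):   # DLNG
        return self.take("!I")


def myproto_sub1(cur, layer):
    layer["sublayer"] = "Sub1 Layer"   # add code to decode more fields


def myproto_sub2(cur, layer):
    layer["sublayer"] = "Sub2 Layer"   # add code to decode more fields


def myproto_main(cur):
    """MyProto::Main: one layer with three fields, then a branch on the first byte."""
    layer = {"layer": "My Protocol"}
    layer["1 byte"] = cur.byte()    # g[1]
    layer["2 bytes"] = cur.word()   # g[2]
    layer["4 bytes"] = cur.long()   # g[3]
    if layer["1 byte"] == 0:
        myproto_sub1(cur, layer)
    elif layer["1 byte"] == 1:
        myproto_sub2(cur, layer)
    return layer


# Role of Ether::Branching_3_Str: EtherType -> decoder to call for the next layer
ETHER_BRANCH = {
    ETHERTYPE_MYPROTO: myproto_main,
}


def decode_frame(frame):
    """Decode the 14-byte Ethernet header, then branch on the EtherType."""
    if len(frame) < 14:
        raise Truncated("Ethernet header needs 14 bytes")
    cur = Cursor(frame, offset=12)          # skip dst/src MAC, read the type field
    ethertype = cur.word()
    layers = [{
        "layer": "Ethernet",
        "dst": frame[0:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "type": ETHER_NAMES.get(ethertype, f"0x{ethertype:04x}"),
    }]
    branch = ETHER_BRANCH.get(ethertype)
    if branch is not None:
        layers.append(branch(cur))
    if cur.offset < len(frame):             # bytes nobody consumed, like padding
        layers.append({"layer": "Trailer", "bytes": len(frame) - cur.offset})
    return layers


def is_truncated(frame):
    """True when the capture ends before the decoder can finish its fields."""
    try:
        decode_frame(frame)
        return False
    except Truncated:
        return True


# Constructed sample frames: broadcast dst, made-up src, then the payload
ETH_HDR = bytes.fromhex("ffffffffffff" "020000000001")
SAMPLE_FRAME = ETH_HDR + bytes.fromhex("9999" "01" "beef" "deadbeef")   # branches to Sub2
SUB1_FRAME = ETH_HDR + bytes.fromhex("9999" "00" "0001" "00000002")     # branches to Sub1
TRUNCATED_FRAME = ETH_HDR + bytes.fromhex("9999" "01" "be")             # cut inside g[2]
OTHER_FRAME = ETH_HDR + bytes.fromhex("0800" "01" "beef" "deadbeef")    # not our type

if __name__ == "__main__":
    for layer in decode_frame(SAMPLE_FRAME):
        print(layer)
    print("truncated:", is_truncated(TRUNCATED_FRAME))
```

The two dictionaries are the part to compare with the post: adding a row to ETHER_BRANCH is exactly what the second str# block does in the .dcd file, and the Ethernet decoder never needs to know which protocols exist.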

For more information about the decoder language go here:

https://mypeek.wildpackets.com/document ... /index.php

Of course, if you have any questions, just post them to this forum.

RE: How to write a decode over ethernet

Posted: Tue Sep 06, 2011 12:39 am
by dipinika
Is there a way to connect an ethernet cable to a computer without having to restart the computer? I play PS3 online. To do this I need to take the ethernet cable out of the back of my computer and plug it into my PS3. When I want to reconnect the ethernet cable to my computer, I always have to restart my computer and modem for the internet to work again. This is a lot of hassle because my computer takes a long time to start up.