Easily Adding Custom Dissectors to CloudShark


It’s no secret that CloudShark uses tshark to generate the data we use in the CloudShark database, resulting in what you see when you view a capture in the CloudShark viewer. CloudShark sorts and caches this information to make it faster and easier for you to get to the information you need, when you need it.

The added advantage of using tshark is that all of the most recent dissectors published in the latest versions of Wireshark can be used in CloudShark immediately without any additional work. But what about those of you out there who have custom protocols they want to analyze - in the mobile industry for example?

CloudShark Enterprise allows users to provide a custom version of tshark with their own dissectors built in. This enables end users to use their own proprietary protocol decodes with CloudShark. It's also a lot easier to maintain a single CloudShark server than to maintain individual Wireshark installs across an organization. Unfortunately, writing custom dissectors for Wireshark is not always easy.

Recently, however, we learned about Protomatics. Protomatics is an innovative provider of products and solutions that accelerate communication software development by automating message parser creation. They’ve developed a formal notation message description language, called TSN.1 (Transfer Syntax Notation One), that combines information bits and encoding bits of a message in a single notation.

The magic of TSN.1 is that it can automatically create code that Wireshark (and hence, tshark) will understand and be able to use as a custom dissector. This can be used as a custom dissector plugin or integrated into a custom Wireshark build. It’s the latter that you’ll want to use for CloudShark: just compile a new custom version of tshark on your CloudShark Enterprise appliance, and you’re good to go!

Check out Protomatics when you get a chance. Very cool stuff for the esoteric world of computer networking and packet capture that we live in.
