wireshark抓包，协议全部显示为unknown是怎么回事

Posted 2023-03-28

协议没有启用

全部启用,OK

参考技术A For libpcap, the first thing you’d need to do would be to get DLT_* values for all the link-layer protocols you’d need. If ISO 9141 and 14230 use the same link-layer protocol, they might be able to share a DLT_* value, unless the only way to know what protocols are running above the link layer is to know which link-layer protocol is being used, in which case you might want separate DLT_* values.
For the rest of the libpcap discussion, I’ll assume you’re working with libpcap 1.0 or later and that this is on a UN*X platform. You probably don’t want to work with a version older than 1.0, even if whatever OS you’re using happens to include libpcap - older versions are not as friendly towards adding support for devices other than standard network interfaces.
Then you’d probably add to the pcap_open_live() routine, for whatever platform or platforms this code should work, something such as a check for device names that look like serial port names and, if the check succeeds, a call to a routine to open the serial port.
See, for example, the #ifdef HAVE_DAG_API code in pcap-linux.c and pcap-bpf.c.
The serial port open routine would open the serial port device, set the baud rate and do anything else needed to open the device. It’d allocate a pcap_t, set its fd member to the file descriptor for the serial device, set the snapshot member to the argument passed to the open routine, set the linktype member to one of the DLT_* values, and set the selectable_fdmember to the same value as the fd member. It should also set the dlt_count member to the number of DLT_* values to support, and allocate an array of dlt_count u_int+s, assign it to the +dlt_list member, and fill in that list with all the DLT_* values.
You’d then set the various *_op fields to routines to handle the operations in question. read_op is the routine that’d read packets from the device. inject_op would be for sending packets; if you don’t care about that, you’d set it to a routine that returns an error indication. setfilter_op can probably just be set to install_bpf_program. set_datalink would just set the linktype member to the specified value if it’s one of the values for OBD, otherwise it should return an error. getnonblock_op can probably be set to pcap_getnonblock_fd. setnonblock_op can probably be set to pcap_setnonblock_fd. stats_op would be set to a routine that reports statistics. close_op can probably be set to pcap_close_common.
If there’s more than one DLT_* value, you definitely want a set_datalink routine so that the user can select the appropriate link-layer type.
For Wireshark, you’d add support for those DLT_* values to wiretap/libpcap.c, which might mean adding one or more WTAP_ENCAP types to wtap.h and to the encap_table[] table in wiretap/wtap.c. You’d then have to write a dissector or dissectors for the link-layer protocols or protocols and have them register themselves with the wtap_encap dissector table, with the appropriate WTAP_ENCAP values by calling dissector_add_uint().

为啥我用wireshark抓包结果全是乱码

为什么我用wireshark抓包结果全是乱码

参考技术A 这个很正常。除非基于文本的协议，其他的都是无法阅读的。追问

可我看教程里都不是啊。那这个看不懂软件还有什么用。

追答

教程里面说了传输什么协议的吗？如果是文本协议的，并且是英文的，那右边hex显示区当然显示字符了。这个软件重点是看第二个栏目，有各种解析器解析具体协议的，第三个只不过给需要看的人看，比如对对16进制之类的。不是工具没用，是使用工具的人不懂。