 

How do you test a Wireshark dissector?

When you write a dissector for Wireshark, how do you test it? Looking at the visual output in the UI is not sufficient for a non-trivial protocol.

Is there a good way for unit testing of the dissector?

EDIT:

The structure of protocol frames is dynamic. The dissector must somehow interpret the content.

For example, if the fifth field is one, a byte array follows as the sixth field. If it's two, you have a double array, and if it's three, you have to add a zero-terminated string.

This usually never happens in a daily work capture. That's why you need synthetic capture data, even with "impossible" content.

harper asked Dec 13 '10 18:12



2 Answers

You can use something like Scapy or PacketSender to generate test packets.

James answered Oct 10 '22 01:10



To test a Wireshark dissector I found this useful:

  • Define a set of packets that the dissector should analyse including malformed packets
  • Implement the packets as a hex dump
  • Define the expected output
  • For each packet dump
    • Generate pcap files with text2pcap
    • Run the dissector with tshark
    • Extract the payload from the PDML output of tshark
    • Compare the XML output with the expected XML output

This can be improved by filtering the XML output, since the PDML also includes the packet bytes, which can be annoying if the payload is large and/or complex.

The suggested arguments to the Wireshark executables are

text2pcap -T 1024,9876 foo.txt foo.pcap
tshark -T pdml -r "foo.pcap"

To extract the dissector output it's useful to use an XPath expression with the .NET CLR class XmlNode. This can be done e.g. this way:

// tsharkOutput and referenceDocument are loaded System.Xml XmlNode/XmlDocument instances
XmlNode output = tsharkOutput.SelectSingleNode("packet/proto[@name='foo']");
XmlNodeList refList = referenceDocument.SelectNodes("proto[@name='foo']");
harper answered Oct 10 '22 02:10

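One way to automate the procedure in the answer above, as an added example that is not part of either answer: a Python harness that renders a payload in the offset/hex format text2pcap reads, invokes `text2pcap -T 1024,9876` and `tshark -T pdml` as the answer suggests, and then keeps only the `name`/`show` attributes of the dissector's fields before diffing against the expected output (the filtering step the answer recommends, so packet bytes stay out of the comparison). The protocol name `foo`, the `foo.*` field names, the test vectors and the sample PDML are constructed assumptions; the type-byte cases mirror the question's EDIT, where the value of one field decides what follows it.

```python
"""Added example harness for the text2pcap -> tshark -> PDML recipe.
Not code from the original answers; 'foo' is the hypothetical protocol
name from the answer, and SAMPLE_PDML is constructed, not real tshark output."""
import shutil
import subprocess
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Tuple

Field = Tuple[str, str]  # (field name, show value)


def to_text2pcap_hexdump(payload: bytes) -> str:
    """Render raw bytes as the 'offset hexbytes' lines text2pcap parses (16 per line).
    A final line holding only the end offset terminates the packet."""
    lines = []
    for off in range(0, len(payload), 16):
        chunk = payload[off:off + 16]
        lines.append(f"{off:06x} " + " ".join(f"{b:02x}" for b in chunk))
    lines.append(f"{len(payload):06x}")
    return "\n".join(lines) + "\n"


def run_pipeline(payload: bytes, workdir: Path, ports: str = "1024,9876") -> str:
    """Write the hex dump, wrap it in dummy Ethernet/IP/TCP headers with text2pcap -T
    (the answer's arguments), and return tshark's PDML for the resulting pcap."""
    hex_path = workdir / "frame.txt"
    pcap_path = workdir / "frame.pcap"
    hex_path.write_text(to_text2pcap_hexdump(payload))
    subprocess.run(["text2pcap", "-T", ports, str(hex_path), str(pcap_path)],
                   check=True, capture_output=True)
    done = subprocess.run(["tshark", "-T", "pdml", "-r", str(pcap_path)],
                          check=True, capture_output=True, text=True)
    return done.stdout


def extract_fields(pdml: str, proto_name: str) -> List[Field]:
    """Keep only what the dissector decided: (name, show) for every field under
    <proto name=proto_name>; pos/size/value are dropped so raw bytes never enter the diff."""
    root = ET.fromstring(pdml)
    fields: List[Field] = []
    for proto in root.iter("proto"):
        if proto.get("name") != proto_name:
            continue
        for field in proto.iter("field"):  # iter() also reaches nested fields
            fields.append((field.get("name", ""), field.get("show", "")))
    return fields


def compare_fields(actual: List[Field], expected: List[Field]) -> List[str]:
    """Return human-readable mismatches; an empty list means the packet passed."""
    problems = []
    for i, (got, want) in enumerate(zip(actual, expected)):
        if got != want:
            problems.append(f"field {i}: expected {want}, got {got}")
    if len(actual) != len(expected):
        problems.append(f"field count: expected {len(expected)}, got {len(actual)}")
    return problems


# Constructed vectors for the hypothetical 'foo' protocol: the type byte selects
# what follows, so each branch (and a malformed frame) gets its own synthetic packet.
TEST_CASES: Dict[str, Tuple[bytes, List[Field]]] = {
    "type1-byte-array": (b"\x01\xde\xad\xbe\xef",
                         [("foo.type", "1"), ("foo.bytes", "de:ad:be:ef")]),
    "type3-cstring": (b"\x03hi\x00",
                      [("foo.type", "3"), ("foo.string", "hi")]),
    # truncated on purpose; what follows foo.type is whatever the dissector is designed to report
    "truncated-type1": (b"\x01\xde", [("foo.type", "1")]),
}

# Constructed stand-in for tshark's PDML so the parser can be exercised offline.
SAMPLE_PDML = """<?xml version="1.0"?>
<pdml version="0" creator="constructed-sample">
  <packet>
    <proto name="frame" pos="0" size="59"><field name="frame.len" show="59"/></proto>
    <proto name="foo" showname="Foo Protocol" pos="54" size="5">
      <field name="foo.type" showname="Type: 1" size="1" pos="54" show="1" value="01"/>
      <field name="foo.bytes" showname="Bytes" size="4" pos="55" show="de:ad:be:ef" value="deadbeef"/>
    </proto>
  </packet>
</pdml>
"""


def run_suite() -> Dict[str, List[str]]:
    """Run every vector through the real tools; returns {case name: mismatches}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (payload, expected) in TEST_CASES.items():
            pdml = run_pipeline(payload, Path(tmp))
            results[name] = compare_fields(extract_fields(pdml, "foo"), expected)
    return results


if __name__ == "__main__":
    if shutil.which("text2pcap") and shutil.which("tshark"):
        for case, problems in run_suite().items():
            print(case, "OK" if not problems else problems)
    else:
        print("tools not on PATH; parser check only:",
              compare_fields(extract_fields(SAMPLE_PDML, "foo"),
                             TEST_CASES["type1-byte-array"][1]))
```

With text2pcap and tshark on PATH the script drives the real pipeline; without them it only checks the PDML filtering against the constructed sample. The same idea carries over to the .NET version in the answer: read just the `name` and `show` attributes of each `field` node under `proto[@name='foo']` instead of comparing the whole subtree.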