Using the Cafu Wireshark dissector

In a recent News announcement I presented a dissector for Wireshark that one can use to study and analyze the Cafu Engine network protocol. (I currently use it to aid the development of the Cafu Component Systems, about which I'll post more information soon.)

However, what I should have done at that time but didn't is add some information on the key steps for actually using that dissector. As I found out at the beginning of this week, the necessary setup is not particularly complicated once you know how to do it, but if you don't, it can take a while to search the web for all the required information:

  1. The first step after you've installed Wireshark is to "install" the Cafu Wireshark dissector as well. This is easily done by copying the dissector file into the user's Wireshark plugins directory. For example, from the Cafu repository's root directory on my Windows 7 system, this command does the job:
    copy Ca3DE\wireshark-cafu.lua c:\Users\Carsten\AppData\Roaming\Wireshark\plugins\
    Make sure to manually create the plugins subdirectory beforehand, if necessary.

  2. Under Windows, Wireshark cannot capture packets from the loopback device directly, which is required in order to capture the network traffic in single player sessions on the local machine. Instead, we have to use the RawCap.exe program from http://www.netresec.com/?page=RawCap. When RawCap.exe is started, it will capture all packets from the loopback device into a dump file. While RawCap is running, we also run the Cafu Engine in order to record the network traffic. When you're done with Cafu, also quit RawCap with Ctrl+C, then start Wireshark to analyze the file that has been written by RawCap.

  3. In Wireshark, a useful filter expression for reducing the view to Cafu Engine related network packets only is
    udp.port == 30000 or udp.port == 33000
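
To check that a RawCap dump actually contains Cafu traffic before opening it in Wireshark, the filter from step 3 can be applied directly to the file. The following is an added example, not code from the Cafu project or this post: it assumes a classic pcap file whose packets are raw IPv4 without a link-layer header, the function names are hypothetical, and the sample capture is constructed inline.

```python
import struct

CAFU_PORTS = {30000, 33000}        # ports from the filter expression above
RAW_IP_LINKTYPES = {12, 101, 228}  # assumption: dump holds raw IP packets, no link-layer header

def cafu_udp_packets(pcap_bytes):
    """Return (src_port, dst_port, payload) for every UDP packet on a Cafu port."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype not in RAW_IP_LINKTYPES:
        raise ValueError(f"unexpected link type {linktype}")
    hits, offset = [], 24
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        packet = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 17:
            continue  # truncated, not IPv4, or not UDP
        ihl = (packet[0] & 0x0F) * 4
        if ihl < 20 or len(packet) < ihl + 8:
            continue  # malformed IP header or truncated UDP header
        sport, dport, ulen = struct.unpack("!HHH", packet[ihl:ihl + 6])
        if sport in CAFU_PORTS or dport in CAFU_PORTS:
            hits.append((sport, dport, packet[ihl + 8:ihl + ulen]))
    return hits

def _raw_ip_udp(sport, dport, payload):
    """Constructed IPv4/UDP packet on 127.0.0.1 (checksums left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       b"\x7f\x00\x00\x01", b"\x7f\x00\x00\x01") + udp

def sample_capture():
    """Constructed capture: two packets on Cafu ports, one unrelated."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for pkt in (_raw_ip_udp(51000, 30000, b"constructed-1"),
                _raw_ip_udp(33000, 51001, b"constructed-2"),
                _raw_ip_udp(51002, 53, b"unrelated")):
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    for hit in cafu_udp_packets(sample_capture()):
        print(hit)
```

To run it on a real dump, pass the bytes of the file written by RawCap to `cafu_udp_packets` instead of the constructed sample.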