Wireshark-dev: Re: [Wireshark-dev] Detecting Protocol Headers
From: "Guy Harris" <guy@xxxxxxxxxxxx>
Date: Mon, 9 Mar 2009 23:40:56 -0700 (PDT)
Rayne wrote:

> Replies below in blue.

They all look black to me (I'm currently reading this with webmail, and it's not showing any colors - it's just showing it as plain text; don't assume that, if you use HTML mail or other rich text mail features, that it'll show up in everybody's mail - some people may use mail readers that just show plain text).

> I also have one other question: What happens when in the process of
> dissecting a packet, you encounter a protocol that is not recognized? What
> happens to that packet?

It gets dissected, like any other packet. The unrecognized protocol data will probably just be shown as a line saying "Data".

> Points 1 to 4 are the criteria for whether to include a protocol in the
> list of heuristic dissectors of another protocol?

Points 1 through 4 are the criteria for whether the author of a dissector for one protocol will write code, in the proto_reg_handoff_ routine for that dissector module, to register that dissector in the list of heuristic dissectors for another protocol. (I.e., these criteria apply to humans writing dissectors, not to Wireshark itself.)

> So in reality, every packet has its own protocol tree that is built as
> protocols are dissected. So 2 packets may have very different protocol
> trees?

Yes. Those two packets could look very different, *even* if they contain the same set of protocols (e.g., one DNS-over-UDP-over-IP-over-Ethernet packet could have different fields from another DNS-over-UDP-over-IP-over-Ethernet packet).

> Isn't this quite taxing for the system, because the system would
> have to keep track of all these protocol trees until the packets are
> completely dissected and the memory for the trees can be released?

No. The protocol tree is freed as soon as Wireshark is done with it. If you click on a packet, a protocol tree is constructed, and used to show the dissection in the packet detail pane. If you click on another packet, the old protocol tree is freed, and a new protocol tree is constructed for that packet. If you then click on the original packet, it's re-dissected and the protocol tree is reconstructed.

> What is
> the purpose of building a protocol tree for every packet? Just to display
> that information for the user?

To display the information for the user, to evaluate display filter expressions or color filter expressions or..., to output the packet in PDML, etc.

> > Where can I find an example where dissect-protocol() is called?
>
> What do you mean by "dissect-protocol()"?
>
> For example "dissect_ip()", "dissect_gtp()" etc.

Dissectors are usually not called directly; they're either called through a dissector table, or a heuristic dissector list, or a dissector handle. There are some cases where they're called directly, usually because some extra information has to be passed to them (such as the SCSI dissector routines). What is it you're looking for there?
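The dispatch model described in the reply (a dissector table keyed by an exact value, an ordered list of heuristic dissectors tried in turn, and an unrecognized payload that is simply labelled "Data"), as an added, self-contained illustration that is not Wireshark's own code and does not use its API. The registration helpers `dissector_add`/`heur_add`, the `dispatch` function, and the two sample dissectors (`dissect_dnsish`, `dissect_textish`) are hypothetical and stand in for the real `dissector_add_uint`/`heur_dissector_add` registrations a `proto_reg_handoff_` routine would make; the packets are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of dissector dispatch, not Wireshark's API.
 * A dissector inspects a buffer and either rejects it (false) or
 * accepts it and writes a one-line summary into 'out'. */
typedef bool (*dissector_fn)(const uint8_t *buf, size_t len,
                             char *out, size_t outlen);

#define MAX_ENTRIES 8

/* Dissector table: exact key (e.g. a UDP port) -> handler. */
static struct { uint32_t key; dissector_fn fn; const char *name; } table[MAX_ENTRIES];
static int table_count;

/* Heuristic list: handlers tried in registration order until one accepts. */
static struct { dissector_fn fn; const char *name; } heur[MAX_ENTRIES];
static int heur_count;

/* Hypothetical registration helpers; return false when the slot array is full. */
bool dissector_add(uint32_t key, dissector_fn fn, const char *name) {
    if (table_count >= MAX_ENTRIES) return false;
    table[table_count].key = key; table[table_count].fn = fn;
    table[table_count].name = name; table_count++;
    return true;
}

bool heur_add(dissector_fn fn, const char *name) {
    if (heur_count >= MAX_ENTRIES) return false;
    heur[heur_count].fn = fn; heur[heur_count].name = name; heur_count++;
    return true;
}

/* Sample dissector: accept only a DNS-shaped header (>= 12 bytes, QDCOUNT == 1). */
static bool dissect_dnsish(const uint8_t *buf, size_t len, char *out, size_t outlen) {
    if (len < 12) return false;
    unsigned qdcount = (unsigned)(buf[4] << 8 | buf[5]);
    if (qdcount != 1) return false;
    snprintf(out, outlen, "DNS-like id=0x%04x", (unsigned)(buf[0] << 8 | buf[1]));
    return true;
}

/* Sample dissector: accept only if every byte is printable ASCII. */
static bool dissect_textish(const uint8_t *buf, size_t len, char *out, size_t outlen) {
    if (len == 0) return false;
    for (size_t i = 0; i < len; i++)
        if (buf[i] < 0x20 || buf[i] > 0x7e) return false;
    snprintf(out, outlen, "Text (%zu bytes)", len);
    return true;
}

/* Dispatch order: exact table match first, then heuristics in order,
 * then the "Data" fallback. Returns the name of whatever handled it. */
const char *dispatch(uint32_t key, const uint8_t *buf, size_t len,
                     char *out, size_t outlen) {
    for (int i = 0; i < table_count; i++)
        if (table[i].key == key && table[i].fn(buf, len, out, outlen))
            return table[i].name;
    for (int i = 0; i < heur_count; i++)
        if (heur[i].fn(buf, len, out, outlen))
            return heur[i].name;
    snprintf(out, outlen, "Data (%zu bytes)", len);
    return "data";
}

/* Models what a proto_reg_handoff_ routine does: register the dissector
 * both under a fixed key and as a heuristic for when the key does not match. */
void proto_reg_handoff_example(void) {
    table_count = heur_count = 0;
    dissector_add(53, dissect_dnsish, "dns");
    heur_add(dissect_dnsish, "dns");
    heur_add(dissect_textish, "text");
}

int main(void) {
    /* Constructed packets: a DNS-shaped header, printable text, and junk. */
    static const uint8_t dns_pkt[12] = {0x12,0x34,0x01,0x00,0x00,0x01,0,0,0,0,0,0};
    static const uint8_t junk[3] = {0xff, 0x00, 0x01};
    char out[64];
    proto_reg_handoff_example();
    printf("%s: %s\n", dispatch(53, dns_pkt, sizeof dns_pkt, out, sizeof out), out);
    printf("%s: %s\n", dispatch(9999, dns_pkt, sizeof dns_pkt, out, sizeof out), out);
    printf("%s: %s\n", dispatch(9999, (const uint8_t *)"hello", 5, out, sizeof out), out);
    printf("%s: %s\n", dispatch(9999, junk, sizeof junk, out, sizeof out), out);
    return 0;
}
```

The second call shows the point of registering a dissector as a heuristic as well as under a key: the same DNS-shaped packet arriving on an unexpected port is still recognized, while the junk packet falls through every check and is reported as "Data" rather than being dropped.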
References:
- Re: [Wireshark-dev] Detecting Protocol Headers (from: Rayne)
- Re: [Wireshark-dev] Detecting Protocol Headers