Ethereal-users: Re: [Ethereal-users] Newbie Dissector question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Thu, 7 Apr 2005 19:56:38 +0200
read comments in line

On Apr 7, 2005 5:54 PM, linux lover <linux_lover2004@xxxxxxxxx> wrote:
> 
> Hi all,
>        I am newbie in ethereal analyzing code. I read
> README.developer and found some info regarding
> dissector_add that its prototype must be of form
> 
> dissector_add("PARENT_SUBFIELD", ID_VALUE,
> PROTOABBREV_handle);
> 
>          Then I check packet-ip.c for understanding
> that and found a lot of that calls
> dissector_add("ethertype", ETHERTYPE_IP, ip_handle);

IP over ethernet

>         dissector_add("ppp.protocol", PPP_IP, ip_handle);

IP over PPP

>         dissector_add("ppp.protocol", ETHERTYPE_IP,
> ip_handle);

a different way to do IP over PPP (?)

>         dissector_add("gre.proto", ETHERTYPE_IP, ip_handle);

IP over (cisco) Generic Router Encapsulation as GRE

>         dissector_add("gre.proto", GRE_WCCP, ip_handle);

IP over (cisco) Generic Router Encapsulation when used for WCCP

>         dissector_add("llc.dsap", SAP_IP, ip_handle);
IP over LLC

>         dissector_add("ip.proto", IP_PROTO_IPIP, ip_handle);
IP over IP

>         dissector_add("null.type", BSD_AF_INET, ip_handle);
IP over .... a null socket type????

>         dissector_add("chdlctype", ETHERTYPE_IP, ip_handle);
IP over ????
>         dissector_add("osinl.excl", NLPID_IP, ip_handle);
IP over OSI Network Layer???
>         dissector_add("fr.ietf", NLPID_IP, ip_handle);
IP over Frame Relay

>         dissector_add("x.25.spi", NLPID_IP, ip_handle);
IP over X.25

>         dissector_add("arcnet.protocol_id",
> ARCNET_PROTO_IP_1051, ip_handle);
>         dissector_add("arcnet.protocol_id",
> ARCNET_PROTO_IP_1201, ip_handle);
IP over ARCNET

>         Why does each dissector functions required in
> packet-ip.c? Does that mean no. of protocols that can
> give packet data handle to IP protocol? If that is the
> case then why ICMP handoff has
>  dissector_add("ip.proto", IP_PROTO_ICMP,
> icmp_handle);
this is the common ICMP over IP
>   dissector_add("wtap_encap", WTAP_ENCAP_RAW_ICMP,
> icmp_handle);

>             First one is ok that ICMP packet processed
> IP header and then giving data part to ICMP but what
> is other thing wtap_encap?
This I really do not know, it might well be ICMP found raw in a pcap
file by wiretap.

>        Also why proto_reg_handoff_ip has
>         dissector_add_handle("udp.port", ip_handle);
IP over UDP (used for experimental userplane stacks)
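
Added example, not part of the original message and not Ethereal's own code: a toy model of the lookup behind the dissector_add() calls discussed above, showing why one handle is registered in several parent tables and what happens when a value has no registration. Every toy_* name is hypothetical; the numeric values are the well-known EtherType, PPP and IP protocol numbers.

```c
/* Toy model of dissector tables; every toy_* name is hypothetical. */
#include <string.h>

typedef const char *(*toy_dissector)(void);
struct toy_key { const char *table; unsigned value; };
static struct toy_entry { struct toy_key key; toy_dissector handle; } toy_tab[16];
static int toy_count;

/* Same argument shape as dissector_add(table, value, handle). */
static void toy_dissector_add(const char *table, unsigned value, toy_dissector h)
{
    if (toy_count < 16) toy_tab[toy_count++] = (struct toy_entry){ { table, value }, h };
}

/* What a parent does after parsing its own header: find the next dissector. */
static toy_dissector toy_lookup(struct toy_key k)
{
    for (int i = 0; i < toy_count; i++)
        if (toy_tab[i].key.value == k.value && !strcmp(toy_tab[i].key.table, k.table))
            return toy_tab[i].handle;
    return NULL; /* nothing registered for this value in this table */
}

static const char *toy_dissect_ip(void)   { return "ip"; }
static const char *toy_dissect_icmp(void) { return "icmp"; }
static void toy_register_all(void)
{
    toy_count = 0;
    toy_dissector_add("ethertype", 0x0800, toy_dissect_ip);    /* ETHERTYPE_IP */
    toy_dissector_add("ppp.protocol", 0x0021, toy_dissect_ip); /* PPP_IP */
    toy_dissector_add("ip.proto", 4, toy_dissect_ip);          /* IP_PROTO_IPIP */
    toy_dissector_add("ip.proto", 1, toy_dissect_icmp);        /* IP_PROTO_ICMP */
}

/* Follow a chain of demux keys; returns how many layers found a dissector. */
static int toy_walk(const struct toy_key *keys, int n, const char **names)
{
    int depth = 0;
    for (toy_dissector d; depth < n && (d = toy_lookup(keys[depth])); depth++)
        names[depth] = d();
    return depth;
}

int main(void)
{
    /* Constructed frame: Ethernet -> IP -> IP-in-IP -> ICMP */
    const struct toy_key k[] = { {"ethertype", 0x0800}, {"ip.proto", 4}, {"ip.proto", 1} };
    const char *names[3];
    toy_register_all();
    return toy_walk(k, 3, names) == 3 ? 0 : 1;
}
```

Each registration is one more path by which captured bytes can reach the same dissector, so the list of tables a handle is added to is also the list of entry points to review when auditing that dissector.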